diff options
Diffstat (limited to 'src/content')
| -rw-r--r-- | src/content/DocumentCSP.js | 4 | ||||
| -rw-r--r-- | src/content/staticNS.js | 16 |
2 files changed, 17 insertions, 3 deletions
diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js index 7632ce7..ade9013 100644 --- a/src/content/DocumentCSP.js +++ b/src/content/DocumentCSP.js @@ -25,11 +25,11 @@ class DocumentCSP { try { parent.insertBefore(meta, parent.firstChild); - debug(`Failsafe <meta> CSP inserted in the DOM: "%s"`, header.value); + debug(`Failsafe <meta> CSP inserted in %s: "%s"`, document.URL, header.value); meta.remove(); if (!head) parent.remove(); } catch (e) { - error(e, "Error inserting CSP %s in the DOM", header && header.value); + error(e, "Error inserting CSP %s in %s", document.URL, header && header.value); } } diff --git a/src/content/staticNS.js b/src/content/staticNS.js index 6002bfd..0cd254c 100644 --- a/src/content/staticNS.js +++ b/src/content/staticNS.js @@ -51,7 +51,9 @@ // to store per-tab information, erasing it as soon as we see it // (before any content can access it) - if (this.config.MARKER = MARKER) { + let checkUnrestricted = challenge => sha256(`${MARKER}:${challenge}`); + + if ((this.config.MARKER = MARKER) && permissions) { let cookieRx = new RegExp(`(?:^|;\\s*)(${MARKER}(?:_\\d+){2})=([^;]*)`); let match = document.cookie.match(cookieRx); if (match) { @@ -63,9 +65,21 @@ } catch (e) { error(e); } + } else if (window !== window.top) { + // The cookie hack won't work for non-HTTP subframes (issue #48), + // or the cookie might have been deleted in a race condition, + // so here we try to check the parent + let checkParent = parent.wrappedJSObject.checkNoScriptUnrestricted; + if (checkParent) { + let challenge = uuid(); + let unrestricted = checkParent(challenge) === checkUnrestricted(challenge); + this.config.tabInfo = {unrestricted, inherited: true}; + } } } + if (!this.config.permissions || this.config.tabInfo.unrestricted) { + exportFunction(checkUnrestricted, window, {defineAs: "checkNoScriptUnrestricted"}); debug("%s is loading unrestricted by user's choice (%o).", document.URL, this.config); this.allows = () => true; this.capabilities = Object.assign( |