From db4a5cb502854360386b1b76ccaa1779f4e263ce Mon Sep 17 00:00:00 2001
From: hackademix
Date: Thu, 26 Sep 2019 16:40:08 +0200
Subject: Fixed "Cascade top document restrictions" option not always applied
 to embedded elements.

---
 src/bg/RequestGuard.js | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

(limited to 'src/bg/RequestGuard.js')

diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js
index a3631c8..fc402db 100644
--- a/src/bg/RequestGuard.js
+++ b/src/bg/RequestGuard.js
@@ -261,6 +261,19 @@ var RequestGuard = (() => {
     return redirected;
   }
 
+  function intersectCapabilities(perms, frameAncestors) {
+    if (frameAncestors && frameAncestors.length > 0 && ns.sync.cascadeRestrictions) {
+      // cascade top document's restrictions to subframes
+      let topUrl = frameAncestors[frameAncestors.length - 1].url;
+      let topPerms = ns.policy.get(topUrl, topUrl).perms;
+      if (topPerms !== perms) {
+        let topCaps = topPerms.capabilities;
+        return new Set([...perms.capabilities].filter(c => topCaps.has(c)));
+      }
+    }
+    return perms.capabilities;
+  }
+
   const ABORT = {cancel: true}, ALLOW = {};
   const listeners = {
     onBeforeRequest(request) {
@@ -281,13 +294,18 @@ var RequestGuard = (() => {
             // livemark request or similar browser-internal, always allow;
             return ALLOW;
           }
+
           if (/^(?:data|blob):/.test(url)) {
             request._dataUrl = url;
             request.url = url = documentUrl;
           }
           let allowed = Sites.isInternal(url) ||
             !ns.isEnforced(request.tabId) ||
-            policy.can(url, policyType, originUrl);
+            intersectCapabilities(
+                policy.get(url, documentUrl).perms,
+                request.frameAncestors
+              ).has(policyType);
+
           Content.reportTo(request, allowed, policyType);
           if (!allowed) {
             debug(`Blocking ${policyType}`, request);
@@ -319,8 +337,7 @@ var RequestGuard = (() => {
         pending = pendingRequests.get(request.requestId);
       }
       pending.headersProcessed = true;
-      let {url, documentUrl, frameAncestors, statusCode, tabId,
-          responseHeaders, type} = request;
+      let {url, documentUrl, tabId, responseHeaders, type} = request;
       let isMainFrame = type === "main_frame";
       try {
         let capabilities;
@@ -334,17 +351,7 @@ var RequestGuard = (() => {
             }
             capabilities = perms.capabilities;
           } else {
-            capabilities = perms.capabilities;
-            if (frameAncestors && frameAncestors.length > 0 && ns.sync.cascadeRestrictions) {
-              // cascade top document's restrictions to subframes
-              let topUrl = frameAncestors.pop().url;
-              let topPerms = policy.get(topUrl, topUrl).perms;
-              if (topPerms !== perms) {
-                let topCaps = topPerms.capabilities;
-                // intersect capabilities
-                capabilities = new Set([...capabilities].filter(c => topCaps.has(c)));
-              }
-            }
+            capabilities = intersectCapabilities(perms, request.frameAncestors);
           }
         } else {
           if (isMainFrame || type === "sub_frame") {
-- 
cgit v1.2.3