From d1dd278a81444e2203945fc213a4b69ed1ee49a7 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Thu, 14 Mar 2019 01:57:58 +0100
Subject: Selective handling of Tor Browser options and work-around for
 https://bugzilla.mozilla.org/show_bug.cgi?id=1532530

---
 src/xss/XSS.js | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

(limited to 'src/xss/XSS.js')

diff --git a/src/xss/XSS.js b/src/xss/XSS.js
index f95ea04..b7bffce 100644
--- a/src/xss/XSS.js
+++ b/src/xss/XSS.js
@@ -114,6 +114,13 @@ var XSS = (() => {
   return {
     async start() {
       let {onBeforeRequest} = browser.webRequest;
+      let  {xssScanRequestBody} = ns.sync;
+      if (xssScanRequestBody !== this.xssScanRequestBody) {
+        this.stop();
+        this.xssScanRequestBody = xssScanRequestBody;
+      }
+      this.xssBlockUnscannedPOST = ns.sync.xssBlockUnscannedPOST;
+
       if (onBeforeRequest.hasListener(requestListener)) return;
 
       await include("/legacy/Legacy.js");
@@ -135,7 +142,9 @@ var XSS = (() => {
       onBeforeRequest.addListener(requestListener, {
         urls: ["*://*/*"],
         types: ["main_frame", "sub_frame", "object"]
-      }, ["blocking", "requestBody"]);
+      },
+        // work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=1532530
+        xssScanRequestBody ? ["blocking", "requestBody"] : ["blocking"]);
     },
 
     stop() {
@@ -233,8 +242,11 @@ var XSS = (() => {
       ic.reset();
 
       let postInjection = xssReq.isPost &&
-        request.requestBody && request.requestBody.formData &&
-        ic.checkPost(request.requestBody.formData, skipParams);
+       (XSS.xssScanRequestBody ?
+          request.requestBody && request.requestBody.formData &&
+            ic.checkPost(request.requestBody.formData, skipParams)
+        : XSS.xssBlockUnscannedPOST && ns.requestCan(request, "script") && _("UnscannedXPost")
+      );
 
       let protectName = ic.nameAssignment;
       let urlInjection = ic.checkUrl(destUrl, skipRx);
-- 
cgit v1.2.3