From 21810063d0851fb88623d0458fa4fc2cd054b0db Mon Sep 17 00:00:00 2001
From: hackademix
Date: Thu, 26 Jul 2018 23:23:11 +0200
Subject: Disable scripting in HTML-embedding objects where webglHook cannot run, if webgl not allowed.

---
 src/bg/RequestGuard.js | 15 ++++++++++++---
 src/bg/RequestUtil.js | 12 ++++--------
 src/content/content.js | 4 ++--
 src/content/media.js | 2 +-
 src/content/webglHook.js | 2 +-
 5 files changed, 20 insertions(+), 15 deletions(-)

(limited to 'src')

diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js
index 5a281fb..d13bf4b 100644
--- a/src/bg/RequestGuard.js
+++ b/src/bg/RequestGuard.js
@@ -390,8 +390,17 @@ var RequestGuard = (() => {
 if (policy.autoAllowTop && request.type === "main_frame" && perms === policy.DEFAULT) {
 policy.set(Sites.optimalKey(url), perms = policy.TRUSTED.tempTwin);
 }
-
+
 let {capabilities} = perms;
+ let isObject = request.type === "object";
+ if (isObject && !capabilities.has("webgl")) { // we can't inject webglHook
+ debug("Disabling scripts in object %s to prevent webgl abuse", url);
+ capabilities = new Set(capabilities);
+ capabilities.delete("script");
+ let r = Object.assign({}, request, {type: "webgl"});
+ TabStatus.record(r, "blocked");
+ Content.reportTo(r, false, "webgl");
+ }
 let canScript = capabilities.has("script");
 let blockedTypes;
 
@@ -419,7 +428,7 @@ var RequestGuard = (() => {
 blocker = CSP.createBlocker(...blockedTypes);
 }
 
- if (canScript) {
+ if (canScript && !isObject) {
 if (!capabilities.has("webgl")) {
 RequestUtil.executeOnStart(request, {
 file: "/content/webglHook.js"
@@ -427,7 +436,7 @@ var RequestGuard = (() => {
 }
 if (!capabilities.has("media")) {
 RequestUtil.executeOnStart(request, {
- code: "window.mediaBlocker = correctFrame();"
+ code: "window.mediaBlocker = true;"
 });
 }
 
diff --git a/src/bg/RequestUtil.js b/src/bg/RequestUtil.js
index 690d7ba..a5af09e 100644
--- a/src/bg/RequestUtil.js
+++ b/src/bg/RequestUtil.js
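Review bot: The new branch strips `script` only when `webgl` is denied, yet the same injection gap applies to the media hook: with `!isObject` in the hunk below and the `type === "object"` early return this commit adds to RequestUtil.executeOnStart, an object document that is allowed webgl but denied media keeps its scripts and never receives `window.mediaBlocker`. If that hook covers anything the CSP media blocking does not, widen the guard to `if (isObject && !(capabilities.has("webgl") && capabilities.has("media"))) {` and generalize the debug/report type accordingly. The `new Set(capabilities)` copy is the right move because `perms` appears to be one of the policy's shared preset objects; say so on the line: `capabilities = new Set(capabilities); // copy: never mutate the policy's own Set`. The enclosing function begins before this hunk, so any later code reading `perms.capabilities` instead of the local copy would still see scripts allowed.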
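Review bot: `!isObject` is now the third guard protecting the same thing — `canScript` is already false for objects denied webgl after the hunk above, and RequestUtil.executeOnStart returns early for `type === "object"` in this same commit — so a reader cannot tell which check is authoritative or whether any can be dropped. Keep it as defense in depth but state that: `if (canScript && !isObject) { // objects: executeOnStart refuses them, and scripts are stripped above when webgl is off`. The enclosing function starts and ends outside this hunk.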
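Review bot: With `correctFrame()` gone, `window.mediaBlocker = true` lands on whatever document occupies the target frame when executeScript succeeds, and `run()` in RequestUtil retries up to ten times; since Firefox keeps a frame's `frameId` across navigations, the flag can end up on the previous document (and the one this request is for then loads unflagged) or on a later one whose policy allows media. The old precision is one line: `code: \`if (document.URL === ${JSON.stringify(url)}) window.mediaBlocker = true;\`` — `url` is in scope per the debug call in the first hunk, and JSON.stringify is safer than the bare `"${url}"` interpolation the removed helper used. How the retry loop decides success is outside this view, so treat the race as likely rather than proven. The enclosing function continues past this hunk.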
@@ -24,14 +24,13 @@
 let scripts = pendingScripts.get(requestId);
 if (!scripts) return -1;
 pendingScripts.delete(requestId);
-
- let where = type === "object" ? {allFrames: true} : {frameId};
 let count = 0;
 let run = async details => {
 details = Object.assign({
 runAt: "document_start",
 matchAboutBlank: true,
- }, details, where);
+ frameId
+ }, details);
 try {
 let res;
 for (let attempts = 10; attempts-- > 0;) {
@@ -49,17 +48,14 @@
 error(e, "Execute on start failed", url, details);
 }
 };
-
- await run({code: `void(window.correctFrame = () => "${url}" === document.URL && document.readyState === "loading")`});
 await Promise.all([...scripts.values()].map(run));
- await run({code: `void(window.correctFrame = () => false)`});
 return count;
 };
 
 {
 let filter = {
 urls: [""],
- types: ["main_frame", "sub_frame", "object"]
+ types: ["main_frame", "sub_frame"]
 };
 let wr = browser.webRequest;
 for (let event of ["onCompleted", "onErrorOccurred"]) {
@@ -81,7 +77,7 @@
 
 executeOnStart(request, details) {
 let {requestId, url, tabId, frameId, statusCode, type} = request;
- if (statusCode >= 300 && statusCode < 400) return;
+ if (statusCode >= 300 && statusCode < 400 || type === "object") return;
 if (frameId === 0) {
 let key = tabKey(tabId, url);
 debug("Checking whether %s is a reloading tab...", key);
diff --git a/src/content/content.js b/src/content/content.js
index dd847f0..aea705e 100644
--- a/src/content/content.js
+++ b/src/content/content.js
@@ -100,8 +100,8 @@ async function init(oldPage = false) {
 }
 queryingCanScript = true;
- debug(`init() called in document %s, contentType %s readyState %s`,
- document.URL, document.contentType, document.readyState);
+ debug(`init() called in document %s, contentType %s readyState %s, frameElement %o`,
+ document.URL, document.contentType, document.readyState, window.frameElement && frameElement.data);
 try {
 let {canScript, shouldScript} = await browser.runtime.sendMessage({type: "canScript"});
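Review bot: `frameId` is now merged into the defaults before `details`, so any `frameId` (or `allFrames`) a caller puts in `details` silently retargets the injection, whereas the removed `where` was merged last and could not be overridden. Both call sites visible in this commit pass only `file`/`code`, but where a security hook lands should not hinge on that; merge it last, `}, details, {frameId});`, and record the intent: `// frameId last so callers cannot retarget the injection`. The surrounding function starts before and ends after this hunk.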
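Review bot: After dropping `"object"` from `types`, the cleanup listeners registered a few lines below fire only for `main_frame`/`sub_frame`, so `pendingScripts` stays consistent only as long as executeOnStart (next hunk) keeps refusing objects before whatever registers them — an invariant split across two hunks with nothing tying them together. Add `// keep in sync with the types executeOnStart accepts; an unmatched type leaks its pendingScripts entry` on the `types` line. The `urls: [""]` on the context line is presumably `<all_urls>` with the angle-bracketed token eaten by the page renderer; if it really were an empty pattern these listeners would match nothing. The enclosing function and block both extend beyond this hunk.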
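Review bot: `statusCode >= 300 && statusCode < 400 || type === "object"` is correct only because `&&` binds tighter than `||`, and it folds a policy decision into a redirect check. Split it so each reason is visible: `if (statusCode >= 300 && statusCode < 400) return; // redirect: nothing to inject` and `if (type === "object") return; // webglHook cannot be injected here; RequestGuard strips scripts instead`. A `debug(...)` before the object return would also make it obvious in traces why a hook never arrived. The function continues past the hunk.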
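Review bot: The new argument mixes `window.frameElement` with a bare `frameElement`; reading the same property both ways is a style trap, and `window.frameElement && window.frameElement.data` says what is meant. `.data` is presumably the embedding `<object>`'s URL and will be `undefined` for an `<iframe>` embedder, which is fine for a debug line but worth a word: `// .data: set for <object> embedders only`. `init()` starts before this hunk and ends after it.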
diff --git a/src/content/media.js b/src/content/media.js
index ead6e05..5a6827a 100644
--- a/src/content/media.js
+++ b/src/content/media.js
@@ -1,4 +1,4 @@
-if (correctFrame()) {
+{
 debug("Media Hook (blocked %s)", !!window.mediaBlocker, document.URL, document.documentElement && document.documentElement.innerHTML);
 (() => {
 let unpatched = new Map();
diff --git a/src/content/webglHook.js b/src/content/webglHook.js
index 39637e2..171ce59 100644
--- a/src/content/webglHook.js
+++ b/src/content/webglHook.js
@@ -1,4 +1,4 @@
-if (correctFrame()) {
+{
 debug("WebGL Hook", document.URL, document.documentElement && document.documentElement.innerHTML);
 let proto = HTMLCanvasElement.prototype;
 let getContext = proto.getContext;
-- 
cgit v1.2.3
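Review bot: The bare `{` keeps the block but drops the only in-document check, so the hook now installs into whatever document the injection reached and samples `window.mediaBlocker` once, at that moment; whether the injected `window.mediaBlocker = true` snippet is guaranteed to run before this file is not visible here, and if it is not, `!!window.mediaBlocker` reads false. Say why the guard went away so nobody re-adds it: `{ // frame targeting is done by the injector (frameId); the block only scopes locals`. The `document.documentElement.innerHTML` argument dumps the whole DOM into the debug log — pre-existing, but worth trimming if debug output can ever be enabled in a release. The block continues past the hunk.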
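Review bot: As in media.js, the block now runs unconditionally, so the comment explaining the bare `{` belongs here too: `{ // injected per-frame by RequestUtil.executeOnStart (frameId); no in-document check needed`. RequestGuard now emits a synthetic `"webgl"` block report for script-stripped objects; if this hook reports through a different path when `getContext` is refused (outside the hunk), the two should agree on type so the UI counts them alike. The block continues past the hunk.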