From 5aff2e1d83cbe6bbaf6ae6db0fed41adc456286d Mon Sep 17 00:00:00 2001
From: hackademix
Date: Wed, 18 Mar 2020 22:51:07 +0100
Subject: Prevent ANY redirection to data: URIs in documents.
---
src/bg/ReportingCSP.js | 6 +++---
src/content/content.js | 11 +++++++++++
src/lib/CSP.js | 4 ++--
3 files changed, 16 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/bg/ReportingCSP.js b/src/bg/ReportingCSP.js
index 2da1bbc..e7ffe0a 100644
--- a/src/bg/ReportingCSP.js
+++ b/src/bg/ReportingCSP.js
@@ -35,11 +35,11 @@ function ReportingCSP(reportURI, reportGroup) {
h.name === REPORT_TO.name && h.value === REPORT_TO.value) {
needsReportTo = false;
} else if (blocker && /^(Location|Refresh)$/i.test(h.name)) {
+ // neutralize any HTTP redirection to data: URLs, like Chromium
let url = /^R/i.test(h.name)
? h.value.replace(/^[^,;]*[,;]url[^\w=]*=\s*/i, "") : h.value;
- let patched = CSP.patchDataURI(url, blocker);
- if (patched !== url) {
- h.value = h.value.slice(0, -url.length) + patched;
+ if (/^data:/i.test(url)) {
+ h.value = h.value.slice(0, -url.length) + "data:";
}
}
}
diff --git a/src/content/content.js b/src/content/content.js
index 3862a58..43827a2 100644
--- a/src/content/content.js
+++ b/src/content/content.js
@@ -114,3 +114,14 @@ ns.on("capabilities", () => {
ns.fetchPolicy();
notifyPage();
+
+addEventListener("DOMContentLoaded", e => {
+ if (ns.canScript) return;
+ for (let m of document.querySelectorAll("meta[http-equiv=refresh]")) {
+ if (/^[^,;]*[,;]url[^\w=]*=\s*data:/.test(m.getAttribute("content"))) {
+ let url = m.getAttribute("content").replace(/.*?(?=data:)/, "");
+ log(`Blocking refresh to ${url}`);
+ window.stop();
+ }
+ }
+});
diff --git a/src/lib/CSP.js b/src/lib/CSP.js
index f5a2161..ad0afa2 100644
--- a/src/lib/CSP.js
+++ b/src/lib/CSP.js
@@ -22,7 +22,7 @@ class CSP {
CSP.isEmbedType = type => /\b(?:application|video|audio)\b/.test(type) && type !== "application/xhtml+xml";
CSP.headerName = "content-security-policy";
CSP.patchDataURI = (uri, blocker) => {
- let parts = /^data:(?:[^,;]*ml)(;[^,]*)?,/i.exec(uri);
+ let parts = /^data:(?:[^,;]*ml|unknown-content-type)(;[^,]*)?,/i.exec(uri);
if (!(blocker && parts)) {
// not an interesting data: URI, return as it is
return uri;
@@ -33,6 +33,6 @@ CSP.patchDataURI = (uri, blocker) => {
}
// It's a HTML/XML page, let's prepend our CSP blocker to the document
let patch = parts[0] + encodeURIComponent(
- ``);
+ ``);
return uri.startsWith(patch) ? uri : patch + uri.substring(parts[0].length);
}
--
cgit v1.2.3