inject.preload.js - Issue 29451568: Issue 4494 - Avoid causing some sandbox related warnings

Side by Side Diff: inject.preload.js

Issue 29451568: Issue 4494 - Avoid causing some sandbox related warnings (Closed)

Patch Set: Created May 30, 2017, 9:22 a.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View unified diff | Download patch

OLD	NEW
1 /*	1 /*

2 * This file is part of Adblock Plus <https://adblockplus.org/>,	2 * This file is part of Adblock Plus <https://adblockplus.org/>,

3 * Copyright (C) 2006-2017 eyeo GmbH	3 * Copyright (C) 2006-2017 eyeo GmbH

4 *	4 *

5 * Adblock Plus is free software: you can redistribute it and/or modify	5 * Adblock Plus is free software: you can redistribute it and/or modify

6 * it under the terms of the GNU General Public License version 3 as	6 * it under the terms of the GNU General Public License version 3 as

7 * published by the Free Software Foundation.	7 * published by the Free Software Foundation.

8 *	8 *

9 * Adblock Plus is distributed in the hope that it will be useful,	9 * Adblock Plus is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of	10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

(...skipping 369 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
380 RealRTCPeerConnection.prototype.constructor = boundWrappedRTCPeerConnection;	380 RealRTCPeerConnection.prototype.constructor = boundWrappedRTCPeerConnection;

381	381

382 if ("RTCPeerConnection" in window)	382 if ("RTCPeerConnection" in window)

383 window.RTCPeerConnection = boundWrappedRTCPeerConnection;	383 window.RTCPeerConnection = boundWrappedRTCPeerConnection;

384 if ("webkitRTCPeerConnection" in window)	384 if ("webkitRTCPeerConnection" in window)

385 window.webkitRTCPeerConnection = boundWrappedRTCPeerConnection;	385 window.webkitRTCPeerConnection = boundWrappedRTCPeerConnection;

386 }	386 }

387	387

388 if (document instanceof HTMLDocument)	388 if (document instanceof HTMLDocument)

389 {	389 {

390 let script = document.createElement("script");	390 let sandbox = window.frameElement &&

391 script.type = "application/javascript";	391 window.frameElement.getAttribute("sandbox");
	Sebastian Noack 2017/05/30 09:41:16 Nit: The indentation looks a bit off here. Nit: The indentation looks a bit off here. kzar 2017/05/30 10:20:31 Done. Show quoted text On 2017/05/30 09:41:16, Sebastian Noack wrote: > Nit: The indentation looks a bit off here. Done.
392 script.async = false;	392 if (typeof sandbox != "string" \|\| sandbox.includes("allow-scripts"))
	Sebastian Noack 2017/05/30 09:41:16 What if allow-scripts is misspelled like "allow-sc What if allow-scripts is misspelled like "allow-scriptss"? kzar 2017/05/30 10:20:31 Well a false-positive doesn't matter here, it just Show quoted text On 2017/05/30 09:41:16, Sebastian Noack wrote: > What if allow-scripts is misspelled like "allow-scriptss"? Well a false-positive doesn't matter here, it just results in the warning being displayed. Sebastian Noack 2017/05/30 10:36:46 I wonder whether we even need this check. If scrip Show quoted text On 2017/05/30 10:20:31, kzar wrote: > On 2017/05/30 09:41:16, Sebastian Noack wrote: > > What if allow-scripts is misspelled like "allow-scriptss"? > > Well a false-positive doesn't matter here, it just results in the warning being > displayed. I wonder whether we even need this check. If scripts are not allowed this code won't run anyway, right? Sebastian Noack 2017/05/30 10:43:34 Never mind. We are in the extension's content scri Show quoted text On 2017/05/30 10:36:46, Sebastian Noack wrote: > On 2017/05/30 10:20:31, kzar wrote: > > On 2017/05/30 09:41:16, Sebastian Noack wrote: > > > What if allow-scripts is misspelled like "allow-scriptss"? > > > > Well a false-positive doesn't matter here, it just results in the warning > being > > displayed. > > I wonder whether we even need this check. If scripts are not allowed this code > won't run anyway, right? Never mind. We are in the extension's content script here, I mistakenly assumed that this is part of the injected code. Anyway, what I was initially suggesting here, was to use /(^\|\s)allow-scripts($\|\s)/.test(sandbox), which would be a little more accurrate. But it's not too important. I leave it up to you. LGTM either way. kzar 2017/05/30 12:27:15 Doing some further reading I realised that window. Show quoted text On 2017/05/30 10:43:34, Sebastian Noack wrote: > Anyway, what I was initially suggesting here, was to use > /(^\|\s)allow-scripts($\|\s)/.test(sandbox), which would be a little more > accurrate. But it's not too important. I leave it up to you. LGTM either way. Doing some further reading I realised that window.frameElement.sandbox.contains("allow-scripts") would be even better. But then I realised DOMTokenList is case sensitive, so while "ALLOW-SCRIPTS" would work, we wouldn't detect it! This was really bad, giving websites a way to circumvent our wrappers. So instead I've gone with your approach, adding the case insensitive flag. Done.
393 script.textContent = "(" + injected + ")('" + randomEventName + "');";	393 {

394 document.documentElement.appendChild(script);	394 let script = document.createElement("script");

395 document.documentElement.removeChild(script);	395 script.type = "application/javascript";

	396 script.async = false;

	397 script.textContent = "(" + injected + ")('" + randomEventName + "');";

	398 document.documentElement.appendChild(script);

	399 document.documentElement.removeChild(script);

	400 }

396 }	401 }

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »