Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code
Issues
All Issues

Side by Side Diff: inject.preload.js

Issue 29586710: Issue 5382 - Wrap DOM mutation APIs to protect frames (Closed) Base URL: https://hg.adblockplus.org/adblockpluschrome/
Patch Set: Rebase Created Feb. 21, 2018, 4:30 p.m.
Left:
Right:
Use n/p to move between diff chunks; N/P to move between comments.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * This file is part of Adblock Plus <https://adblockplus.org/>, 2 * This file is part of Adblock Plus <https://adblockplus.org/>,
3 * Copyright (C) 2006-present eyeo GmbH 3 * Copyright (C) 2006-present eyeo GmbH
4 * 4 *
5 * Adblock Plus is free software: you can redistribute it and/or modify 5 * Adblock Plus is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 3 as 6 * it under the terms of the GNU General Public License version 3 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 * 8 *
9 * Adblock Plus is distributed in the hope that it will be useful, 9 * Adblock Plus is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after
65 contentWindow[eventName] = checkRequest; 65 contentWindow[eventName] = checkRequest;
66 contentWindow.eval( 66 contentWindow.eval(
67 "(" + injectedToString() + ")('" + eventName + "', true);" 67 "(" + injectedToString() + ")('" + eventName + "', true);"
68 ); 68 );
69 delete contentWindow[eventName]; 69 delete contentWindow[eventName];
70 } 70 }
71 catch (e) {} 71 catch (e) {}
72 } 72 }
73 } 73 }
74 74
75 for (let element of [HTMLFrameElement, HTMLIFrameElement, HTMLObjectElement]) 75 function injectIntoAllFrames()
76 { 76 {
77 let contentDocumentDesc = Object.getOwnPropertyDescriptor( 77 for (let i = 0; i < window.length; i++)
78 element.prototype, "contentDocument" 78 injectIntoContentWindow(window[i]);
79 ); 79 }
80 let contentWindowDesc = Object.getOwnPropertyDescriptor(
81 element.prototype, "contentWindow"
82 );
83 80
84 // Apparently in HTMLObjectElement.prototype.contentWindow does not exist 81 function wrapAPIForInjection(object, api, callback)
85 // in older versions of Chrome such as 42. 82 {
86 if (!contentWindowDesc) 83 let func = object[api];
87 continue; 84 object[api] = function(...args)
85 {
86 let returnValue = func.apply(this, args);
87 callback(returnValue);
88 return returnValue;
89 };
90 }
88 91
89 let getContentDocument = Function.prototype.call.bind( 92 function wrapPropertyAPIForInjection(object, api, method, callback)
90 contentDocumentDesc.get 93 {
91 ); 94 let descriptor = Object.getOwnPropertyDescriptor(object, api);
92 let getContentWindow = Function.prototype.call.bind( 95 wrapAPIForInjection(descriptor, method, callback);
93 contentWindowDesc.get 96 Object.defineProperty(object, api, descriptor);
94 ); 97 }
95 98
96 contentWindowDesc.get = function() 99 wrapAPIForInjection(Node.prototype, "appendChild", injectIntoAllFrames);
97 { 100 wrapAPIForInjection(Node.prototype, "insertBefore", injectIntoAllFrames);
98 let contentWindow = getContentWindow(this); 101 wrapAPIForInjection(Node.prototype, "replaceChild", injectIntoAllFrames);
99 injectIntoContentWindow(contentWindow); 102
100 return contentWindow; 103 wrapPropertyAPIForInjection(Element.prototype,
101 }; 104 "innerHTML", "set", injectIntoAllFrames);
102 contentDocumentDesc.get = function() 105
103 { 106 wrapPropertyAPIForInjection(HTMLObjectElement.prototype,
104 injectIntoContentWindow(getContentWindow(this)); 107 "contentWindow", "get", injectIntoContentWindow);
105 return getContentDocument(this); 108 wrapPropertyAPIForInjection(HTMLObjectElement.prototype,
106 }; 109 "contentDocument", "get",
107 Object.defineProperty(element.prototype, "contentWindow", 110 doc => injectIntoContentWindow(doc.defaultView));
108 contentWindowDesc);
109 Object.defineProperty(element.prototype, "contentDocument",
110 contentDocumentDesc);
111 }
112 111
113 /* 112 /*
114 * Shadow root getter wrapper 113 * Shadow root getter wrapper
115 * 114 *
116 * After creating our shadowRoot we must wrap the getter to prevent the 115 * After creating our shadowRoot we must wrap the getter to prevent the
117 * website from accessing it (#4191, #4298). This is required as a 116 * website from accessing it (#4191, #4298). This is required as a
118 * workaround for the lack of user style support in Chrome. 117 * workaround for the lack of user style support in Chrome.
119 * See https://bugs.chromium.org/p/chromium/issues/detail?id=632009&desc=2 118 * See https://bugs.chromium.org/p/chromium/issues/detail?id=632009&desc=2
120 */ 119 */
121 if ("shadowRoot" in Element.prototype) 120 if ("shadowRoot" in Element.prototype)
(...skipping 286 matching lines...) Expand 10 before | Expand all | Expand 10 after
408 // Firefox 58 only bypasses site CSPs when assigning to 'src'. 407 // Firefox 58 only bypasses site CSPs when assigning to 'src'.
409 let url = URL.createObjectURL(new Blob([ 408 let url = URL.createObjectURL(new Blob([
410 "(" + injected + ")('" + randomEventName + "');" 409 "(" + injected + ")('" + randomEventName + "');"
411 ])); 410 ]));
412 script.src = url; 411 script.src = url;
413 document.documentElement.appendChild(script); 412 document.documentElement.appendChild(script);
414 document.documentElement.removeChild(script); 413 document.documentElement.removeChild(script);
415 URL.revokeObjectURL(url); 414 URL.revokeObjectURL(url);
416 } 415 }
417 } 416 }
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld