inject.preload.js - Issue 29586710: Issue 5382 - Wrap DOM mutation APIs to protect frames

Unified Diff: inject.preload.js

Issue 29586710: Issue 5382 - Wrap DOM mutation APIs to protect frames (Closed) Base URL: https://hg.adblockplus.org/adblockpluschrome/

Patch Set: Refactor Created Oct. 24, 2017, 1:39 a.m.

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: inject.preload.js

===================================================================

--- a/inject.preload.js

+++ b/inject.preload.js

@@ -67,53 +67,52 @@

"(" + injectedToString() + ")('" + eventName + "', true);"

);

delete contentWindow[eventName];

}

catch (e) {}

}

- for (let element of [HTMLFrameElement, HTMLIFrameElement, HTMLObjectElement])

+ function injectIntoAllFrames()

+ {

+ for (let i = 0; i < window.length; i++)

+ injectIntoContentWindow(window[i]);

+ }

+ function wrapAPIForInjection(object, api, callback)

{

- let contentDocumentDesc = Object.getOwnPropertyDescriptor(

- element.prototype, "contentDocument"

- );

- let contentWindowDesc = Object.getOwnPropertyDescriptor(

- element.prototype, "contentWindow"

- );

- // Apparently in HTMLObjectElement.prototype.contentWindow does not exist

- // in older versions of Chrome such as 42.

- if (!contentWindowDesc)

- continue;

+ let func = object[api];

+ object[api] = function(...args)

+ {

+ let returnValue = func.apply(this, args);

kzar 2017/12/11 08:48:13 I think func.apply could have been messed with at

Manish Jethani 2018/02/21 16:37:39 Thanks, for this one in particular now I've bound

+ callback(returnValue);

+ return returnValue;

+ };

+ }

- let getContentDocument = Function.prototype.call.bind(

- contentDocumentDesc.get

- );

- let getContentWindow = Function.prototype.call.bind(

- contentWindowDesc.get

- );

+ function wrapPropertyAPIForInjection(object, api, method, callback)

+ {

+ let descriptor = Object.getOwnPropertyDescriptor(object, api);

+ wrapAPIForInjection(descriptor, method, callback);

+ Object.defineProperty(object, api, descriptor);

+ }

- contentWindowDesc.get = function()

- {

- let contentWindow = getContentWindow(this);

- injectIntoContentWindow(contentWindow);

- return contentWindow;

- };

- contentDocumentDesc.get = function()

- {

- injectIntoContentWindow(getContentWindow(this));

- return getContentDocument(this);

- };

- Object.defineProperty(element.prototype, "contentWindow",

- contentWindowDesc);

- Object.defineProperty(element.prototype, "contentDocument",

- contentDocumentDesc);

- }

+ wrapAPIForInjection(Node.prototype, "appendChild", injectIntoAllFrames);

+ wrapAPIForInjection(Node.prototype, "insertBefore", injectIntoAllFrames);

+ wrapAPIForInjection(Node.prototype, "replaceChild", injectIntoAllFrames);

+ wrapPropertyAPIForInjection(Element.prototype,

+ "innerHTML", "set", injectIntoAllFrames);

+ wrapPropertyAPIForInjection(HTMLObjectElement.prototype,

Manish Jethani 2017/10/24 01:43:28 HTMLFrameElement and HTMLIFrameElement don't need

kzar 2017/12/11 08:48:13 Fair enough but did you check that it's OK with Ch

Manish Jethani 2018/02/21 16:37:39 I've added a check now so if the descriptor is not

+ "contentWindow", "get", injectIntoContentWindow);

+ wrapPropertyAPIForInjection(HTMLObjectElement.prototype,

+ "contentDocument", "get",

+ doc => injectIntoContentWindow(doc.defaultView));

* Shadow root getter wrapper

* After creating our shadowRoot we must wrap the getter to prevent the

* website from accessing it (#4191, #4298). This is required as a

* workaround for the lack of user style support in Chrome.

* See https://bugs.chromium.org/p/chromium/issues/detail?id=632009&desc=2

« no previous file with comments | « no previous file | no next file » | no next file with comments »