Mirror
/
nuTensor
mirror of https://github.com/geekprojects/nuTensor.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

code review following feedback: 821e45751a (commitcomment-26587989)

pull/2/head
Raymond Hill 7 years ago
parent
35ddcc80eb
commit
6df5e5212c
No known key found for this signature in database GPG Key ID: 25E1490B761470C2
5 changed files with 24 additions and 44 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      src/css/popup.css
  2. 2
      src/js/background.js
  3. 56
      src/js/contentscript-start.js
  4. 6
      src/js/contentscript.js
  5. 2
      src/js/traffic.js

2
src/css/popup.css
View File

@ -129,7 +129,7 @@ body .toolbar button.fa {
stroke: none;
}
#mtxSwitches > li.relevant > svg .dot {
fill: #888;
fill: #aaa;
}
#mtxSwitches > li.switchTrue.relevant > svg .dot {
fill: #eee;

2
src/js/background.js
View File

@ -110,7 +110,7 @@ return {
},
clearBrowserCacheCycle: 0,
cspNoInlineScript: "script-src 'unsafe-eval' blob: *; report-uri about:blank",
cspNoInlineScript: "script-src 'unsafe-eval' blob: *",
cspNoWorker: undefined,
updateAssetsEvery: 11 * oneDay + 1 * oneHour + 1 * oneMinute + 1 * oneSecond,
firstUpdateAfter: 11 * oneMinute,

56
src/js/contentscript-start.js
View File

@ -30,11 +30,9 @@
if ( typeof vAPI !== 'object' ) { return; }
vAPI.selfScriptSrcReported = vAPI.selfScriptSrcReported || false;
vAPI.selfWorkerSrcReported = vAPI.selfWorkerSrcReported || false;
var reBadScriptSrc = /script-src[^;,]+?'(?:unsafe-inline|nonce-[^']+)'/,
reGoodWorkerSrc = /(?:child|worker)-src[^;,]+?'none'/;
var reGoodWorkerSrc = /(?:child|worker)-src[^;,]+?'none'/;
var handler = function(ev) {
if (
@ -44,54 +42,38 @@
return false;
}
// We do not want to report internal resources more than once.
// However, we do want to report external resources each time.
// TODO: this could eventually lead to duplicated reports for external
// resources if another extension uses the same approach as
// uMatrix. Think about what could be done to avoid duplicate
// reports.
var internal = ev.blockedURI.includes('://') === false;
// Firefox and Chromium differs in how they fill the
// 'effectiveDirective' property. Need to normalize here.
var directive = ev.effectiveDirective;
if ( directive.startsWith('script-src') ) {
if ( internal && vAPI.selfScriptSrcReported ) { return true; }
directive = 'script-src';
} else if (
directive.startsWith('worker-src') ||
directive.startsWith('child-src')
// 'effectiveDirective' property.
if (
ev.effectiveDirective.startsWith('worker-src') === false &&
ev.effectiveDirective.startsWith('child-src') === false
) {
if ( internal && vAPI.selfWorkerSrcReported ) { return true; }
directive = 'worker-src';
} else {
return false;
}
// Further validate that the policy violation is relevant to uMatrix:
// the event still could have been fired as a result of a CSP header
// not injected by uMatrix.
if ( directive === 'script-src' ) {
if ( reBadScriptSrc.test(ev.originalPolicy) === true ) {
return false;
}
if ( internal ) {
vAPI.selfScriptSrcReported = true;
}
} else /* if ( directive === 'worker-src' ) */ {
if ( reGoodWorkerSrc.test(ev.originalPolicy) === false ) {
return false;
}
if ( internal ) {
vAPI.selfWorkerSrcReported = true;
}
if ( reGoodWorkerSrc.test(ev.originalPolicy) === false ) {
return false;
}
// We do not want to report internal resources more than once.
// However, we do want to report external resources each time.
// TODO: this could eventually lead to duplicated reports for external
// resources if another extension uses the same approach as
// uMatrix. Think about what could be done to avoid duplicate
// reports.
if ( ev.blockedURI.includes('://') === false ) {
if ( vAPI.selfWorkerSrcReported ) { return true; }
vAPI.selfWorkerSrcReported = true;
}
vAPI.messaging.send(
'contentscript.js',
{
what: 'securityPolicyViolation',
directive: directive,
directive: 'worker-src',
blockedURI: ev.blockedURI,
documentURI: ev.documentURI,
blocked: ev.disposition === 'enforce'

6
src/js/contentscript.js
View File

@ -408,15 +408,15 @@ var collapser = (function() {
(function() {
if (
vAPI.selfScriptSrcReported !== true &&
document.querySelector('script:not([src])') !== null
document.querySelector('script:not([src])') !== null ||
document.querySelector('a[href^="javascript:"]') !== null ||
document.querySelector('[onabort],[onblur],[oncancel],[oncanplay],[oncanplaythrough],[onchange],[onclick],[onclose],[oncontextmenu],[oncuechange],[ondblclick],[ondrag],[ondragend],[ondragenter],[ondragexit],[ondragleave],[ondragover],[ondragstart],[ondrop],[ondurationchange],[onemptied],[onended],[onerror],[onfocus],[oninput],[oninvalid],[onkeydown],[onkeypress],[onkeyup],[onload],[onloadeddata],[onloadedmetadata],[onloadstart],[onmousedown],[onmouseenter],[onmouseleave],[onmousemove],[onmouseout],[onmouseover],[onmouseup],[onwheel],[onpause],[onplay],[onplaying],[onprogress],[onratechange],[onreset],[onresize],[onscroll],[onseeked],[onseeking],[onselect],[onshow],[onstalled],[onsubmit],[onsuspend],[ontimeupdate],[ontoggle],[onvolumechange],[onwaiting],[onafterprint],[onbeforeprint],[onbeforeunload],[onhashchange],[onlanguagechange],[onmessage],[onoffline],[ononline],[onpagehide],[onpageshow],[onrejectionhandled],[onpopstate],[onstorage],[onunhandledrejection],[onunload],[oncopy],[oncut],[onpaste]') !== null
) {
vAPI.messaging.send('contentscript.js', {
what: 'securityPolicyViolation',
directive: 'script-src',
documentURI: window.location.href
});
vAPI.selfScriptSrcReported = true;
}
collapser.addMany(document.querySelectorAll('img'));

2
src/js/traffic.js
View File

@ -310,8 +310,6 @@ var onHeadersReceived = function(details) {
// blocked by our request handler.
if ( µm.mustAllow(rootHostname, requestHostname, 'script' ) !== true ) {
csp.push(µm.cspNoInlineScript);
} else {
cspReport.push(µm.cspNoInlineScript);
}
// TODO: Firefox will eventually support `worker-src`:

Write Preview
Loading…
Cancel
Save