Added window.open protection

lib/iframeProtection.js

@@ -262,6 +262,32 @@
 		);
 	}
 	
+	function protectWindowOpen({window, wrappedWindow, changeProperty, singleCallback}){
+		const windowOpenDescriptor = Object.getOwnPropertyDescriptor(
+			wrappedWindow,
+			"open"
+		);
+		const windowOpen = windowOpenDescriptor.value;
+		const getDocument = Object.getOwnPropertyDescriptor(
+			window,
+			"document"
+		).get;
+		changeProperty(
+			wrappedWindow,
+			"open", "value", exportFunction(function open(){
+				const newWindow = arguments.length?
+					windowOpen.apply(this, window.Array.from(arguments)):
+					windowOpen.call(this);
+				if (newWindow){
+					// if we use windowOpen from the normal window we see some SOP errors
+					// BUT we need the unwrapped window...
+					singleCallback(getDocument.call(newWindow).defaultView);
+				}
+				return newWindow;
+			}, window)
+		);
+	}
+	
 	scope.protect = function protect(window, wrappedWindow, singleCallback, allCallback){
 		const changeProperty = createChangeProperty(window);
 		
@@ -280,5 +306,7 @@
 		
 		// MutationObserver does not trigger fast enough when document.write is used
 		protectDocumentWrite(api);
+		
+		protectWindowOpen(api);
 	};
 }());

releaseNotes.txt

@@ -12,6 +12,7 @@ Version 0.5.15:
 		- settings sanitation: added missing APIs
 		- navigator.oscpu and navigator.buildID are undefined in non Gecko browsers
 		- resetting the settings had undesired side effects
+		- added window.open protection
 	
 	known issues:
 		- if a data URL is blocked the page action button does not appear

test/test.html

@@ -65,5 +65,11 @@
 	Hash: <span class="hash"></span> (isPointInPath: <span class="isPointInPath"></span>)
 	<button>refresh</button>
 </div>
+<div id="windowOpen">
+	<h3>window.open Test</h3>
+	<img class="display"><br>
+	Hash: <span class="hash"><i>click anywhere to populate</i></span> (isPointInPath: <span class="isPointInPath"></span>)
+	<button>refresh</button>
+</div>
 <script src="test.js"></script>
 </body></html>

test/test.js

@@ -45,6 +45,17 @@
 		catch (error){console.error(error);}
 		try {show(document.getElementById("iframe6"), dynamicIframeTest3());}
 		catch (error){console.error(error);}
+		window.addEventListener("click", function windowOpenTest(){
+			window.removeEventListener("click", windowOpenTest);
+			var newWindow = window.open("/");
+			try{
+				show(document.getElementById("windowOpen"), copyToDifferentDocumentTest(newWindow.document));
+			}
+			catch (error){
+				console.error(error);
+			}
+			newWindow.close();
+		});
 	}
 	document.querySelector("#top button").addEventListener("click", function(){
 		show(document.getElementById("top"), topTest());
@@ -67,6 +78,11 @@
 	document.querySelector("#iframe6 button").addEventListener("click", function(){
 		show(document.getElementById("iframe6"), dynamicIframeTest3());
 	});
+	document.querySelector("#windowOpen button").addEventListener("click", function(){
+		var newWindow = window.open("/");
+		show(document.getElementById("windowOpen"), copyToDifferentDocumentTest(newWindow.document));
+		newWindow.close();
+	});
 }());
 
 function draw(canvas){

versions/updates.json

@@ -81,6 +81,10 @@
 				{
 					"version": "0.5.15Alpha20191111",
 					"update_link": "https://canvasblocker.kkapsner.de/versions/canvasblocker_beta-0.5.15Alpha20191111-an+fx.xpi"
+				},
+				{
+					"version": "0.5.15RC1",
+					"update_link": "https://canvasblocker.kkapsner.de/versions/canvasblocker_beta-0.5.15RC1-an+fx.xpi"
 				}
 			]
 		}