security-and-privacy/CanvasBlocker
security-and-privacy
/
CanvasBlocker
mirror of https://github.com/kkapsner/CanvasBlocker
1
0
Fork 0
Code Releases Activity

Improved protection of (i)frame properties 

Fixes #364
This commit is contained in:
kkapsner 2019-06-04 08:42:31 +02:00
parent ef1c45efab
commit c3d4a1901c
3 changed files with 45 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
lib/iframeProtection.js
View File

@ -11,43 +11,52 @@
else { else {
scope = require.register("./iframeProtection", {}); scope = require.register("./iframeProtection", {});
} }
const {getWrapped} = require("./modifiedAPIFunctions");
scope.protect = function protect(window, wrappedWindow, singleCallback, allCallback){ scope.protect = function protect(window, wrappedWindow, singleCallback, allCallback){
[window.HTMLIFrameElement, window.HTMLFrameElement].forEach(function(constructor){ ["HTMLIFrameElement", "HTMLFrameElement"].forEach(function(constructorName){
var oldContentWindowGetter = constructor.prototype.__lookupGetter__("contentWindow"); const constructor = window[constructorName];
Object.defineProperty( const wrappedConstructor = wrappedWindow[constructorName];
getWrapped(constructor.prototype),
"contentWindow", const contentWindowDescriptor = Object.getOwnPropertyDescriptor(
{ constructor.prototype,
enumerable: true, "contentWindow"
configurable: true,
get: exportFunction(function(){
var window = oldContentWindowGetter.call(this);
if (window){
singleCallback(window);
}
return window;
}, window)
}
); );
var oldContentDocumentGetter = constructor.prototype.__lookupGetter__("contentDocument"); const originalContentWindowGetter = contentWindowDescriptor.get;
Object.defineProperty( const contentWindowTemp = {
getWrapped(constructor.prototype), get contentWindow(){
"contentDocument", var window = originalContentWindowGetter.call(this);
{ if (window){
enumerable: true, singleCallback(window);
configurable: true, }
get: exportFunction(function(){ return window;
var document = oldContentDocumentGetter.call(this);
if (document){
singleCallback(document.defaultView);
}
return document;
}, window)
} }
};
contentWindowDescriptor.get = exportFunction(
Object.getOwnPropertyDescriptor(contentWindowTemp, "contentWindow").get,
window
); );
Object.defineProperty(wrappedConstructor.prototype, "contentWindow", contentWindowDescriptor);
const contentDocumentDescriptor = Object.getOwnPropertyDescriptor(
constructor.prototype,
"contentDocument"
);
const originalContentDocumentGetter = contentDocumentDescriptor.get;
const contentDocumentTemp = {
get contentDocument(){
var document = originalContentDocumentGetter.call(this);
if (document){
singleCallback(document.defaultView);
}
return document;
}
};
contentDocumentDescriptor.get = exportFunction(
Object.getOwnPropertyDescriptor(contentDocumentTemp, "contentDocument").get,
window
);
Object.defineProperty(wrappedConstructor.prototype, "contentDocument", contentDocumentDescriptor);
}); });
[ [
// useless as length could be obtained before the iframe is created and window.frames === window // useless as length could be obtained before the iframe is created and window.frames === window

2
releaseNotes.txt
View File

@ -6,7 +6,7 @@ Version 0.5.11:
- -
fixes: fixes:
- - improved protection of (i)frame properties
known issues: known issues:
- if a data URL is blocked the page action button does not appear - if a data URL is blocked the page action button does not appear

4
test/detectionTest.js
View File

@ -200,6 +200,10 @@ addTest("function name", function(log){
func: window.__lookupSetter__("name"), func: window.__lookupSetter__("name"),
expectedName: "set name" expectedName: "set name"
}, },
{
func: HTMLIFrameElement.prototype.__lookupGetter__("contentDocument"),
expectedName: "get contentDocument"
},
].map(checkName).some(function(b){return b;}); ].map(checkName).some(function(b){return b;});
}); });
addTest("property descriptor", function(log){ addTest("property descriptor", function(log){