Fix fields hosted on braintree when window API is protected

Fixes #417
kkapsner 2020-01-02 11:41:13 +01:00
parent b361733c73
commit d09340e84f
10 changed files with 89 additions and 37 deletions


@ -1068,7 +1068,19 @@
"description": "" "description": ""
}, },
"protectWindow_askReCaptchaException": { "protectWindow_askReCaptchaException": {
"message": "Wenn die Window-API beschützt wird, funktioniert reCAPTCHA nicht mehr. Wollen Sie dafür eine Ausnahme hinzufügen?", "message": "Wenn die Window-API beschützt wird, funktioniert reCAPTCHA nicht mehr. Wollen Sie die window.name-API in eingebetteten Seiten erlauben, damit es wieder funktioniert?",
"description": ""
},
"allowWindowNameInFrames_title": {
"message": "Erlaube window.name in Frames",
"description": ""
},
"allowWindowNameInFrames_description": {
"message": "Die window.name-API ist im Kontext eingebetteter Seiten nicht besonders gefährlich und wird dort für legitime Anwendungen (z.B. reCAPTCHA) verwendet. Diese Einstellung erlaubt die Benutzung dort.",
"description": ""
},
"allowWindowNameInFrames_urlSpecific": {
"message": "Um die für bestimmte Seiten zu erlauben, klicken Sie auf den schwarzen Pfeil um das Menü zu öffnen, fügen Sie die gewünschte Domain oder URL mit einem Klick auf \\\"+\\\" hinzu und setzen Sie das zugehörige Häkchen.",
"description": "" "description": ""
}, },
"protectDOMRect_title": { "protectDOMRect_title": {
@ -1528,7 +1540,7 @@
"description": "" "description": ""
}, },
"preset_recaptcha_description": { "preset_recaptcha_description": {
"message": "Der window-API-Schutz macht reCAPTCHA unbenutzbar. Diese Voreinstellung fügt eine Ausnahme dafür hinzu.", "message": "Der window-API-Schutz macht reCAPTCHA unbenutzbar. Diese Voreinstellung erlaubt die Benutzung der window.name-API in eingebetteten Seite. Dadurch funktioniert es wieder.",
"description": "" "description": ""
} }
} }


@ -1111,7 +1111,20 @@
"description": "" "description": ""
}, },
"protectWindow_askReCaptchaException": { "protectWindow_askReCaptchaException": {
"message": "Protecting the window API breaks reCAPTCHA. Do you want to add an exception for it?", "message": "Protecting the window API breaks reCAPTCHA. Do you want to allow the window.name API in embedded pages which will make if work again?",
"description": ""
},
"allowWindowNameInFrames_title": {
"message": "Allow window.name in frames",
"description": ""
},
"allowWindowNameInFrames_description": {
"message": "The window.name API is not that dangerous in the context of embedded pages and it is used there for legitimate reasons (e.g. reCAPTCHA). This setting will allow these usages.",
"description": ""
},
"allowWindowNameInFrames_urlSpecific": {
"message": "To allow this for specific websites, click on the black arrow to open the menu, add the domain or URL by clicking on \"+\" and set its checkmark.",
"description": "" "description": ""
}, },
@ -1591,7 +1604,7 @@
"description": "" "description": ""
}, },
"preset_recaptcha_description": { "preset_recaptcha_description": {
"message": "Protecting the window API breaks reCAPTCHA. This preset adds an exception for it to work.", "message": "Protecting the window API breaks reCAPTCHA. This preset allows the usage of the window.name API in embedded pages which will make it work again.",
"description": "" "description": ""
} }
} }


@ -48,8 +48,14 @@
const temp = { const temp = {
get name(){ get name(){
return checkerWrapper(checker, this, arguments, function(args, check){ return checkerWrapper(checker, this, arguments, function(args, check){
const {notify, original} = check; const {notify, original, prefs} = check;
const originalName = original.call(this, ...args); const originalName = original.call(this, ...args);
if (
this !== this.top &&
prefs("allowWindowNameInFrames", this.location)
){
return originalName;
}
const returnedName = windowNames.get(this) || ""; const returnedName = windowNames.get(this) || "";
if (originalName !== returnedName){ if (originalName !== returnedName){
notify("fakedWindowReadout"); notify("fakedWindowReadout");
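Review bot: The early return for frames hands back the real `window.name`, but nothing in the code says which URL the preference is matched against. `prefs("allowWindowNameInFrames", this.location)` is evaluated with the frame's own location, so a URL-specific entry has to match the embedded page rather than the site embedding it; a comment such as `// frames only: pref is matched against the frame's own URL, not the embedding page` above the `if` would make that explicit. The setter is not in this hunk, so it cannot be confirmed here that writes in an allowed frame reach the real name; if they are still diverted to `windowNames`, the frame would read back a value it did not write. The getter's body continues past the end of the hunk.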


@ -321,6 +321,11 @@
defaultValue: false, defaultValue: false,
urlSpecific: true urlSpecific: true
}, },
{
name: "allowWindowNameInFrames",
defaultValue: false,
urlSpecific: true
},
{ {
name: "protectDOMRect", name: "protectDOMRect",
defaultValue: true, defaultValue: true,
@ -383,7 +388,7 @@
}, },
{ {
name: "storageVersion", name: "storageVersion",
defaultValue: 0.6, defaultValue: 1.0,
fixed: true fixed: true
} }
]; ];


@ -15,11 +15,11 @@
const settingDefinitions = require("./settingDefinitions"); const settingDefinitions = require("./settingDefinitions");
scope.validVersions = [undefined, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6]; scope.validVersions = [undefined, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 1.0];
scope.transitions = { scope.transitions = {
"": function(){ "": function(){
return { return {
storageVersion: 0.6 storageVersion: 1.0
}; };
}, },
0.1: function(oldStorage){ 0.1: function(oldStorage){
@ -157,6 +157,25 @@
} }
return newStorage; return newStorage;
}, },
0.6: function (oldStorage){
const newStorage = {
storageVersion: 1.0
};
if (
oldStorage.hasOwnProperty("protectWindow") &&
oldStorage.protectWindow &&
oldStorage.hasOwnProperty("urlSettings") &&
Array.isArray(oldStorage.urlSettings) &&
oldStorage.urlSettings.filter(function(entry){
return entry.url === "^https://www\\.google\\.com/recaptcha/api2/(?:b?frame|anchor).*$";
}).some(function(entry){
return entry.protectWindow === false;
})
){
newStorage.allowWindowNameInFrames = true;
}
return newStorage;
}
}; };
scope.check = function(storage, {settings, logging}){ scope.check = function(storage, {settings, logging}){
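Review bot: The `0.6` transition turns on `allowWindowNameInFrames` but, as far as this hunk shows, leaves the old reCAPTCHA entry in `urlSettings` with `protectWindow: false` in place. If the caller carries `urlSettings` over unchanged (the merge is outside the hunk), migrated profiles keep the whole window API unprotected for those frames and also get the new global allowance, which is wider than the "changed to" wording in the release notes suggests. Consider having the transition also return a copy of `urlSettings` with `protectWindow` removed from the matching entry, or state in a comment that the old entry is kept on purpose. Since `oldStorage` may come from an imported settings file, `Object.prototype.hasOwnProperty.call(oldStorage, "protectWindow")` would also be more robust than calling the method on the object itself.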


@ -121,6 +121,7 @@
break; break;
} }
} }
delete json.storageVersion;
const keys = Object.keys(json); const keys = Object.keys(json);
keys.forEach(function(key){ keys.forEach(function(key){
const setting = settings.getDefinition(key); const setting = settings.getDefinition(key);
@ -132,9 +133,7 @@
} }
}); });
keys.forEach(function(key){ keys.forEach(function(key){
if (key !== "storageVersion"){ settings[key] = json[key];
settings[key] = json[key];
}
}); });
}, },
resetSettings: async function(){ resetSettings: async function(){
@ -560,31 +559,17 @@
document.body.appendChild(version); document.body.appendChild(version);
settings.onloaded(function(){ settings.onloaded(function(){
const reCaptchaEntry = "^https://www\\.google\\.com/recaptcha/api2/(?:b?frame|anchor).*$";
const {url: urlContainer} = settings.getContainers();
settings.on("protectWindow", async function({newValue}){ settings.on("protectWindow", async function({newValue}){
if (newValue){ if (newValue && !settings.allowWindowNameInFrames){
const urlValue = urlContainer.get(); const addException = await modal.confirm(
const matching = urlValue.filter(function(entry){ extension.getTranslation("protectWindow_askReCaptchaException"),
return entry.url === reCaptchaEntry; {
}); node: document.querySelector("[data-storage-name=protectWindow]"),
if ( selector: ".settingRow .content"
newValue &&
(
matching.length === 0 ||
matching[0].protectWindow
)
){
const addException = await modal.confirm(
extension.getTranslation("protectWindow_askReCaptchaException"),
{
node: document.querySelector("[data-storage-name=protectWindow]"),
selector: ".settingRow .content"
}
);
if (addException){
settings.set("protectWindow", false, reCaptchaEntry);
} }
);
if (addException){
settings.set("allowWindowNameInFrames", true);
} }
} }
}); });
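Review bot: Confirming the dialog in the `protectWindow` handler now calls `settings.set("allowWindowNameInFrames", true)` with no URL, so the allowance applies to frames on every site, whereas the removed code scoped its exception to the reCAPTCHA URL pattern. The setting is declared `urlSpecific: true`, so if the global scope is intended (the commit title suggests other hosted fields need it too), a comment like `// deliberately global: frames on any site may rely on window.name (reCAPTCHA, hosted fields)` would record that decision; the `recaptcha` preset has the same global effect. The `await modal.confirm(...)` also has no error handling, so a rejected dialog promise would go unhandled in this async listener.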


@ -23,8 +23,6 @@
"protectWindow": true "protectWindow": true
}, },
"recaptcha": { "recaptcha": {
"protectWindow": { "allowWindowNameInFrames": true
"^https://www\\.google\\.com/recaptcha/api2/(?:b?frame|anchor).*$": false
}
} }
} }


@ -583,6 +583,14 @@
} }
] ]
}, },
{
"name": "allowWindowNameInFrames",
"displayDependencies": [
{
"protectWindow": [true]
}
]
},
] ]
}, },
{ {


@ -4,6 +4,7 @@ Version 1.0:
- code cleanup - code cleanup
- added mail.google.com to the convenience preset - added mail.google.com to the convenience preset
- added reCAPTCHA preset - added reCAPTCHA preset
- the reCAPTCHA whitelisting entry is changed to "allow window.name in frames"
new features: new features:
- added screen protection - added screen protection
@ -18,6 +19,7 @@ Version 1.0:
- cross origin DOM manipulations - cross origin DOM manipulations
- window.name protection was detectable - window.name protection was detectable
- importing settings file with an older storage version did not work properly - importing settings file with an older storage version did not work properly
- fields hosted on braintree not working when window API was protected
known issues: known issues:
- if a data URL is blocked the page action button does not appear - if a data URL is blocked the page action button does not appear


@ -93,6 +93,10 @@
{ {
"version": "1.0RC3", "version": "1.0RC3",
"update_link": "https://canvasblocker.kkapsner.de/versions/canvasblocker_beta-1.0RC3-an+fx.xpi" "update_link": "https://canvasblocker.kkapsner.de/versions/canvasblocker_beta-1.0RC3-an+fx.xpi"
},
{
"version": "1.0RC4",
"update_link": "https://canvasblocker.kkapsner.de/versions/canvasblocker_beta-1.0RC4-an+fx.xpi"
} }
] ]
} }