From 762367a87b33ed209ea091e880f039e3ab22a0a0 Mon Sep 17 00:00:00 2001 From: kkapsner Date: Mon, 2 Dec 2019 22:57:11 +0100 Subject: [PATCH] Added window.open protection --- lib/iframeProtection.js | 28 ++++++++++++++++++++++++++++ releaseNotes.txt | 1 + test/test.html | 6 ++++++ test/test.js | 16 ++++++++++++++++ versions/updates.json | 4 ++++ 5 files changed, 55 insertions(+) diff --git a/lib/iframeProtection.js b/lib/iframeProtection.js index dc1f838..9e1295f 100644 --- a/lib/iframeProtection.js +++ b/lib/iframeProtection.js @@ -262,6 +262,32 @@ ); } + function protectWindowOpen({window, wrappedWindow, changeProperty, singleCallback}){ + const windowOpenDescriptor = Object.getOwnPropertyDescriptor( + wrappedWindow, + "open" + ); + const windowOpen = windowOpenDescriptor.value; + const getDocument = Object.getOwnPropertyDescriptor( + window, + "document" + ).get; + changeProperty( + wrappedWindow, + "open", "value", exportFunction(function open(){ + const newWindow = arguments.length? + windowOpen.apply(this, window.Array.from(arguments)): + windowOpen.call(this); + if (newWindow){ + // if we use windowOpen from the normal window we see some SOP errors + // BUT we need the unwrapped window... + singleCallback(getDocument.call(newWindow).defaultView); + } + return newWindow; + }, window) + ); + } + scope.protect = function protect(window, wrappedWindow, singleCallback, allCallback){ const changeProperty = createChangeProperty(window); @@ -280,5 +306,7 @@ // MutationObserver does not trigger fast enough when document.write is used protectDocumentWrite(api); + + protectWindowOpen(api); }; }()); \ No newline at end of file diff --git a/releaseNotes.txt b/releaseNotes.txt index 66e2bfe..2230664 100644 --- a/releaseNotes.txt +++ b/releaseNotes.txt @@ -12,6 +12,7 @@ Version 0.5.15: - settings sanitation: added missing APIs - navigator.oscpu and navigator.buildID are undefined in non Gecko browsers - resetting the settings had undesired side effects + - added window.open protection known issues: - if a data URL is blocked the page action button does not appear diff --git a/test/test.html b/test/test.html index d3dcd01..5c4ae15 100644 --- a/test/test.html +++ b/test/test.html @@ -65,5 +65,11 @@ Hash: (isPointInPath: ) +
+

window.open Test

+
+ Hash: click anywhere to populate (isPointInPath: ) + +
\ No newline at end of file diff --git a/test/test.js b/test/test.js index 5b4ed76..7daafef 100644 --- a/test/test.js +++ b/test/test.js @@ -45,6 +45,17 @@ catch (error){console.error(error);} try {show(document.getElementById("iframe6"), dynamicIframeTest3());} catch (error){console.error(error);} + window.addEventListener("click", function windowOpenTest(){ + window.removeEventListener("click", windowOpenTest); + var newWindow = window.open("/"); + try{ + show(document.getElementById("windowOpen"), copyToDifferentDocumentTest(newWindow.document)); + } + catch (error){ + console.error(error); + } + newWindow.close(); + }); } document.querySelector("#top button").addEventListener("click", function(){ show(document.getElementById("top"), topTest()); @@ -67,6 +78,11 @@ document.querySelector("#iframe6 button").addEventListener("click", function(){ show(document.getElementById("iframe6"), dynamicIframeTest3()); }); + document.querySelector("#windowOpen button").addEventListener("click", function(){ + var newWindow = window.open("/"); + show(document.getElementById("windowOpen"), copyToDifferentDocumentTest(newWindow.document)); + newWindow.close(); + }); }()); function draw(canvas){ diff --git a/versions/updates.json b/versions/updates.json index 2d65f28..0444299 100644 --- a/versions/updates.json +++ b/versions/updates.json @@ -81,6 +81,10 @@ { "version": "0.5.15Alpha20191111", "update_link": "https://canvasblocker.kkapsner.de/versions/canvasblocker_beta-0.5.15Alpha20191111-an+fx.xpi" + }, + { + "version": "0.5.15RC1", + "update_link": "https://canvasblocker.kkapsner.de/versions/canvasblocker_beta-0.5.15RC1-an+fx.xpi" } ] }