Added protection for window.name and window.opener

As requested by #231. But this protection is disabled by default.
2025-07-04 04:26:35 +02:00 · 2018-08-27 00:33:39 +02:00 · 2018-08-27 00:33:39 +02:00 · 83efac5e49
commit 83efac5e49
parent fd7c4fabbd
13 changed files with 195 additions and 2 deletions
--- a/lib/askForPermission.js
+++ b/lib/askForPermission.js
@ -88,6 +88,7 @@
 						nocanvas: _("askForPermission"),
 						audio: _("askForAudioPermission"),
 						history: _("askForHistoryPermission"),
+						window: _("askForWindowPermission")
 					},
 					askStatus: {
 						alreadyAsked: {},
@ -101,6 +102,7 @@
 						nocanvas: _("askForInputPermission"),
 						audio: _("askForAudioInputPermission"),
 						history: _("askForHistoryInputPermission"),
+						window: _("askForWindowInputPermission")
 					},
 					askStatus: {
 						alreadyAsked: {},
@ -114,6 +116,7 @@
 						nocanvas: _("askForReadoutPermission"),
 						audio: _("askForAudioReadoutPermission"),
 						history: _("askForHistoryReadoutPermission"),
+						window: _("askForWindowReadoutPermission")
 					},
 					askStatus: {
 						alreadyAsked: {},
--- a/lib/modifiedAPI.js
+++ b/lib/modifiedAPI.js
@ -487,4 +487,5 @@
 	}
 	appendModified(modifiedAudioAPI);
 	appendModified(require("./modifiedHistoryAPI"));
+	appendModified(require("./modifiedWindowAPI"));
 }());
--- a/lib/modifiedWindowAPI.js
+++ b/lib/modifiedWindowAPI.js
@ -0,0 +1,87 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+(function(){
+	"use strict";
+	
+	var scope;
+	if ((typeof exports) !== "undefined"){
+		scope = exports;
+	}
+	else {
+		window.scope.modifiedWindowAPI = {};
+		scope = window.scope.modifiedWindowAPI;
+	}
+	
+	const {hasType, checkerWrapper} = require("./modifiedAPIFunctions");
+	
+	const windowNames = new WeakMap();
+	scope.changedGetters = [
+		{
+			objectGetters: [function(window){return window;}],
+			name: "opener",
+			getterGenerator: function(checker){
+				const temp = {
+					get opener(){
+						return checkerWrapper(checker, this, arguments, function(args, check){
+							const {prefs, notify, window, original} = check;
+							if (!prefs("protectWindow", window.location)){
+								return original.apply(this, window.Array.from(args));
+							}
+							const originalOpener = original.apply(this, window.Array.from(args));
+							if (originalOpener !== null){
+								notify("fakedWindowReadout");
+							}
+							return null;
+						});
+					}
+				};
+				return Object.getOwnPropertyDescriptor(temp, "opener").get;
+			}
+		},
+		{
+			objectGetters: [function(window){return window;}],
+			name: "name",
+			getterGenerator: function(checker){
+				const temp = {
+					get name(){
+						return checkerWrapper(checker, this, arguments, function(args, check){
+							const {prefs, notify, window, original} = check;
+							if (!prefs("protectWindow", window.location)){
+								return original.apply(this, window.Array.from(args));
+							}
+							const originalName = original.apply(this, window.Array.from(args));
+							const returnedName = windowNames.get(window) || "";
+							if (originalName !== returnedName){
+								notify("fakedWindowReadout");
+							}
+							return returnedName;
+						});
+					}
+				};
+				return Object.getOwnPropertyDescriptor(temp, "name").get;
+			},
+			setterGenerator: function(window, original){
+				const temp = {
+					set name(name){
+						original.apply(this, window.Array.from(arguments));
+						windowNames.set(window, name);
+					}
+				};
+				return Object.getOwnPropertyDescriptor(temp, "name").set;
+			}
+		}
+	];
+	
+	function getStatus(obj, status){
+		status = Object.create(status);
+		status.active = hasType(status, "readout");
+		return status;
+	}
+	
+	scope.changedGetters.forEach(function(changedGetter){
+		changedGetter.type = "readout";
+		changedGetter.getStatus = getStatus;
+		changedGetter.api = "window";
+	});
+}());
--- a/lib/settingDefinitions.js
+++ b/lib/settingDefinitions.js
@ -92,6 +92,9 @@
 				"getFrequencyResponse",
 				{name: "History-API", level: 1},
 				"length",
+				{name: "Window-API", level: 1},
+				"opener",
+				"name",
 			],
 			defaultKeyValue: false
 		},
@ -191,6 +194,7 @@
 				"canvas",
 				"audio",
 				"history",
+				"window",
 			],
 			defaultKeyValue: false
 		},
@ -243,6 +247,11 @@
 			name: "historyLengthThreshold",
 			defaultValue: 2
 		},
+		{
+			name: "protectWindow",
+			defaultValue: false,
+			urlSpecific: true
+		},
 		{
 			name: "blockDataURLs",
 			defaultValue: true