Secutiry update

Author: MrBlankCoding

README.md

@@ -53,12 +53,6 @@ node build.js
   * [ ] `GM_confirm`
   * [ ] Additional APIs as needed
 
-### Security & Permissions
-
-* [ ] Add new security settings
-* [ ] Allow scripts to load external resources
-* [ ] Ask for confirmation when a script runs on a website for the first time
-
 ### Editor
 
 * [ ] Reduce editor bundle size (~1.4 MB currently)

src/GM/gm_core.js

@@ -546,7 +546,12 @@
       });
     }
     // NEEDS HELP!
-    _handleCrossOriginXmlhttpRequest(details) {
+    async _handleCrossOriginXmlhttpRequest(details) {
+      const settings = await this.bridge.call("getSettings");
+      if (!settings.allowExternalResources) {
+        throw new Error("GM_xmlhttpRequest: Cross-origin requests are disabled by a security setting.");
+      }
+
       const callbacks = {};
       const cloneableDetails = {};
 
@@ -559,7 +564,17 @@
       });
 
       return this.bridge.call("xmlhttpRequest", { details: cloneableDetails })
-        .then((response) => {
+        .then(async (response) => {
+          if (response && cloneableDetails.responseType === 'blob' && response.response && typeof response.response === 'string' && response.response.startsWith('data:')) {
+            try {
+              const res = await fetch(response.response);
+              const blob = await res.blob();
+              response.response = blob;
+            } catch (e) {
+              console.error("CodeTweak: Failed to reconstruct blob from data URL.", e);
+            }
+          }
+
           if (callbacks.onload) {
             try {
               callbacks.onload(response);
@@ -596,7 +611,6 @@
     }
   }
 
-  // I feel like we could move this to its own independent file
   async function executeUserScriptWithDependencies(userCode, scriptId, requireUrls, loader) {
     // Set up error collection
     const errorHandler = (event) => {

src/background/background.js

@@ -194,6 +194,12 @@ async function handleGreasyForkInstall(url) {
 }
 
 async function handleCrossOriginXmlhttpRequest(details, tabId, sendResponse) {
+  const { settings = {} } = await chrome.storage.local.get("settings");
+  if (!settings.allowExternalResources) {
+    sendResponse({ error: "Cross-origin requests are disabled by a security setting." });
+    return;
+  }
+
   const { url, method = "GET", headers, data } = details;
 
   if (!url) {
@@ -333,7 +339,12 @@ chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
     }
     const { action, ...payload } = message.payload;
 
-    if (action === "xmlhttpRequest") {
+    if (action === "getSettings") {
+      chrome.storage.local.get("settings").then(({ settings = {} }) => {
+        sendResponse({ result: settings });
+      });
+      return true;
+    } else if (action === "xmlhttpRequest") {
       // Still not working properly....
       handleCrossOriginXmlhttpRequest(payload.details, sender.tab.id, sendResponse);
       return true;

src/dashboard/dashboard-logic.js

@@ -118,7 +118,8 @@ async function loadSettings(settingsElements) {
       enableAllScripts: true,
       showNotifications: true,
       confirmBeforeRunning: false,
-
+      allowExternalResources: true,
+      confirmFirstRun: false,
     };
 
     // Apply defaults and update storage if needed

src/dashboard/dashboard.html

@@ -116,6 +116,23 @@ <h3>General</h3>
                 </span>
               </label>
             </div>
+            <div class="settings-group">
+              <h3>Security</h3>
+              <label class="setting-item">
+                <input type="checkbox" id="allowExternalResources">
+                <span class="setting-label">
+                  <strong>Allow external resources</strong>
+                  <small>Allow scripts to load resources from external URLs</small>
+                </span>
+              </label>
+              <label class="setting-item">
+                <input type="checkbox" id="confirmFirstRun">
+                <span class="setting-label">
+                  <strong>Confirm first run</strong>
+                  <small>Ask for confirmation before a script runs on a website for the first time</small>
+                </span>
+              </label>
+            </div>
             <div class="settings-actions">
               <button type="submit" class="btn-primary">Save Settings</button>
               <button type="reset" class="btn-secondary">Reset Defaults</button>

src/dashboard/dashboard.js

@@ -16,6 +16,7 @@ function initDashboard() {
     scriptsTable: document.getElementById("scriptsTable"),
     scriptsList: document.getElementById("scriptsList"),
     emptyState: document.getElementById("emptyState"),
+    settingsForm: document.getElementById("settingsForm"),
     saveSettingsBtn: document.getElementById("saveSettingsBtn"),
     resetSettingsBtn: document.getElementById("resetSettingsBtn"),
     exportAllBtn: document.getElementById("exportAllBtn"),
@@ -32,6 +33,8 @@ function initDashboard() {
       enableAllScripts: document.getElementById("enableAllScripts"),
       showNotifications: document.getElementById("showNotifications"),
       darkMode: document.getElementById("darkMode"),
+      allowExternalResources: document.getElementById("allowExternalResources"),
+      confirmFirstRun: document.getElementById("confirmFirstRun"),
     },
     greasyfork: {
       button: document.getElementById("greasyforkBtn"),
@@ -76,9 +79,10 @@ function setupEventListeners(elements, state) {
     window.location.href = chrome.runtime.getURL("editor/editor.html");
   });
 
-  elements.saveSettingsBtn?.addEventListener("click", () =>
-    saveSettings(elements.settings)
-  );
+  elements.settingsForm?.addEventListener("submit", (e) => {
+    e.preventDefault();
+    saveSettings(elements.settings);
+  });
 
   elements.resetSettingsBtn?.addEventListener("click", () => {
     showNotification("Settings reset to defaults", "success");

src/utils/inject.js

@@ -388,12 +388,144 @@ class ScriptInjector {
     const newScripts = matchingScripts.filter(
       (script) => !tabScripts.has(script.id)
     );
-    for (const script of newScripts) {
-      tabScripts.add(script.id);
-      await this.injectScript(tabId, script, settings);
+
+    if (settings.confirmFirstRun) {
+      const { scriptPermissions = {} } = await chrome.storage.local.get(
+        "scriptPermissions"
+      );
+      const domain = new URL(url).hostname;
+
+      for (const script of newScripts) {
+        const allowedDomains = scriptPermissions[script.id] || [];
+        if (allowedDomains.includes(domain)) {
+          tabScripts.add(script.id);
+          await this.injectScript(tabId, script, settings);
+        } else {
+          const confirmed = await this.askForConfirmation(
+            tabId,
+            script.name,
+            domain
+          );
+          if (confirmed) {
+            allowedDomains.push(domain);
+            scriptPermissions[script.id] = allowedDomains;
+            await chrome.storage.local.set({ scriptPermissions });
+            tabScripts.add(script.id);
+            await this.injectScript(tabId, script, settings);
+          }
+        }
+      }
+    } else {
+      for (const script of newScripts) {
+        tabScripts.add(script.id);
+        await this.injectScript(tabId, script, settings);
+      }
     }
   }
 
+  async askForConfirmation(tabId, scriptName, domain) {
+    const results = await chrome.scripting.executeScript({
+      target: { tabId },
+      world: "MAIN",
+      func: (scriptName, domain) => {
+        return new Promise((resolve) => {
+          const container = document.createElement("div");
+          container.id = "codetweak-confirm-container";
+
+          const shadow = container.attachShadow({ mode: "open" });
+
+          const style = document.createElement("style");
+          style.textContent = `
+            :host {
+              position: fixed;
+              top: 0;
+              left: 0;
+              width: 100%;
+              height: 100%;
+              background-color: rgba(0, 0, 0, 0.5);
+              z-index: 2147483647;
+              display: flex;
+              justify-content: center;
+              align-items: center;
+              font-family: sans-serif;
+            }
+            .modal {
+              background: white;
+              padding: 20px;
+              border-radius: 8px;
+              box-shadow: 0 5px 15px rgba(0, 0, 0, 0.3);
+              width: 400px;
+              max-width: 90%;
+            }
+            h3 {
+              margin-top: 0;
+              color: #333;
+            }
+            p {
+              color: #555;
+            }
+            .buttons {
+              text-align: right;
+              margin-top: 20px;
+            }
+            button {
+              padding: 10px 20px;
+              border: none;
+              border-radius: 5px;
+              cursor: pointer;
+              margin-left: 10px;
+            }
+            #allow-btn {
+              background-color: #28a745;
+              color: white;
+            }
+            #deny-btn {
+              background-color: #dc3545;
+              color: white;
+            }
+          `;
+
+          const modal = document.createElement("div");
+          modal.className = "modal";
+          modal.innerHTML = `
+            <h3>CodeTweak Script Confirmation</h3>
+            <p>Allow "<strong></strong>" to run on <strong></strong>?</p>
+            <div class="buttons">
+              <button id="deny-btn">Deny</button>
+              <button id="allow-btn">Allow</button>
+            </div>
+          `;
+          const strongs = modal.querySelectorAll("strong");
+          strongs[0].textContent = scriptName;
+          strongs[1].textContent = domain;
+
+          shadow.appendChild(style);
+          shadow.appendChild(modal);
+
+          document.body.appendChild(container);
+
+          const cleanup = () => {
+            if (container.parentNode) {
+              container.parentNode.removeChild(container);
+            }
+          };
+
+          shadow.getElementById("allow-btn").addEventListener("click", () => {
+            cleanup();
+            resolve(true);
+          });
+
+          shadow.getElementById("deny-btn").addEventListener("click", () => {
+            cleanup();
+            resolve(false);
+          });
+        });
+      },
+      args: [scriptName, domain],
+    });
+    return results[0].result;
+  }
+
   showNotification(tabId, scriptName) {
     chrome.scripting
       .executeScript({