Simpler and more reliable sendSyncMessage implementation and usage.

hackademix · hackademix · commit 4cf7b231a7d7 · 2020-08-10T23:12:00.000+02:00
diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js
@@ -444,6 +444,10 @@ var RequestGuard = (() => {
             capabilities && !capabilities.has("script"));
         }
         let header = csp.patchHeaders(responseHeaders, capabilities);
+        /*
+        // Uncomment me to disable networking-level CSP for debugging purposes
+        header = null;
+        */
         if (header) {
           pending.cspHeader = header;
           debug(`CSP blocker on %s:`, url, header.value);
diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js
@@ -8,13 +8,17 @@ class DocumentCSP {
 
   apply(capabilities, embedding = CSP.isEmbedType(this.document.contentType)) {
     let {document} = this;
+    if (!capabilities.has("script")) {
+      // safety net for XML (especially SVG) documents and synchronous scripts running
+      // while inserting the CSP <meta> element.
+      document.defaultView.addEventListener("beforescriptexecute", e => {
+        if (!e.isTrusted) return;
+        e.preventDefault();
+        debug("Fallback beforexecutescript listener blocked ", e.target);
+      }, true);
+    }
     if (!(document instanceof HTMLDocument)) {
       // this is not HTML, hence we cannot inject a <meta> CSP
-      if (!capabilities.has("script")) {
-        // safety net for XML (especially SVG) documents
-        document.defaultView.addEventListener("beforescriptexecute",
-          e => e.preventDefault(), true);
-      }
       return false;
     }
     let csp = this.builder;
diff --git a/src/content/staticNS.js b/src/content/staticNS.js
@@ -82,17 +82,6 @@
             error(e, "Could not setup local policy", localPolicy);
           }
         }
-
-        addEventListener("beforescriptexecute", e => {
-          if (!e.isTrusted) return;
-          // safety net for synchronous loads on Firefox
-          if (!this.canScript) {
-            e.preventDefault();
-            let script = e.target;
-            blockedScripts.push(script)
-            log("Some script managed to be inserted in the DOM while fetching policy, blocking it.\n", script);
-          }
-        }, true);
       }
 
       let policy = null;
@@ -125,8 +114,8 @@
       for (;;) {
         try {
           policy = browser.runtime.sendSyncMessage(
-            {id: "fetchPolicy", url, contextUrl: url}, 
-            {callback: setup, canScript: () => ns.canScript});
+            {id: "fetchPolicy", url, contextUrl: url},
+            setup);
           break;
         } catch (e) {
           if (!Messages.isMissingEndpoint(e)) {
diff --git a/src/lib/SyncMessage.js b/src/lib/SyncMessage.js
@@ -21,7 +21,7 @@
           let unsuspend = result => {
             pending.delete(id);
             if (wrapper.unsuspend) {
-              setTimeout(wrapper.unsuspend, 0);
+              wrapper.unsuspend();
             }
             return result;
           }
@@ -31,7 +31,11 @@
             unsuspend();
             throw e;
           }
-          console.debug("sendSyncMessage: returning", result);
+          /*
+          // Uncomment me to add artificial delay for debugging purposes
+          let tmpResult = result;
+          result = new Promise(resolve => setTimeout(() => resolve(tmpResult), 500));
+          */
           return (result instanceof Promise ? result
             : new Promise(resolve => resolve(result))
           ).then(result => unsuspend(result));
@@ -61,14 +65,14 @@
               let wrapper = pending.get(msgId);
               if (!wrapper.unsuspend) {
                 wrapper.unsuspend = resolve;
-                return;
               } else {
                 let {unsuspend} = wrapper;
                 wrapper.unsuspend = () => {
                   unsuspend();
                   resolve();
                 }
               }
+              return;
             }
             resolve();
           }).then(() => ret("go on"))
@@ -201,20 +205,6 @@
     let uuid = () => (Math.random() * Date.now()).toString(16);
     let docUrl = document.URL;
     browser.runtime.sendSyncMessage = (msg, callback) => {
-      // we interrogate the canScript() callback to know whether the caller
-      // wants scripts deferred by sendSyncMessage to be eventually executed:
-      // - undefined -> too soon to tell, suspend
-      // - true -> go on and execute
-      // - false -> block
-      let canScript;
-      if (callback && typeof callback === "object") {
-         ({canScript, callback} = callback);
-      }
-      if (typeof canScript !== "function") {
-        // if no canScript() callback was passed, default to execute scripts
-        canScript = () => true;
-      }
-
       let msgId = `${uuid()},${docUrl}`;
       let url = `${ENDPOINT_PREFIX}id=${encodeURIComponent(msgId)}` +
         `&url=${encodeURIComponent(docUrl)}`;
@@ -225,16 +215,19 @@
       }
 
       if (MOZILLA) {
+
         // In order to cope with inconsistencies in XHR synchronicity,
         // allowing scripts to be executed (especially with synchronous loads
         // or when other extensions manipulate the DOM early) we additionally
         // suspend on beforescriptexecute events
 
         let suspendURL = url + "&suspend=true";
         let suspended = 0;
+        let suspendedId = 0;
         let suspend = () => {
           suspended++;
-          console.debug("Suspended, count:", suspended)
+          let id = suspendedId++;
+          console.debug("sendSyncMessage suspend #%s/%s", id, suspended);
           try {
             let r = new XMLHttpRequest();
             r.open("GET", suspendURL, false);
@@ -243,63 +236,38 @@
             console.error(e);
           }
           suspended--;
-          console.debug("Unsuspended, count: ", suspended);
+          console.debug("sendSyncMessage resume #%s/%s", id, suspended);
         };
 
-        let onBeforeScript = e => {
-          if(typeof canScript() === "undefined") {
-            suspend();
-          }
-          let allowed = canScript();
-          if (typeof allowed === "undefined") {
-            console.error("sendSyncMessage: script unsuspended before canScript() is defined!", e.target);
-          }
-          if (!allowed) {
-            console.debug("sendSyncMessage blocked a script element", e.target);
-            e.preventDefault();
-          }
-        };
 
-        addEventListener("beforescriptexecute", onBeforeScript, true);
+
         let domSuspender = new MutationObserver(records => {
+          console.debug("sendSyncMessage suspending on ", records)
           suspend();
         });
         domSuspender.observe(document.documentElement, {childList: true});
 
 
-
         let finalize = () => {
+          console.debug("sendSyncMessage finalizing");
           domSuspender.disconnect();
-          removeEventListener("beforescriptexecute", onBeforeScript, true);
         };
 
         // on Firefox we first need to send an async message telling the
         // background script about the tab ID, which does not get sent
         // with "privileged" XHR
         let result;
+
         browser.runtime.sendMessage(
           {__syncMessage__: {id: msgId, payload: msg}}
         ).then(r => {
           result = r;
           if (callback) callback(r);
+          finalize();
         }).catch(e => {
           throw e;
         });
 
-
-
-        if (callback) {
-          let realCB = callback;
-          callback = r => {
-            try {
-              realCB(r);
-            } finally {
-              finalize();
-            }
-          };
-          return;
-        }
-
         try {
           suspend();
         } finally {
