Prevent ANY redirection to data: URIs in documents.

hackademix · hackademix · commit 5aff2e1d83cb · 2020-03-18T22:51:07.000+01:00
diff --git a/src/bg/ReportingCSP.js b/src/bg/ReportingCSP.js
@@ -35,11 +35,11 @@ function ReportingCSP(reportURI, reportGroup) {
               h.name === REPORT_TO.name && h.value === REPORT_TO.value) {
             needsReportTo = false;
           } else if (blocker && /^(Location|Refresh)$/i.test(h.name)) {
+            // neutralize any HTTP redirection to data: URLs, like Chromium
             let  url = /^R/i.test(h.name)
               ? h.value.replace(/^[^,;]*[,;]url[^\w=]*=\s*/i, "") : h.value;
-            let patched = CSP.patchDataURI(url, blocker);
-            if (patched !== url) {
-              h.value = h.value.slice(0, -url.length) + patched;
+            if (/^data:/i.test(url)) {
+              h.value = h.value.slice(0, -url.length) + "data:";
             }
           }
         }
diff --git a/src/content/content.js b/src/content/content.js
@@ -114,3 +114,14 @@ ns.on("capabilities", () => {
 
 ns.fetchPolicy();
 notifyPage();
+
+addEventListener("DOMContentLoaded", e => {
+  if (ns.canScript) return;
+  for (let m of document.querySelectorAll("meta[http-equiv=refresh]")) {
+    if (/^[^,;]*[,;]url[^\w=]*=\s*data:/.test(m.getAttribute("content"))) {
+      let url = m.getAttribute("content").replace(/.*?(?=data:)/, "");
+      log(`Blocking refresh to ${url}`);
+      window.stop();
+    }
+  }
+});
diff --git a/src/lib/CSP.js b/src/lib/CSP.js
@@ -22,7 +22,7 @@ class CSP {
 CSP.isEmbedType = type => /\b(?:application|video|audio)\b/.test(type) && type !== "application/xhtml+xml";
 CSP.headerName = "content-security-policy";
 CSP.patchDataURI = (uri, blocker) => {
-  let parts = /^data:(?:[^,;]*ml)(;[^,]*)?,/i.exec(uri);
+  let parts = /^data:(?:[^,;]*ml|unknown-content-type)(;[^,]*)?,/i.exec(uri);
   if (!(blocker && parts)) {
     // not an interesting data: URI, return as it is
     return uri;
@@ -33,6 +33,6 @@ CSP.patchDataURI = (uri, blocker) => {
   }
   // It's a HTML/XML page, let's prepend our CSP blocker to the document
   let patch = parts[0] + encodeURIComponent(
-    `<meta http-equiv="${CSP.headerName}" content="${blocker}">`);
+    `<meta http-equiv="${CSP.headerName}" content="${blocker}"/>`);
   return uri.startsWith(patch) ? uri : patch + uri.substring(parts[0].length);
 }

Original file line number	Diff line number	Diff line change
`@@ -35,11 +35,11 @@ function ReportingCSP(reportURI, reportGroup) {`
`35`	`35`	`h.name === REPORT_TO.name && h.value === REPORT_TO.value) {`
`36`	`36`	`needsReportTo = false;`
`37`	`37`	`} else if (blocker && /^(Location\|Refresh)$/i.test(h.name)) {`
	`38`	`+ // neutralize any HTTP redirection to data: URLs, like Chromium`
`38`	`39`	`let url = /^R/i.test(h.name)`
`39`	`40`	`? h.value.replace(/^[^,;][,;]url[^\w=]=\s*/i, "") : h.value;`
`40`		`- let patched = CSP.patchDataURI(url, blocker);`
`41`		`- if (patched !== url) {`
`42`		`- h.value = h.value.slice(0, -url.length) + patched;`
	`41`	`+ if (/^data:/i.test(url)) {`
	`42`	`+ h.value = h.value.slice(0, -url.length) + "data:";`
`43`	`43`	`}`
`44`	`44`	`}`
`45`	`45`	`}`