Better timing for event attributes removal/restore.

hackademix · hackademix · commit fb8fa90cb874 · 2020-08-13T09:27:09.000+02:00
diff --git a/src/content/DocumentCSP.js b/src/content/DocumentCSP.js
@@ -3,6 +3,14 @@ class DocumentCSP {
   constructor(document) {
     this.document = document;
     this.builder = new CapsCSP();
+    this.root = document.documentElement;
+  }
+
+  removeEventAttributes() {
+    console.debug("Removing event attributes"); // DEV_ONLY
+    let {root} = this;
+    this.rootAttrs = [...root.attributes].filter(a => a.name.toLowerCase().startsWith("on"));
+    for (let a of this.rootAttrs) root.removeAttributeNode(a);
   }
 
   apply(capabilities, embedding = CSP.isEmbedType(this.document.contentType)) {
@@ -46,14 +54,19 @@ class DocumentCSP {
       debug(`Failsafe <meta> CSP inserted in %s: "%s"`, document.URL, header.value);
       meta.remove();
       if (!head) parent.remove();
-      for (let a of rootAttrs) {
-        root.setAttributeNodeNS(a);
-      }
     } catch (e) {
       error(e, "Error inserting CSP %s in %s", document.URL, header && header.value);
       return false;
     }
     return true;
   }
 
+  restoreEventAttributes() {
+    if (!this.rootAttrs) return;
+    console.debug("Restoring event attributes"); // DEV_ONLY
+    let {root, rootAttrs} = this;
+    for (let a of rootAttrs) {
+      root.setAttributeNodeNS(a);
+    }
+  }
 }
diff --git a/src/content/staticNS.js b/src/content/staticNS.js
@@ -2,7 +2,8 @@
   'use strict';
   let listenersMap = new Map();
   let backlog = new Set();
-
+  let documentCSP = new DocumentCSP(document);
+  documentCSP.removeEventAttributes();
   let ns = {
     debug: true, // DEV_ONLY
     get embeddingDocument() {
@@ -94,6 +95,7 @@
         this.setup(policy);
         if (syncLoad && !localPolicy) {
           sessionStorage.setItem(localPolicyKey, JSON.stringify(policy));
+          location.reload(false);
           return;
         }
       }
@@ -129,9 +131,9 @@
       } else {
         let perms = policy.permissions;
         this.capabilities = new Set(perms.capabilities);
-        new DocumentCSP(document).apply(this.capabilities, this.embeddingDocument);
+        documentCSP.apply(this.capabilities, this.embeddingDocument);
       }
-
+      documentCSP.restoreEventAttributes();
       this.canScript = this.allows("script");
       this.fire("capabilities");
     },
