mirror of
https://github.com/gorhill/uBlock.git
Use unspoofable Messenger.origin to determine privilege level of ports
Related issue: - https://github.com/uBlockOrigin/uBlock-issues/issues/1992
parent
3154ed1bac
commit
e1e2ba3d5d
@ -824,12 +824,18 @@ browser.browserAction.onClicked.addListener(function(tab) {
|
|||||||
// content scripts. Whether a message can trigger a privileged operation is
|
// content scripts. Whether a message can trigger a privileged operation is
|
||||||
// decided based on whether the port from which a message is received is
|
// decided based on whether the port from which a message is received is
|
||||||
// privileged, which is a status evaluated once, at port connection time.
|
// privileged, which is a status evaluated once, at port connection time.
|
||||||
|
//
|
||||||
|
// https://github.com/uBlockOrigin/uBlock-issues/issues/1992
|
||||||
|
// If present, use MessageSender.origin to determine whether the port is
|
||||||
|
// from a privileged page, otherwise use MessageSender.url.
|
||||||
|
// MessageSender.origin is more reliable as it is not spoofable by a
|
||||||
|
// compromised renderer.
|
||||||
|
|
||||||
vAPI.messaging = {
|
vAPI.messaging = {
|
||||||
ports: new Map(),
|
ports: new Map(),
|
||||||
listeners: new Map(),
|
listeners: new Map(),
|
||||||
defaultHandler: null,
|
defaultHandler: null,
|
||||||
PRIVILEGED_URL: vAPI.getURL(''),
|
PRIVILEGED_ORIGIN: vAPI.getURL('').slice(0, -1),
|
||||||
NOOPFUNC: function(){},
|
NOOPFUNC: function(){},
|
||||||
UNHANDLED: 'vAPI.messaging.notHandled',
|
UNHANDLED: 'vAPI.messaging.notHandled',
|
||||||
|
|
||||||
@ -855,10 +861,12 @@ vAPI.messaging = {
|
|||||||
);
|
);
|
||||||
const portDetails = { port };
|
const portDetails = { port };
|
||||||
const sender = port.sender;
|
const sender = port.sender;
|
||||||
const { tab, url } = sender;
|
const { origin, tab, url } = sender;
|
||||||
portDetails.frameId = sender.frameId;
|
portDetails.frameId = sender.frameId;
|
||||||
portDetails.frameURL = url;
|
portDetails.frameURL = url;
|
||||||
portDetails.privileged = url.startsWith(this.PRIVILEGED_URL);
|
portDetails.privileged =
|
||||||
|
origin !== undefined && origin === this.PRIVILEGED_ORIGIN ||
|
||||||
|
origin === undefined && url.startsWith(this.PRIVILEGED_ORIGIN);
|
||||||
if ( tab ) {
|
if ( tab ) {
|
||||||
portDetails.tabId = tab.id;
|
portDetails.tabId = tab.id;
|
||||||
portDetails.tabURL = tab.url;
|
portDetails.tabURL = tab.url;
|
||||||
|
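Review bot: The fallback branch for `origin === undefined` in the second hunk now tests `url.startsWith(this.PRIVILEGED_ORIGIN)`, and `PRIVILEGED_ORIGIN` has its trailing slash sliced off in the first hunk, so this prefix match no longer ends on an origin boundary the way the replaced `PRIVILEGED_URL` test did. The practical exposure is probably small because extension origins have fixed-format hosts, but the fallback is the path the new comment itself calls less reliable, so it should be no looser than before: `origin === undefined && url.startsWith(this.PRIVILEGED_ORIGIN + '/')`. The `origin !== undefined &&` guard on the first operand is redundant, since `origin === this.PRIVILEGED_ORIGIN` is already false for `undefined`. I would also add a comment on the fallback line, `// Fallback for browsers without MessageSender.origin; url is reported by the renderer and is weaker evidence`, so the remaining trust assumption is visible where the privilege decision is made. The enclosing listener starts and ends outside the hunk.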