Prevent URL leaks from media placeholders (thanks NDevTK for report).

Author: hackademix

src/bg/main.js

@@ -95,7 +95,7 @@
       XSS.stop();
     }
 
-    Messages.addHandler(messageHandler);
+
 
     try {
       await Messages.send("started");
@@ -229,23 +229,20 @@
         type: "panel"
       });
     },
-    async getTheme() {
+    async getTheme(msg, {tab, frameId}) {
+      try {
+        browser.tabs.insertCSS(tab.id, {
+          code: await Themes.getContentCSS(),
+          frameId,
+          runAt: "document_start",
+          matchAboutBlank: true,
+          cssOrigin: "user",
+        });
+      } catch (e) {
+        console.error(e);
+      }
       return (await Themes.isVintage()) ? "vintage" : "";
     },
-    async fetchResource({url}) {
-      url = browser.runtime.getURL(url);
-      const blob = await (await fetch(url)).blob();
-      return new Promise((resolve, reject) => {
-        const reader = new FileReader();
-        reader.onload = e => {
-          resolve(reader.result);
-        };
-        reader.onerror = e => {
-          reject(reader.error);
-        };
-        reader.readAsDataURL(blob);
-      });
-    },
 
     async promptHook(msg, {tabId}) {
       await browser.tabs.executeScript(tabId, {
@@ -262,6 +259,7 @@
       await TabGuard.reloadNormally(tabId);
     }
   };
+  Messages.addHandler(messageHandler);
 
   function onSyncMessage(msg, sender) {
     switch(msg.id) {

src/common/themes.js

@@ -62,6 +62,7 @@
     addEventListener("load", onload, true);
   }
 
+  let contentCSS;
 
   let root = document.documentElement;
   root.classList.add(PARENT_CLASS);
@@ -141,6 +142,43 @@
       return b;
     },
 
+    async getContentCSS() {
+      contentCSS = contentCSS || (async () => {
+        const replaceAsync = async (string, regexp, replacerFunction) => {
+          const replacements = await Promise.all(
+              Array.from(string.matchAll(regexp),
+                  match => replacerFunction(...match)));
+          let i = 0;
+          return string.replace(regexp, () => replacements[i++]);
+        }
+        const fetchAsDataURL = async (url) => {
+          const blob = await (await fetch(browser.runtime.getURL(url))).blob();
+          return new Promise((resolve, reject) => {
+            const reader = new FileReader();
+            reader.onload = e => {
+              resolve(reader.result);
+            };
+            reader.onerror = e => {
+              reject(reader.error);
+            };
+            reader.readAsDataURL(blob);
+          });
+        }
+        const fetchAsText = async (url) => await (await fetch(browser.runtime.getURL(url))).text();
+
+        const themesCSS = (await replaceAsync(await fetchAsText("/common/themes.css"),
+            /(--img-logo:.*url\("?)(.*\.svg)"?/g,
+            async (s, prop, url) => `${prop}"${await fetchAsDataURL(url)}"`
+          ))
+          .replace(/.*\burl\(\.*\/.*\n/g, '')
+          .replace(/\/\*[^]*?\*\//g, '')
+          .replace(/\n+/g, "\n");
+        return (await fetchAsText("/content/content.css"))
+          .replace(/\b(THEMES_START\b.*\n)[^]*(\n.*\bTHEMES_END)\b/g,
+                  `$1${themesCSS}$2`);
+      })();
+      return await contentCSS;
+    }
   };
 
   (async () => {

src/content/content.css

@@ -4,6 +4,15 @@
  * SPDX-License-Identifier: GPL-3.0-or-later
  */
 
+ /* THEMES_START */
+
+/*
+  This section gets replaced at runtime with an extract of /themes/themes.css
+  stripped of all the references to extension URLs.
+*/
+
+ /* THEMES_END */
+
 a.__NoScript_PlaceHolder__ {
   outline: 2px solid --var(--accent-color);
   color: var(--text-color) !important;
@@ -15,7 +24,7 @@ a.__NoScript_PlaceHolder__ {
   cursor: pointer;
   opacity: 0.8;
   z-index: 2147483647 !important;
-  background-image: none;
+  background-image: var(--img-logo);
 }
 
 a.__NoScript_PlaceHolder__.mozilla {

src/manifest.json

@@ -73,15 +73,6 @@
   },
 
   "content_scripts": [
-    {
-       "matches": ["<all_urls>"],
-       "match_about_blank": true,
-       "all_frames": true,
-       "css": [
-         "/common/themes.css",
-         "/content/content.css"
-       ]
-    },
     {
       "run_at": "document_start",
       "matches": ["<all_urls>"],