Improved cross-browser and cross-manifest support.

Author: hackademix

build.sh

@@ -10,6 +10,19 @@ BUILD="$BASE/build"
 MANIFEST_IN="$SRC/manifest.json"
 MANIFEST_OUT="$BUILD/manifest.json"
 
+if [ "$1" == "watch" ]; then
+  while :; do
+    $0 -u debug
+    inotifywait -e 'create,modify,move,delete' -r "$SRC"
+  done
+fi
+
+UNPACKED=
+if [ "$1" == '-u' ]; then
+  UNPACKED=1
+  shift
+fi
+
 strip_rc_ver() {
   MANIFEST="$1"
   if [[ "$2" == "rel" ]]; then
@@ -67,7 +80,7 @@ if [[ "$1" == "bump" ]]; then
   echo "Bumping to $VER"
   git add "$MANIFEST_IN"
   git commit -m "Version bump: $VER."
-  if ! [[ $VER == *rc* ]]; then
+  if ! ([[ $VER == *rc* ]] || [[ $VER =~ \.9[0-9][09]$ ]]); then
     # it's a stable release: let's lock nscl and tag
     git submodule update
    "$0" tag
@@ -94,22 +107,15 @@ CHROMIUM_BUILD_CMD="$BUILD_CMD"
 CHROMIUM_BUILD_OPTS="$BUILD_OPTS"
 
 if [[ $VER == *rc* ]]; then
-  sed -re 's/^(\s+)"strict_min_version":.*$/\1"update_url": "https:\/\/secure.informaction.com\/update\/?v='$VER'",\n\0/' \
-    "$MANIFEST_IN" > "$MANIFEST_OUT"
   if [[ "$1" =~ ^sign(ed)?$ ]]; then
     BUILD_CMD="$BASE/../../we-sign"
     BUILD_OPTS=""
   fi
 else
-  grep -v '"update_url":' "$MANIFEST_IN" > "$MANIFEST_OUT"
   if [[ "$1" == "sign" ]]; then
     echo >&2 "WARNING: won't auto-sign a release version, please manually upload to AMO."
   fi
 fi
-if ! grep '"id":' "$MANIFEST_OUT" >/dev/null; then
-  echo >&2 "Cannot build manifest.json"
-  exit 1
-fi
 
 if [ "$1" != "debug" ]; then
   DBG=""
@@ -124,8 +130,10 @@ else
   DBG="-dbg"
 fi
 
-echo "Creating $XPI.xpi..."
-mkdir -p "$XPI_DIR"
+if ! [ "$UNPACKED" ]; then
+  echo "Creating $XPI.xpi..."
+  mkdir -p "$XPI_DIR"
+fi
 
 if which cygpath; then
   WEBEXT_IN="$(cygpath -w "$BUILD")"
@@ -137,55 +145,58 @@ fi
 
 COMMON_BUILD_OPTS="--ignore-files='test/**' 'embargoed/**' content/experiments.js"
 
+fix_manifest() {
+  node manifest.js "$1" "$MANIFEST_IN" "$MANIFEST_OUT"
+}
+
 build() {
-  "$BUILD_CMD" $BUILD_OPTS --source-dir="$WEBEXT_IN" --artifacts-dir="$WEBEXT_OUT" $COMMON_BUILD_OPTS
+  if [ "$1" ]; then
+    UNPACKED_DIR="$BASE/$1"
+    rm -rf "$UNPACKED_DIR"
+    cp -rp "$WEBEXT_IN" "$UNPACKED_DIR" && echo >&2 "Copied $WEBEXT_IN to $UNPACKED_DIR"
+  fi
+  [ "$UNPACKED" ] || \
+    ( "$BUILD_CMD" $BUILD_OPTS --source-dir="$WEBEXT_IN" \
+      --artifacts-dir="$WEBEXT_OUT" $COMMON_BUILD_OPTS  | \
+    grep 'ready: .*\.zip' | sed -re 's/.* ready: //' )
 }
 
-build
+fix_manifest mv2firefox
+build firefox
 
 SIGNED="$XPI_DIR/noscript_security_suite-$VER-an+fx.xpi"
 if [ -f "$SIGNED" ]; then
   mv "$SIGNED" "$XPI.xpi"
 elif [ -f "$XPI.zip" ]; then
-  SIGNED=""
   if unzip -l "$XPI.xpi" | grep "META-INF/mozilla.rsa" >/dev/null 2>&1; then
     echo "A signed $XPI.xpi already exists, not overwriting."
   else
     [[ "$VER" == *rc* ]] && xpicmd="mv" || xpicmd="cp"
     $xpicmd "$XPI.zip" "$XPI$DBG.xpi"
     echo "Created $XPI$DBG.xpi"
   fi
-elif ! [ -f "$XPI.xpi" ]; then
+fi
+if [ -f "$XPI.xpi" ]; then
+  ln -fs "$XPI.xpi" "$BASE/latest.xpi"
+elif ! [ "$UNPACKED" ]; then
   echo >&2 "ERROR: Could not create $XPI$DBG.xpi!"
   exit 3
 fi
-ln -fs "$XPI.xpi" "$BASE/latest.xpi"
 
 # create Chromium pre-release
 
 BUILD_CMD="$CHROMIUM_BUILD_CMD"
 BUILD_OPTS="$CHROMIUM_BUILD_OPTS"
-CHROMIUM_UNPACKED="$BASE/chromium"
-EDGE_UPDATE_URL="https://edge.microsoft.com/extensionwebstorebase/v1/crx"
-rm -rf "$CHROMIUM_UNPACKED"
-strip_rc_ver "$MANIFEST_OUT"
-
-# manifest.json patching for Chromium:
 
-GECKO_PERMS="dns|<all_urls>|webRequestBlocking"
-
-node manifest.js $MANIFEST_OUT
-
-CHROME_ZIP=$(build | grep 'ready: .*\.zip' | sed -re 's/.* ready: //')
-
-if [ -f "$CHROME_ZIP" ]; then
-  node manifest.js mv3 $MANIFEST_OUT && build
-  mv "$CHROME_ZIP" "$XPI$DBG-chrome.zip"
-fi
+fix_manifest mv3edge
+ZIP=$(build edge)
+[ -f "$ZIP" ] && mv "$ZIP" "$XPI$DBG-edge.zip"
 
-mv "$BUILD" "$CHROMIUM_UNPACKED"
+fix_manifest mv3chrome
+ZIP=$(build chromium)
+[ -f "$ZIP" ] &&  mv "$ZIP" "$XPI$DBG-chrome.zip"
 
-if [ "$SIGNED" ]; then
+if [ "$SIGNED" ] && ! [ "$UNPACKED" ]; then
   "$0" tag quiet
   nscl
   ../../we-publish "$XPI.xpi"

manifest.js

@@ -23,27 +23,37 @@
 const fs = require('fs');
 const path = require('path');
 const args = process.argv.slice(2);
-const MANIFEST_VER = /^m?v?[2-3]$/i.test(args[0]) ? args.shift() : "mv3edge";
+const MANIFEST_VER = /^m?v?[2-3]/i.test(args[0]) ? args.shift() : "mv3edge";
 const MANIFEST_SRC = args[0] || "src/manifest.json";
 const MANIFEST_DEST = args[1] || args[0] || "build/manifest.json";
 
-const EDGE_UPDATE_URL = "https://edge.microsoft.com/extensionwebstorebase/v1/crx";
 
 console.log(`${MANIFEST_SRC} --[${MANIFEST_VER}]--> ${MANIFEST_DEST}`);
 
 const srcContent = fs.readFileSync(MANIFEST_SRC, 'utf8');
 const json = JSON.parse(srcContent);
 const permissions = new Set(json.permissions);
 
-if (MANIFEST_VER.includes(3)) {
-  delete json.browser_specific_settings;
-  const {scripts} = json.background;
+const extVer = json.version;
+const FIREFOX_UPDATE_URL = "https://secure.informaction.com/update/?v=" + extVer;
+const EDGE_UPDATE_URL = "https://edge.microsoft.com/extensionwebstorebase/v1/crx";
+
+const isFirefox = MANIFEST_VER.includes("firefox");
+
+if (isFirefox && /rc|\.9\d{2}$/.test(extVer)) {
+  json.browser_specific_settings.update_url = FIREFOX_UPDATE_URL;
+}
 
-  if (scripts) {
+if (MANIFEST_VER.includes(3)) {
+  // MV3
+  json.manifest_version = 3;
+  if (!isFirefox) {
+    delete json.browser_specific_settings;
+    const {scripts} = json.background;
     delete json.background.scripts;
     delete json.background.persistent;
     const requiredPath = path.join(path.dirname(MANIFEST_DEST), "REQUIRED.js");
-    fs.writeFileSync(requiredPath,
+    scripts && fs.writeFileSync(requiredPath,
       `include.REQUIRED = ${JSON.stringify(scripts, null, 2)};`)
   }
 
@@ -53,17 +63,38 @@ if (MANIFEST_VER.includes(3)) {
     delete json.update_url;
   }
 
-  permissions.delete("<all_urls>");
-  permissions.delete("webRequestBlocking");
+  for (const p of [
+    "<all_urls>",
+    "webRequestBlocking",
+    "webRequestBlocking",
+    "webRequestFilterResponse",
+    "webRequestFilterResponse.serviceWorkerScript",
+  ]) {
+    permissions.delete (p);
+  }
 
   const excludedScriptsRx = /\bcontent\/(?:embeddingDocument|dirindex)\.js$/;
   for (const cs of json.content_scripts) {
     cs.js = cs.js.filter(src => !excludedScriptsRx.test(src));
   }
   delete json.browser_action;
   delete json.commands._execute_browser_action
+} else {
+  // MV2
+  json.manifest_version = 2;
+  delete json.background.service_worker;
+  delete json.web_accessible_resources;
+  delete json.host_permissions;
+  delete json.action;
+  for (const p of [
+    "debugger",
+  ]) {
+    permissions.delete(p);
+  }
 }
 
+
+
 // remove developer-only stuff
 permissions.delete("declarativeNetRequestFeedback");
 

src/bg/RequestGuard.js

@@ -18,8 +18,8 @@
  * this program. If not, see <https://www.gnu.org/licenses/>.
  */
 
+"use strict";
 {
-  'use strict';
   const VERSION_LABEL =  `NoScript ${browser.runtime.getManifest().version}`;
   browser.action.setTitle({title: VERSION_LABEL});
   const CSP_MARKER = "report-to noscript-reports";
@@ -648,8 +648,9 @@
   const listeners = {
     onBeforeRequest(request) {
       try {
-        if (browser.runtime?.onSyncMessage.isMessageRequest(request)) return ALLOW;
-
+        if (browser.runtime.onSyncMessage?.isMessageRequest(request)) {
+          return ALLOW;
+        }
         initPendingRequest(request);
 
         let result = checkRequest(request);
@@ -819,6 +820,7 @@
 
   async function injectPolicyScript(details) {
     await ns.initializing;
+    if (ns.local.debug?.disablePolicyInjection) return '';  // DEV_ONLY
     const {url, tabId, frameId} = details;
     const domPolicy = await ns.computeChildPolicy({url}, {tab: {id: tabId}, frameId});
     domPolicy.navigationURL = url;

src/bg/main.js

@@ -20,8 +20,8 @@
 
 // depends on /nscl/service/Scripting.js
 
+"use strict";
 {
-  'use strict';
   {
     for (let event of ["onInstalled", "onUpdateAvailable"]) {
       browser.runtime[event].addListener(async details => {
@@ -442,10 +442,15 @@
         debug("Collected seen", seen); // DEV_ONLY
         return seen;
       } catch (e) {
-        await include("/nscl/common/restricted.js");
-        if (!isRestrictedURL((await browser.tabs.get(tabId)).url)) {
-          // probably a page where content scripts cannot run, let's open the options instead
-          error(e, "Cannot collect noscript activity data");
+        try {
+          const {url} = (await browser.tabs.get(tabId)).url;
+          await include("/nscl/common/restricted.js");
+          if (!isRestrictedURL(url)) {
+            // probably a page where content scripts cannot run, let's open the options instead
+            error(e, `Cannot collect noscript activity data from ${url} (tab ${tabId}!)`); // DEV_ONLY
+          }
+        } catch (e2) {
+          error(e2, `Cannot collect seen / access url on tab ${tabId}!`) // DEV_ONLY
         }
       }
       return null;

src/manifest.json

@@ -5,12 +5,12 @@
   "browser_specific_settings": {
     "gecko": {
       "id":  "{73a6fe31-595d-460b-a920-fcc0f8843232}",
-      "strict_min_version": "666.0",
+      "strict_min_version": "66.0",
       "strict_max_version": "665.0"
     },
     "gecko_android": {}
   },
-  "version": "12.0.8",
+  "version": "12.0.8.901",
   "description": "__MSG_Description__",
   "incognito": "spanning",
 
@@ -32,6 +32,8 @@
       "webNavigation",
       "webRequest",
       "webRequestBlocking",
+      "webRequestFilterResponse",
+      "webRequestFilterResponse.serviceWorkerScript",
       "dns",
       "<all_urls>"
   ],
@@ -141,6 +143,14 @@
     }
   ],
 
+  "web_accessible_resources": [
+    {
+      "resources": [ "/nscl/common/SyncMessage/*" ],
+      "matches": [ "<all_urls>" ]
+    }
+  ],
+
+
   "options_ui": {
     "page": "ui/options.html",
     "open_in_tab": true