Refactor top-level auto-trust and make it contextual (issue #417).

hackademix · hackademix · commit 8bf63c3e0cdd · 2025-04-21T15:41:27.000+02:00
diff --git a/src/bg/DNRPolicy.js b/src/bg/DNRPolicy.js
@@ -311,8 +311,7 @@
         if (!url || Sites.isInternal(url)) continue;
         const perms = policy.get(url).perms;
         console.debug("DNRPolicy autoAllow check", tab, perms, perms === policy.DEFAULT);
-        if (perms === policy.DEFAULT || (isStartup && perms.temp)) {
-          policy.set(Sites.optimalKey(url), policy.TRUSTED.tempTwin);
+        if (policy.autoAllow(url, perms, (isStartup && perms.temp))) {
           updated.push(tab);
         }
       }
diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js
@@ -352,7 +352,7 @@
       let {capabilities} = perms;
       if (!capabilities.has(policyType)) {
         let temp = sender.tab.incognito; // we don't want to store in PBM
-        perms = new Permissions(new Set(capabilities), temp);
+        perms = new Permissions(capabilities, temp);
         perms.capabilities.add(policyType);
         /* TODO: handle contextual permissions
         if (contextUrl) {
@@ -736,8 +736,9 @@
           let policy = ns.policy;
           let {perms} = policy.get(url, ns.policyContext(request));
           if (isMainFrame) {
-            if (policy.autoAllowTop && perms === policy.DEFAULT) {
-              policy.set(Sites.optimalKey(url), perms = policy.TRUSTED.tempTwin);
+            const autoPerms = policy.autoAllow(url, perms);
+            if (autoPerms) {
+              perms = autoPerms;
             }
             capabilities = perms.capabilities;
           } else {
diff --git a/src/bg/main.js b/src/bg/main.js
@@ -342,13 +342,14 @@
       if (policy) {
         let perms = policy.get(url, contextUrl).perms;
         if (isTop) {
-          if (policy.autoAllowTop && perms === policy.DEFAULT) {
-            policy.set(Sites.optimalKey(url), perms = policy.TRUSTED.tempTwin);
+          const autoPerms = policy.autoAllow(url, perms);
+          if (autoPerms) {
+            perms = autoPerms;
             await Promise.allSettled([
               RequestGuard.DNRPolicy?.update(),
               session.save(),
             ]);
-            const dnrRules = (await browser.declarativeNetRequest.getSessionRules()).filter(r => r?.action?.type == "allow"); // DEV_ONLY
+            const dnrRules = (await browser.declarativeNetRequest?.getSessionRules())?.filter(r => r?.action?.type == "allow"); // DEV_ONLY
             debug(`Auto-trusted ${Sites.optimalKey(url)}`,  dnrRules); // DEV_ONLY
           }
         } else {
diff --git a/src/nscl b/src/nscl
@@ -1 +1 @@
-Subproject commit f0d56909b9bb7346fee47a4f67395118d9318e91
+Subproject commit 9ea6a80241bc33002ce872e74f577716235833b4

Original file line number	Diff line number	Diff line change
`@@ -311,8 +311,7 @@`
`311`	`311`	`if (!url \|\| Sites.isInternal(url)) continue;`
`312`	`312`	`const perms = policy.get(url).perms;`
`313`	`313`	`console.debug("DNRPolicy autoAllow check", tab, perms, perms === policy.DEFAULT);`
`314`		`- if (perms === policy.DEFAULT \|\| (isStartup && perms.temp)) {`
`315`		`- policy.set(Sites.optimalKey(url), policy.TRUSTED.tempTwin);`
	`314`	`+ if (policy.autoAllow(url, perms, (isStartup && perms.temp))) {`
`316`	`315`	`updated.push(tab);`
`317`	`316`	`}`
`318`	`317`	`}`