[xss] Removed legacy/obsolete exceptions.

Author: hackademix

src/xss/Exceptions.js

@@ -23,13 +23,6 @@
 XSS.Exceptions = (() => {
 
   var Exceptions = {
-    get legacyExceptions() {
-      delete this.legacyExceptions;
-      this.legacyExceptions =
-        Legacy.getRxPref("filterXExceptions",
-          Legacy.RX.multi, "g", /^https?:[a-z:/@.?-]*$/i);
-      return this.legacyExceptions;
-    },
 
     async getWhitelist() {
       return (await Storage.get("sync", "xssWhitelist")).xssWhitelist;
@@ -71,16 +64,6 @@ XSS.Exceptions = (() => {
         debug("Privileged origin", srcOrigin); // DEV_ONLY
       }
 
-      // destination or @source matching legacy regexp
-      if (this.legacyExceptions &&
-          (this.legacyExceptions.test(unescapedDest) &&
-          !this.isBadException(xssReq.destDomain) ||
-          this.legacyExceptions.test("@" + unescape(srcUrl))
-        )) {
-        logEx("Legacy exception", this.legacyExceptions);
-        return true;
-      }
-
       if (!srcOrigin && isGet) {
         if (/^https?:\/\/msdn\.microsoft\.com\/query\/[^<]+$/.test(unescapedDest)) {
           return true; // MSDN from Microsoft VS
@@ -93,20 +76,15 @@ XSS.Exceptions = (() => {
           return true; // any about: URL except about:blank
 
         if (srcOrigin === "https://www.youtube.com" &&
-          /^https:\/\/(?:plus\.googleapis|apis\.google)\.com\/[\w/]+\/widget\/render\/comments\?/.test(destUrl) &&
-          Legacy.getPref("filterXExceptions.yt_comments")
-        ) {
+          /^https:\/\/(?:plus\.googleapis|apis\.google)\.com\/[\w/]+\/widget\/render\/comments\?/.test(destUrl)) {
           logEx("YouTube comments exception");
           return true;
         }
 
         if (isPost) {
 
-          if (srcOrigin === "https://sso.post.ch" && destOrigin === "https://app.swisspost.ch") {
-            return true;
-          }
-
-          if (srcOrigin === "https://twitter.com" && /^https:\/\/.*\.twitter\.com$/.test(destOrigin)) {
+          if (/^https:\/\/(?:twitter|x).com$/.test(srcOrigin) &&
+              /^https:\/\/.*\.(?:twitter|x)\.com$/.test(destOrigin)) {
             return true;
           }
 
@@ -119,88 +97,34 @@ XSS.Exceptions = (() => {
 
           if (/^https?:\/\/csr\.ebay\.(?:\w{2,3}|co\.uk)\/cse\/start\.jsf$/.test(srcUrl) &&
             /^https?:\/\/msa-lfn\.ebay\.(?:\w{2,3}|co\.uk)\/ws\/eBayISAPI\.dll\?[^<'"%]*$/.test(unescapedDest) &&
-            destObj.protocol === srcObj.protocol &&
-            Legacy.getPref("filterXException.ebay")) {
+            destObj.protocol === srcObj.protocol) {
             logEx("Ebay exception");
             return true;
           }
 
-          if (/^https:\/\/(?:cap\.securecode\.com|www\.securesuite\.net|(?:.*?\.)?firstdata\.(?:l[tv]|com))$/.test(srcUrl) &&
-            Legacy.getPref("filterXException.visa")) {
+          if (/^https:\/\/(?:cap\.securecode\.com|www\.securesuite\.net|(?:.*?\.)?firstdata\.com)$/.test(srcUrl)) {
             logEx("Verified by Visa exception");
             return true;
           }
 
-          if (/\.verizon\.com$/.test(srcOrigin) &&
-            /^https:\/\/signin\.verizon\.com\/sso\/authsso\/forumLogin\.jsp$/.test(destUrl) &&
-            Legacy.getPref("filterXExceptions.verizon")) {
-            logEx("Verizon login exception");
-            return true;
-          }
-
           if (/^https?:\/\/mail\.lycos\.com\/lycos\/mail\/MailCompose\.lycos$/.test(srcUrl) &&
-            /\.lycosmail\.lycos\.com$/.test(destOrigin) &&
-            Legacy.getPref("filterXExceptions.lycosmail")) {
+            /\.lycosmail\.lycos\.com$/.test(destOrigin)) {
             logEx("Lycos Mail exception");
             return true;
           }
 
-          if (/\.livejournal\.com$/.test(srcOrigin) &&
-            /^https?:\/\/www\.livejournal\.com\/talkpost_do\.bml$/.test(destUrl) &&
-            Legacy.getPref("filterXExceptions.livejournal")) {
+          if (/^https:.*\.livejournal\.com$/.test(srcOrigin) &&
+            /^https:\/\/www\.livejournal\.com\/talkpost_do\.bml$/.test(destUrl)) {
             logEx("Livejournal comments exception");
             return true;
           }
 
-          if (srcOrigin == "https://ssl.rapidshare.com" &&
-            xssReq.srcDomain == "rapidshare.com") {
-            logEx("Rapidshare upload exception");
-            return true;
-          }
-
-          if (srcOrigin == "http://wm.letitbit.net" &&
-            /^http:\/\/http\.letitbit\.net:81\/cgi-bin\/multi\/upload\.cgi\?/.test(destUrl) &&
-            Legacy.getPref("filterXExceptions.letitibit")
-          ) {
-            logEx("letitbit.net upload exception");
-            return true;
-          }
-
-          if (/\.deviantart\.com$/.test(srcOrigin) &&
-            /^http:\/\/my\.deviantart\.com\/journal\/update\b/.test(destUrl) &&
-            Legacy.getPref("filterXExceptions.deviantart")
-          ) {
-            logEx("deviantart.com journal post exception");
-            return true;
-          }
-
-          if (srcOrigin == "https://www.mymedicare.gov" &&
-            destOrigin == "https://myporal.medicare.gov" &&
-            Legacy.getPref("filterXExceptions.medicare")
-          ) {
-            logEx("mymedicare.gov exception");
-            return true;
-          }
-
-          if (/^https?:\/\/(?:draft|www)\.blogger\.com\/template-editor\.g\?/.test(srcUrl) &&
-            /^https?:\/\/[\w\-]+\.blogspot\.com\/b\/preview\?/.test(destUrl) &&
-            Legacy.getPref("filterXExceptions.blogspot")
+          if (/^https:\/\/(?:draft|www)\.blogger\.com\/template-editor\.g\?/.test(srcUrl) &&
+            /^https:\/\/[\w\-]+\.blogspot\.com\/b\/preview\?/.test(destUrl)
           ) {
             logEx("blogspot.com template preview exception");
             return true;
           }
-
-          if (/^https?:\/\/www\.readability\.com\/articles\/queue$/.test(destUrl) &&
-            Legacy.getPref("filterXExceptions.readability")) {
-            logEx("Readability exception");
-            return true;
-          }
-
-          if (/^https?:\/\/pdf\.printfriendly\.com\/pdfs\/make$/.test(destUrl) &&
-            Legacy.getPref("filterXExceptions.printfriendly")) {
-            logEx("Printfriendly exception");
-            return true;
-          }
         }
       }
     },
@@ -235,11 +159,10 @@ XSS.Exceptions = (() => {
           /^https:\/\/[^\/]+\.googleusercontent\.com\/gadgets\/ifr\?/.test(destUrl) // Google gadgets
         )) {
         skipRx = /#[^#]+$/; // remove receiver's hash
-      } else if (/^https?:\/\/apps\.facebook\.com\//.test(srcUrl) && Legacy.getPref("filterXExceptions.fbconnect")) {
+      } else if (/^https?:\/\/apps\.facebook\.com\//.test(srcUrl)) {
         skipRx = /&invite_url=javascript[^&]+/; // Zynga stuff
       } else if (/^https?:\/\/l\.yimg\.com\/j\/static\/frame\?e=/.test(destUrl) &&
-        /\.yahoo\.com$/.test(srcOrigin) &&
-        Legacy.getPref("filterXExceptions.yahoo")) {
+        /\.yahoo\.com$/.test(srcOrigin)) {
         skipParams = ['e'];
       } else if (/^https?:\/\/wpcomwidgets\.com\/\?/.test(destUrl)) {
         skipParams = ["_data"];