Make contextual policies override restriction cascading (tor-browser#43397).

Author: hackademix

src/bg/DNRPolicy.js

@@ -22,8 +22,8 @@
 {
   const DEFAULT_PRIORITY = 1;
   const SITE_PRIORITY = 10;
-  const CTX_PRIORITY = 20;
-  const CASCADE_PRIORITY = 30;
+  const CASCADE_PRIORITY = 20;
+  const CTX_PRIORITY = 30;
   const TAB_PRIORITY = 40;
   const REPORT_PRIORITY = 50;
   const MAX_PRIORITY = 100;
@@ -255,7 +255,7 @@
       return rules;
     }
     const tabPresets = new Map();
-    for({url, id} of tabs) {
+    for(const {url, id} of tabs) {
       const resourceTypes = ResourceTypeFor.block(policy.get(url).perms.capabilities);
       if (!resourceTypes.length) continue;
       const key = JSON.stringify(resourceTypes);

src/bg/RequestGuard.js

@@ -378,13 +378,16 @@
 
       const checked = ret.checks.map((i) => checks[i]._val);
 
+      const wantsContext = checked.includes("ctx")
+
       let { siteMatch, contextMatch, perms } = ns.policy.get(key, contextUrl);
 
-      if (!perms.capabilities.has(policyType)) {
+      if (!perms.capabilities.has(policyType) ||
+          !contextMatch && wantsContext && ctxKey) {
         if (!contextMatch) {
           perms = perms.clone();
           ns.policy.set(key, perms);
-          if (ctxKey && checked.includes("ctx")) {
+          if (ctxKey && wantsContext) {
             perms.contextual.set(ctxKey, perms = perms.clone(/* noContext = */ true));
           }
         }
@@ -494,17 +497,17 @@
     }
   };
 
-  function intersectCapabilities(perms, request) {
+  function intersectCapabilities(policyMatch, request) {
     if (request.frameId !== 0 && ns.sync.cascadeRestrictions) {
       const {tabUrl, frameAncestors} = request;
       const topUrl = tabUrl ||
         frameAncestors && frameAncestors[frameAncestors?.length - 1]?.url ||
         TabCache.get(request.tabId)?.url;
       if (topUrl) {
-        return ns.policy.cascadeRestrictions(perms, topUrl).capabilities;
+        return ns.policy.cascadeRestrictions(policyMatch, topUrl).capabilities;
       }
     }
-    return perms.capabilities;
+    return policyMatch.perms.capabilities;
   }
 
   const ABORT = {cancel: true},
@@ -652,8 +655,8 @@
           .some(tabId => TabStatus.hasOrigin(tabId, documentUrl));
       }
       if (!allowed) {
-        let capabilities = intersectCapabilities(
-          policy.get(url, ns.policyContext(request)).perms,
+        const capabilities = intersectCapabilities(
+          policy.get(url, ns.policyContext(request)),
           request);
         allowed = !policyType || capabilities.has(policyType);
         if (allowed && request._dataUrl && type.endsWith("frame")) {
@@ -762,16 +765,17 @@
       try {
         let capabilities;
         if (ns.isEnforced(tabId)) {
-          let policy = ns.policy;
-          let {perms} = policy.get(url, ns.policyContext(request));
+          const { policy } = ns;
+          const policyMatch = policy.get(url, ns.policyContext(request));
+          let perms = { match: policyMatch };
           if (isMainFrame) {
             const autoPerms = policy.autoAllow(url, perms);
             if (autoPerms) {
               perms = autoPerms;
             }
             capabilities = perms.capabilities;
           } else {
-            capabilities = intersectCapabilities(perms, request);
+            capabilities = intersectCapabilities(policyMatch, request);
           }
         } // else unrestricted, either globally or per-tab
         if (isMainFrame && !TabStatus.map.has(tabId)) {

src/bg/main.js

@@ -340,7 +340,8 @@
 
       let permissions, unrestricted, cascaded;
       if (policy) {
-        let perms = policy.get(url, contextUrl).perms;
+        const policyMatch = policy.get(url, contextUrl);
+        let { perms } = policyMatch;
         if (isTop) {
           const autoPerms = policy.autoAllow(url, perms);
           if (autoPerms) {
@@ -355,7 +356,7 @@
         } else {
           cascaded = topUrl && ns.sync.cascadeRestrictions;
           if (cascaded) {
-            perms = policy.cascadeRestrictions(perms, topUrl);
+            perms = policy.cascadeRestrictions(policyMatch, topUrl);
           }
         }
         permissions = perms.dry();