this fixes gorhill#35

Author: gorhill

background.html

@@ -22,7 +22,7 @@
 <script src="js/storage.js"></script>
 <script src="js/tab.js"></script>
 <script src="js/traffic.js"></script>
-<script src="js/utils.js"></script>
+<script src="js/contextmenu.js"></script>
 <script src="js/start.js"></script>
 </body>
 </html>

js/contextmenu.js

@@ -0,0 +1,96 @@
+/*******************************************************************************
+
+    httpswitchboard - a Chromium browser extension to black/white list requests.
+    Copyright (C) 2013  Raymond Hill
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see {http://www.gnu.org/licenses/}.
+
+    Home: https://github.com/gorhill/httpswitchboard
+*/
+
+/******************************************************************************/
+
+chrome.contextMenus.create({
+    type: 'normal',
+    id: 'gdt-group0',
+    title: 'Temporarily whitelist ...',
+    documentUrlPatterns: ['http://*/*', 'https://*/*']
+    },
+    function(){}
+);
+
+chrome.contextMenus.create({
+    type: 'normal',
+    id: 'revertPermissions',
+    title: 'Remove all temporary permissions',
+    documentUrlPatterns: ['http://*/*', 'https://*/*']
+    },
+    function(){}
+);
+
+function contextMenuClickHandler(info, tab) {
+    // "If the click did not take place in a tab,
+    // "this parameter will be missing"
+    if ( !tab ) {
+        return;
+    }
+
+    var pageURL = uriTools.normalizeURI(tab.url);
+    var pageDomain = uriTools.domainFromURI(pageURL);
+
+    if ( !pageDomain ) {
+        return;
+    }
+
+    switch ( info.menuItemId ) {
+        case 'gdt-group0':
+            HTTPSB.whitelistTemporarily(pageURL, '*', pageDomain);
+            smartReloadTab(tab.id);
+            break;
+
+        case 'revertPermissions':
+            HTTPSB.revertPermissions();
+            smartReloadTabs();
+            break;
+    }
+}
+
+chrome.contextMenus.onClicked.addListener(contextMenuClickHandler);
+
+/******************************************************************************/
+
+function updateContextMenuHandler(tabs) {
+    if ( !tabs.length ) {
+        return;
+    }
+    var tab = tabs[0];
+    if ( !tab.url || !tab.url.length ) {
+        return;
+    }
+    var pageUrl = uriTools.normalizeURI(tab.url);
+    var pageDomain = uriTools.domainFromURI(pageUrl);
+    var color = HTTPSB.evaluate(pageUrl, '*', pageDomain);
+    chrome.contextMenus.update('gdt-group0', {
+        title: 'Temporarily whitelist *.' + pageDomain,
+        enabled: color.charAt(0) !== 'g' && !HTTPSB.off
+    });
+    chrome.contextMenus.update('revertPermissions', {
+        enabled: !HTTPSB.off
+    });
+}
+
+function updateContextMenu() {
+    chrome.tabs.query({ active: true }, updateContextMenuHandler);
+}
+

js/inject.js

@@ -29,8 +29,6 @@ if ( window.location.href.match(/^https?:\/\//) ) {
 // This must be last, so that result is returned to extension.
 // This is used so that inline script tags and preemptively blocked scripts
 // (which won't generate web requests) are logged in the stats.
-// TODO: Do same with <object>, <embed>, they are currently underreported
-// when preemptively blocked.
 (function() {
     var r = {
         pageUrl: window.location.href,

js/start.js

@@ -35,6 +35,16 @@ chrome.contentSettings.plugins.clear({});
 // For privacy reasons, ensure all exceptions are removed from settings.
 chrome.contentSettings.javascript.clear({});
 
+// rhill 2013-12-05: now we allow all by default, and insert a
+// `Content-Policy-Directive` header to disable inline javascript.
+// External javascript will still be blocked the old way, by preventing the
+// resource from being fetched.
+//   https://github.com/gorhill/httpswitchboard/issues/35
+chrome.contentSettings.javascript.set({
+    primaryPattern: '*://*/*',
+    setting: 'allow'
+});
+
 /******************************************************************************/
 
 function injectedCodeCallback(r) {
@@ -166,7 +176,10 @@ function onBeforeNavigateCallback(details) {
         return;
     }
     var hostname = uriTools.hostnameFromURI(details.url);
-    setJavascript(hostname, HTTPSB.whitelisted(details.url, 'script', hostname));
+
+    // No longer needed, but I will just comment out for now.
+    //   https://github.com/gorhill/httpswitchboard/issues/35
+    // setJavascript(hostname, HTTPSB.whitelisted(details.url, 'script', hostname));
 }
 
 chrome.webNavigation.onBeforeNavigate.addListener(onBeforeNavigateCallback);
@@ -227,78 +240,3 @@ function onDisconnectHandler() {
 
 chrome.extension.onConnect.addListener(onConnectHandler);
 
-/******************************************************************************/
-
-chrome.contextMenus.create({
-    type: 'normal',
-    id: 'gdt-group0',
-    title: 'Temporarily whitelist ...',
-    documentUrlPatterns: ['http://*/*', 'https://*/*']
-    },
-    function(){}
-);
-
-chrome.contextMenus.create({
-    type: 'normal',
-    id: 'revertPermissions',
-    title: 'Remove all temporary permissions',
-    documentUrlPatterns: ['http://*/*', 'https://*/*']
-    },
-    function(){}
-);
-
-function contextMenuClickHandler(info, tab) {
-    // "If the click did not take place in a tab,
-    // "this parameter will be missing"
-    if ( !tab ) {
-        return;
-    }
-
-    var pageURL = uriTools.normalizeURI(tab.url);
-    var pageDomain = uriTools.domainFromURI(pageURL);
-
-    if ( !pageDomain ) {
-        return;
-    }
-
-    switch ( info.menuItemId ) {
-        case 'gdt-group0':
-            HTTPSB.whitelistTemporarily(pageURL, '*', pageDomain);
-            smartReloadTab(tab.id);
-            break;
-
-        case 'revertPermissions':
-            HTTPSB.revertPermissions();
-            smartReloadTabs();
-            break;
-    }
-}
-
-chrome.contextMenus.onClicked.addListener(contextMenuClickHandler);
-
-/******************************************************************************/
-
-function updateContextMenuHandler(tabs) {
-    if ( !tabs.length ) {
-        return;
-    }
-    var tab = tabs[0];
-    if ( !tab.url || !tab.url.length ) {
-        return;
-    }
-    var pageUrl = uriTools.normalizeURI(tab.url);
-    var pageDomain = uriTools.domainFromURI(pageUrl);
-    var color = HTTPSB.evaluate(pageUrl, '*', pageDomain);
-    chrome.contextMenus.update('gdt-group0', {
-        title: 'Temporarily whitelist *.' + pageDomain,
-        enabled: color.charAt(0) !== 'g' && !HTTPSB.off
-    });
-    chrome.contextMenus.update('revertPermissions', {
-        enabled: !HTTPSB.off
-    });
-}
-
-function updateContextMenu() {
-    chrome.tabs.query({ active: true }, updateContextMenuHandler);
-}
-

js/tab.js

@@ -510,8 +510,8 @@ function createPageStats(pageUrl) {
 
 // Create an entry for the tab if it doesn't exist
 
-function bindTabToPageStats(tabId, pageUrl) {
-    var pageStats = createPageStats(pageUrl);
+function bindTabToPageStats(tabId, pageURL) {
+    var pageStats = createPageStats(pageURL);
     if ( !pageStats ) {
         return undefined;
     }
@@ -522,8 +522,8 @@ function bindTabToPageStats(tabId, pageUrl) {
     // https://github.com/gorhill/httpswitchboard/issues/67
     if ( tabId !== HTTPSB.behindTheSceneTabId ) {
         unbindTabFromPageStats(tabId);
-        HTTPSB.pageUrlToTabId[pageUrl] = tabId;
-        HTTPSB.tabIdToPageUrl[tabId] = pageUrl;
+        HTTPSB.pageUrlToTabId[pageURL] = tabId;
+        HTTPSB.tabIdToPageUrl[tabId] = pageURL;
     }
 
     return pageStats;
@@ -609,8 +609,10 @@ function smartReloadTab(tabId) {
     if ( getStateHash(newState) != getStateHash(pageStats.state) ) {
         // Appears to help.
         //   https://github.com/gorhill/httpswitchboard/issues/35
-        var hostname = uriTools.hostnameFromURI(pageUrl);
-        setJavascript(hostname, HTTPSB.whitelisted(pageUrl, 'script', hostname));
+        // No longer needed, but I will just comment out for now.
+        //   https://github.com/gorhill/httpswitchboard/issues/35
+        // var hostname = uriTools.hostnameFromURI(pageUrl);
+        // setJavascript(hostname, HTTPSB.whitelisted(pageUrl, 'script', hostname));
         // console.debug('reloaded content of tab id %d', tabId);
         // console.debug('old="%s"\nnew="%s"', getStateHash(pageStats.state), getStateHash(newState));
         pageStats.state = newState;

js/traffic.js

@@ -180,13 +180,14 @@ function beforeRequestHandler(details) {
         }
     }
 
-    // quickProfiler.stop('beforeRequestHandler | evaluate&record');
-
     // If it is a frame and scripts are blacklisted for the
     // hostname, disable scripts for this hostname, necessary since inline
     // script tags are not passed through web request handler.
     if ( isMainFrame ) {
-        setJavascript(hostname, httpsb.whitelisted(pageURL, 'script', hostname));
+        // No longer needed, but I will just comment out for now.
+        //   https://github.com/gorhill/httpswitchboard/issues/35
+        // setJavascript(hostname, httpsb.whitelisted(pageURL, 'script', hostname));
+
         // when the tab is updated, we will check if page has at least one
         // script tag, this takes care of inline scripting, which doesn't
         // generate 'script' type web requests.
@@ -195,6 +196,8 @@ function beforeRequestHandler(details) {
     // Collect global stats
     httpsb.requestStats.record(type, block);
 
+    // quickProfiler.stop('beforeRequestHandler | evaluate&record');
+
     // whitelisted?
     if ( !block ) {
         // console.debug('beforeRequestHandler > allowing %s from %s', type, hostname);
@@ -281,6 +284,50 @@ function beforeSendHeadersHandler(details) {
 
 /******************************************************************************/
 
+// To prevent inline javascript from being executed.
+
+// Prevent inline scripting using `Content-Security-Policy`:
+// https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
+
+// This fixes:
+// https://github.com/gorhill/httpswitchboard/issues/35
+
+function headersReceivedHandler(details) {
+
+    // Ignore anything which is not top frame
+    var type = details.type;
+    if ( type !== 'main_frame' && type !== 'sub_frame' ) {
+        return;
+    }
+
+    // Ignore traffic outside tabs
+    var tabId = details.tabId;
+    if ( tabId < 0 ) {
+        return;
+    }
+
+    var pageStats = pageStatsFromTabId(tabId);
+    // Can happen I suppose...
+    if ( !pageStats ) {
+        return;
+    }
+
+    // Evaluate according to scope
+    var pageURL = pageUrlFromPageStats(pageStats);
+    var hostname = uriTools.hostnameFromURI(details.url);
+    var noScript = HTTPSB.blacklisted(pageURL, 'script', hostname);
+    if ( !noScript ) {
+        return;
+    }
+
+    // If javascript not allowed, say so through a `Content-Security-Policy`
+    // directive.
+    details.responseHeaders.push({ 'name': 'Content-Security-Policy', 'value': "script-src 'none'" });
+    return { responseHeaders: details.responseHeaders };
+}
+
+/******************************************************************************/
+
 var webRequestHandlerRequirements = {
     'tabsBound': 0,
     'listsLoaded': 0
@@ -328,4 +375,15 @@ function startWebRequestHandler(from) {
         },
         ['blocking', 'requestHeaders']
     );
+
+    chrome.webRequest.onHeadersReceived.addListener(
+        headersReceivedHandler,
+        {
+            'urls': [
+                "http://*/*",
+                "https://*/*"
+            ]
+        },
+        ['blocking', 'responseHeaders']
+    );
 }

js/utils.js

@@ -23,6 +23,7 @@
 
 // Enable/disable javascript for a specific hostname.
 
+/*
 function setJavascriptCallback(windows, hostname, setting) {
     // Need to do this to avoid "You cannot set a preference with scope
     // 'incognito_session_only' when no incognito window is open."
@@ -54,4 +55,4 @@ function setJavascript(hostname, state) {
         setJavascriptCallback(windows, hostname, setting);
     });
 }
-
+*/

manifest.json

@@ -1,7 +1,7 @@
 {
     "manifest_version": 2,
     "name": "__MSG_extName__",
-    "version": "0.6.3",
+    "version": "0.6.4",
     "description": "__MSG_extShortDesc__",
     "icons": {
         "16": "icon_16.png",