chore(goto): better autoconsent setup (#712)

* chore(goto): better autoconsent setup

* fix(goto): catch eval errors in autoconsent handler

`page.evaluate(message.code)` can throw (runtime errors, navigation
during evaluation, invalid code) but had no try/catch, so sendMessage
was never called and autoconsent never received the evalResp — stalling
the consent-detection flow.  Fall back to `result: false` on failure,
matching the defensive `.catch(() => {})` pattern already used by
sendMessage.

Made-with: Cursor

* fix(goto): restrict autoconsent eval to main frame via nonce

page.exposeFunction propagates bindings to every frame, including
cross-origin iframes.  A malicious iframe could call
autoconsentSendMessage({type:'eval', code:'…'}) and page.evaluate
would execute that code in the main frame's context, bypassing the
Same-Origin Policy (same pattern as the DuckDuckGo Android UXSS,
CVSS 8.6).

Generate a per-page random nonce and wrap the binding in the top frame
only (window.self === window.top) so every legitimate message carries
it.  Child frames keep the raw CDP binding which lacks the nonce, so
their messages are silently rejected by the handler.

Made-with: Cursor

* fix: timeout setup

Author: Kikobeats

packages/goto/src/adblock.js

@@ -1,6 +1,8 @@
 'use strict'
 
 const { PuppeteerBlocker } = require('@ghostery/adblocker-puppeteer')
+const { randomUUID } = require('crypto')
+const pTimeout = require('p-timeout')
 const fs = require('fs/promises')
 const path = require('path')
 
@@ -53,6 +55,10 @@ const autoconsentConfig = Object.freeze({
   enablePrehide: true,
   /* apply CSS-only rules that hide popups lacking a reject button */
   enableCosmeticRules: true,
+  /* enable rules auto-generated from common CMP patterns */
+  enableGeneratedRules: true,
+  /* fall back to heuristic click when no specific rule matches */
+  enableHeuristicAction: true,
   /* skip bundled ABP/uBO cosmetic filter list (saves bundle size) */
   enableFilterList: false,
   /* how many times to retry CMP detection (~50 ms apart) */
@@ -80,29 +86,44 @@ const sendMessage = (page, message) =>
     }, message)
     .catch(() => {})
 
-const setupAutoConsent = async page => {
+const setupAutoConsent = async (page, timeout) => {
   if (page._autoconsentSetup) return
   const autoconsentPlaywrightScript = await getAutoconsentPlaywrightScript()
+  const nonce = randomUUID()
 
   await page.exposeFunction('autoconsentSendMessage', async message => {
     if (!message || typeof message !== 'object') return
+    if (message.__nonce !== nonce) return
 
     if (message.type === 'init') {
       return sendMessage(page, { type: 'initResp', config: autoconsentConfig })
     }
 
     if (message.type === 'eval') {
-      return sendMessage(page, { type: 'evalResp', id: message.id, result: false })
+      let result = false
+      try {
+        result = await pTimeout(page.evaluate(message.code), timeout)
+      } catch {}
+      return sendMessage(page, { type: 'evalResp', id: message.id, result })
     }
   })
 
+  /* Wrap the binding in the top frame so every outgoing message carries the
+     nonce.  Child frames (including cross-origin iframes) keep the raw CDP
+     binding which lacks the nonce, so their messages are silently rejected. */
+  await page.evaluateOnNewDocument(n => {
+    if (window.self !== window.top) return
+    const raw = window.autoconsentSendMessage
+    if (raw) window.autoconsentSendMessage = msg => raw({ ...msg, __nonce: n })
+  }, nonce)
+
   await page.evaluateOnNewDocument(autoconsentPlaywrightScript)
   page._autoconsentSetup = true
 }
 
 const runAutoConsent = async page => page.evaluate(await getAutoconsentPlaywrightScript())
 
-const enableBlockingInPage = (page, run, actionTimeout) => {
+const enableBlockingInPage = (page, run, timeout) => {
   page.disableAdblock = () =>
     getEngine()
       .then(engine => engine.disableBlockingInPage(page, { keepRequestInterception: true }))
@@ -111,13 +132,13 @@ const enableBlockingInPage = (page, run, actionTimeout) => {
 
   return [
     run({
-      fn: setupAutoConsent(page),
-      timeout: actionTimeout,
+      fn: setupAutoConsent(page, timeout),
+      timeout,
       debug: 'autoconsent:setup'
     }),
     run({
       fn: getEngine().then(engine => engine.enableBlockingInPage(page)),
-      timeout: actionTimeout,
+      timeout,
       debug: 'adblock'
     })
   ]

packages/goto/test/unit/adblock/index.js

@@ -81,6 +81,119 @@ test('skip autoconsent setup when `adblock` is false', async t => {
   t.false(calls.includes('autoconsentSendMessage'))
 })
 
+test('autoconsent eval that throws still sends evalResp with result false', async t => {
+  const browserless = await getBrowserContext(t)
+  const url = await getUrl(t)
+
+  const run = browserless.withPage((page, goto) => async () => {
+    await goto(page, { url })
+
+    return page.evaluate(() => {
+      return new Promise(resolve => {
+        const timeout = setTimeout(() => resolve(null), 3000)
+        window.autoconsentReceiveMessage = msg => {
+          if (msg.type === 'evalResp' && msg.id === 'test-throw') {
+            clearTimeout(timeout)
+            resolve(msg)
+          }
+        }
+        window
+          .autoconsentSendMessage({
+            type: 'eval',
+            id: 'test-throw',
+            code: '(() => { throw new Error("boom") })()'
+          })
+          .catch(() => {})
+      })
+    })
+  })
+
+  const received = await run()
+  t.truthy(received, 'evalResp should be received even when eval code throws')
+  t.is(received.type, 'evalResp')
+  t.is(received.id, 'test-throw')
+  t.is(received.result, false)
+})
+
+test('autoconsent eval that hangs is timed out', async t => {
+  const browserless = await getBrowserContext(t)
+  const url = await getUrl(t)
+
+  const run = browserless.withPage((page, goto) => async () => {
+    await goto(page, { url })
+
+    return page.evaluate(() => {
+      return new Promise(resolve => {
+        const timeout = setTimeout(() => resolve(null), 10000)
+        window.autoconsentReceiveMessage = msg => {
+          if (msg.type === 'evalResp' && msg.id === 'test-hang') {
+            clearTimeout(timeout)
+            resolve(msg)
+          }
+        }
+        window
+          .autoconsentSendMessage({
+            type: 'eval',
+            id: 'test-hang',
+            code: 'new Promise(() => {})'
+          })
+          .catch(() => {})
+      })
+    })
+  })
+
+  const received = await run()
+  t.truthy(received, 'evalResp should be received even when eval code hangs')
+  t.is(received.type, 'evalResp')
+  t.is(received.id, 'test-hang')
+  t.is(received.result, false)
+})
+
+test('eval triggered from child frame is rejected', async t => {
+  const browserless = await getBrowserContext(t)
+
+  const url = await runServer(t, ({ req, res }) => {
+    res.setHeader('content-type', 'text/html')
+    if (req.url === '/frame') {
+      return res.end('<html><body></body></html>')
+    }
+    res.end('<html><body><iframe src="/frame"></iframe></body></html>')
+  })
+
+  const run = browserless.withPage((page, goto) => async () => {
+    await goto(page, { url, waitUntil: 'load' })
+
+    const iframeEl = await page.waitForSelector('iframe')
+    const iframe = await iframeEl.contentFrame()
+
+    await page.evaluate(() => {
+      window.__iframeEval = false
+    })
+
+    const hasBinding = await iframe
+      .evaluate(() => typeof window.autoconsentSendMessage === 'function')
+      .catch(() => false)
+
+    if (!hasBinding) return false
+
+    await iframe.evaluate(() => {
+      window
+        .autoconsentSendMessage({
+          type: 'eval',
+          id: 'frame-eval',
+          code: 'window.__iframeEval = true'
+        })
+        .catch(() => {})
+    })
+
+    await new Promise(resolve => setTimeout(resolve, 1000))
+    return page.evaluate(() => window.__iframeEval)
+  })
+
+  const result = await run()
+  t.is(result, false, 'eval from child frame must not execute in main frame')
+})
+
 test('`disableAdblock` removes blocker listeners and keeps request interception enabled', async t => {
   const browserless = await getBrowserContext(t)
   const url = await getUrl(t)