block all access to iframe (and frame) contentWindow and contentDocument properties, fixes #20
parent
bf76aa542a
commit
f27ef5d4f9
1 changed files with 22 additions and 2 deletions
|
@ -22,6 +22,10 @@
|
||||||
const standardDefinitions = settings.standards;
|
const standardDefinitions = settings.standards;
|
||||||
const hostName = window.location.hostname;
|
const hostName = window.location.hostname;
|
||||||
|
|
||||||
|
if (standardsToBlock.length === 0) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// Its possible that the Web API removal code will block direct references
|
// Its possible that the Web API removal code will block direct references
|
||||||
// to the following methods, so grab references to them before the
|
// to the following methods, so grab references to them before the
|
||||||
// DOM is instrumented (and their references are possibly blocked).
|
// DOM is instrumented (and their references are possibly blocked).
|
||||||
|
@ -190,11 +194,27 @@
|
||||||
// it when we're done, and before the page scripts can start running.
|
// it when we're done, and before the page scripts can start running.
|
||||||
delete window.WEB_API_MANAGER_PAGE;
|
delete window.WEB_API_MANAGER_PAGE;
|
||||||
|
|
||||||
// Last, remove the script tag containing this code from the document,
|
// Next, remove the script tag containing this code from the document,
|
||||||
// so that the structure of the page looks like what the page author
|
// so that the structure of the page looks like what the page author
|
||||||
// expects / intended.
|
// expects / intended.
|
||||||
const scriptTags = getElementsByTagName.call(window.document, "script");
|
const scriptTags = getElementsByTagName.call(window.document, "script");
|
||||||
removeChild.call(scriptTags[0].parentNode, scriptTags[0]);
|
const thisScript = scriptTags[0];
|
||||||
|
removeChild.call(thisScript.parentNode, thisScript);
|
||||||
|
|
||||||
|
// Next, prevent access to frame's contentDocument / contentWindow
|
||||||
|
// properties, to prevent the parent frame from pulling unblocked
|
||||||
|
// references to blocked standards from injected frames.
|
||||||
|
// This will break some sites, but, fingers crossed, its not too much.
|
||||||
|
const frameTypesToModify = [HTMLIFrameElement, HTMLFrameElement];
|
||||||
|
const propertiesToBlock = ["contentDocument", "contentWindow"];
|
||||||
|
|
||||||
|
frameTypesToModify.forEach(function (frameType) {
|
||||||
|
propertiesToBlock.forEach(function (propertyName) {
|
||||||
|
Object.defineProperty(frameType.prototype, propertyName, {
|
||||||
|
get: () => defaultBlockingProxy
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
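Review bot: The `frameTypesToModify` list in the second hunk covers only `HTMLIFrameElement` and `HTMLFrameElement`, so the block is narrower than the comment's stated goal of keeping the parent from reaching uninstrumented references in child frames. `HTMLObjectElement.prototype` exposes the same `contentDocument` / `contentWindow` accessors, and extending the list is a one-line change: `const frameTypesToModify = [HTMLIFrameElement, HTMLFrameElement, HTMLObjectElement];`. Child windows are also reachable without these getters (for example through `window.frames`), which a prototype getter cannot cover, so the comment should state which routes remain open or a follow-up should handle them. Separately, the early `return` added in the first hunk appears to run before the `delete window.WEB_API_MANAGER_PAGE` and script-tag removal shown here; if both hunks sit in the same function (its start is outside the visible lines), that cleanup is skipped whenever `standardsToBlock` is empty, leaving the settings object and the injected tag visible to page scripts.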