Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement per-origin noscript #97

Merged
merged 3 commits into from May 23, 2018
Merged

Implement per-origin noscript #97

merged 3 commits into from May 23, 2018

Conversation

@yrliou
Copy link
Member

yrliou commented May 2, 2018

Fix brave/brave-browser#6
Support per-tab per-origin noScript settings which will be cleared when navigating away.
See also: brave/brave-extension/pull/21

Submitter Checklist:

  • Submitted a ticket for my issue if one did not already exist.
  • Used Github auto-closing keywords in the commit message.
  • Added/updated tests for this change (for new code or code which already has tests).
  • Ran git rebase -i to squash commits (if needed).
  • Tagged reviewers and labelled the pull request as needed.
  • Request a security/privacy review as needed.

Test Plan:

An automated browser test is added for this feature.

Reviewer Checklist:

  • New files have MPL-2.0 license header.
  • Request a security/privacy review as needed.
  • Adequate test coverage exists to prevent regressions
@yrliou yrliou self-assigned this May 3, 2018
@yrliou yrliou force-pushed the noscript branch 2 times, most recently from eee42b2 to 300dda7 May 4, 2018
@yrliou yrliou changed the title [WIP] Implement per-origin noscript Implement per-origin noscript May 8, 2018
@yrliou yrliou mentioned this pull request May 8, 2018
@yrliou
Copy link
Member Author

yrliou commented May 8, 2018

Built on Mac, will make sure other platforms built before merging.

@yrliou yrliou requested a review from bbondy May 8, 2018
@yrliou
Copy link
Member Author

yrliou commented May 8, 2018

Please leave this PR for me to merge since I would like to include extension DEPS update commit in this PR when everything is reviewed and ready to merged.

Copy link
Member

bbondy left a comment

I think we can ship initially with the UI as is but ideally we'll one day modify this:
screen shot 2018-05-11 at 10 30 32 am

Please try to customize the "JavaScript was blocked on this page" message. To indicate they should check the Brave shields panel. But since this string is in chrome/app/generated_resources.grd and we don't override it yet, we should override that as a separate PR and do that at that point. Posting a task for this would be fine for now.


While testing I somehow had an extension show up, which makes me think we blocked some extension we shouldn't have. I don't have any extra extensions installed, but it looks like it's from chrome/browser/resources/media_router.

screen shot 2018-05-11 at 10 22 10 am

@@ -25,14 +26,55 @@ BraveContentSettingsObserver::BraveContentSettingsObserver(
BraveContentSettingsObserver::~BraveContentSettingsObserver() {
}

void BraveContentSettingsObserver::DidFinishLoad() {
temporarily_allowed_scripts_.clear();

This comment has been minimized.

Copy link
@bbondy

bbondy May 11, 2018

Member

Doing this clear here will cause a bad experience for NoScript users because a lot of resource loads for an origin happen after the onload. On browser-laptop in frame.js we clear it when the component is unmounted (tab is closed) or when the user navigates to a different origin.
I think we could instead clear it when there's a different origin than was set in allow once in WillCommitProvisionalLoad or something like that.
You can try it out on my website to see how it doesn't really work well. It probably works for some test sites just fine though.
We don't have to be consistent completely with how browser-laptop works but just more usable.

temporarily_allowed_scripts_.clear();
}

bool BraveContentSettingsObserver::OnMessageReceived(const IPC::Message& message) {

This comment has been minimized.

Copy link
@bbondy

bbondy May 11, 2018

Member

Just noting an alternate way to do this might be to create temporary content settings that we later clear. But I'm ok with the current method you used.

This comment has been minimized.

Copy link
@bridiver

bridiver May 16, 2018

Collaborator

that actually doesn't work because it will affect other loads that might be happening in the background

This comment has been minimized.

Copy link
@bridiver

bridiver May 16, 2018

Collaborator

even this had to be tweaked slightly from the original to avoid any race conditoins

<html><head><title>load js from origins</title></head>
<body>
<script src="/cross-site/a.com/create_iframe.js"></script>
<script src="/cross-site/b.com/create_iframe.js"></script>

This comment has been minimized.

Copy link
@bbondy

bbondy May 11, 2018

Member

I think these paths are wrong which I think would make the tests fail.

This comment has been minimized.

Copy link
@yrliou

yrliou May 19, 2018

Author Member

Addressed, comments about how this works are added into html file.

@yrliou yrliou force-pushed the noscript branch from 300dda7 to ea677d7 May 15, 2018

// Send IPC msg to update the list in this tab's content settings observers
contents->SendToAllFrames(
new BraveFrameMsg_AllowScriptsOnce(MSG_ROUTING_NONE, params->origins));

This comment has been minimized.

Copy link
@yrliou

yrliou May 15, 2018

Author Member

Noted there is an issue here that frames which might be created after this will not get this list.
Probably could be solved by saving the list (which is specific to one webcontent) in the browser process (maybe in BraveWebContentsObserver or BraveTabSpecificContentSetting) and send the list in RenderFrameCreated to those subsequent frames that are created later.

This comment has been minimized.

Copy link
@yrliou

yrliou May 16, 2018

Author Member

addressed by 00cfdb3


void BraveContentSettingsObserver::OnAllowScriptsOnce(
const std::vector<std::string>& origins) {
temporarily_allowed_scripts_.clear();

This comment has been minimized.

Copy link
@bridiver

bridiver May 15, 2018

Collaborator

do we need an extra setting here or can we just set the existing cached_script_permissions_? cached_script_permissions_ gets cleared on navigation

@yrliou yrliou force-pushed the noscript branch 9 times, most recently from 6284061 to 9283244 May 15, 2018
@yrliou
Copy link
Member Author

yrliou commented May 19, 2018

@bbondy, @bridiver PR is updated, please take a look again when you're available, thanks!
Main change here is to maintain a set in BraveShieldsWebContentsObserver which will be propagated to render frames in ReadyToCommitNavigation, and the set would be cleared when navigating away.
In renderer side, origins passed from browser process will first be preloaded into preloaded_temporarily_allowed_scripts_.
Then it will be loaded into temporarily_allowed_scripts_ in DidCommitProvisionalLoad.
The reason of adding a preloaded var is to avoid wrongly apply the no-script setting which is meant for the navigation that's going to be committed to things in the current page load.

Copy link
Member

bbondy left a comment

lgtm

@yrliou yrliou force-pushed the noscript branch from 9283244 to 071a1ee May 23, 2018
@bbondy
bbondy approved these changes May 23, 2018
@yrliou yrliou merged commit c91d571 into master May 23, 2018
@yrliou yrliou deleted the noscript branch May 30, 2018
NejcZdovc pushed a commit that referenced this pull request Dec 10, 2018
Jason Sadler
Autocontribute monthly values other than defaults are now added
cezaraugusto pushed a commit that referenced this pull request Jul 10, 2019
Adds styled components names into class names
NejcZdovc added a commit that referenced this pull request Sep 18, 2019
Adds styled components names into class names
NejcZdovc added a commit that referenced this pull request Sep 19, 2019
Adds styled components names into class names
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
You can’t perform that action at this time.