
The blocking of inline javascript does not propagate to frames #490

Closed
gorhill opened this Issue · 6 comments

2 participants

@gorhill

I need to use the sandbox directive for embedded frames, just like in uMatrix.

Test page: http://raymondhill.net/httpsb/httpsb-test-js-1.html

@Deathamns

If the sandbox directive in HTTP headers behaves the same as setting the iframe's sandbox attribute, then it will have a side-effect where it won't load plugins, and there's no way to enable them in sandboxed frames.
Simply sending to iframes the same CSP that is sent for the main_frame wouldn't work?

@gorhill

> Simply sending to iframes the same CSP that is sent for the main_frame wouldn't work?

It has been a while since I worked with all this.

It's something I used to do with HTTP Switchboard -- as this is the simplest way. The comment in the code says:

> For inline javascript within iframes, we need to sandbox

Guess I will have to try again to find out again why this was not working. There must be a commit in there somewhere related to a bug explaining why it did not work.

Edit: This is the commit where I started to use sandbox instead of reusing same CSP header for subframes as the one for root document.

@Deathamns

I'm not sure if I understood the problem, but is it that Content-Security-Policy: script-src 'unsafe-eval' * doesn't work when applied to iframes?

@gorhill

I will have to try again. It's not clear from the commit why I replaced it with sandbox. I suspect I might have been confused at the time about another problem of inline script not being blocked if it was previously allowed to execute (because in mem-cache).

According to this it seems your idea should work fine:

> The embedded resource, however, is controlled by the policy delivered with the resource, or the policy of the embedding resource if the embedded resource is a globally unique identifier

@Deathamns

Just for the record, I tested it, and setting Content-Security-Policy: script-src 'unsafe-eval' * for sub_document will result in "Inline javascript: OFF" in your tests (both in Chrome and Firefox).

@gorhill

Yes, just got the result myself, it works. (though I had to fix a little problem with the network request result cache). So easy fix, I like it like that.

Edit: Works in FF too, expected, but great to see no complications.

@gorhill gorhill added a commit that closed this issue
@gorhill gorhill this fixes #490 b436f8e
@gorhill gorhill closed this in b436f8e
@AlexVallat AlexVallat pushed a commit to AlexVallat/uBlock that referenced this issue
@gorhill gorhill this fixes #490 9276b99
@AlexVallat AlexVallat pushed a commit to AlexVallat/uBlock that referenced this issue
@gorhill gorhill this completely fixes #490 fa4e3ca
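
The approach the thread settles on (send frames the same `script-src 'unsafe-eval' *` header as the root document), sketched as an added example; this is not uBlock's code from the commits above. It assumes the WebExtensions webRequest type names `main_frame` and `sub_frame`; `inlineScriptBlocked`, `policyAllowsInline` and `inlineScriptAllowed` are hypothetical names, and the checker is simplified (it ignores nonces, hashes and `sandbox`).

```javascript
// Policy string from the thread: no 'unsafe-inline', so inline script is refused.
const NO_INLINE_SCRIPT_CSP = "script-src 'unsafe-eval' *";
// Both document-level request types get the header, not only the root document.
const DOCUMENT_TYPES = new Set(['main_frame', 'sub_frame']);

// Shaped like a webRequest.onHeadersReceived listener. inlineScriptBlocked(url)
// is a hypothetical callback standing in for the blocker's per-site decision.
function onHeadersReceived(details, inlineScriptBlocked) {
  if (!DOCUMENT_TYPES.has(details.type)) return undefined; // images, scripts, ...
  if (!inlineScriptBlocked(details.url)) return undefined;
  // Append, never replace: a browser enforces every CSP header it receives,
  // so the added policy can only tighten what the site already sent.
  const responseHeaders = (details.responseHeaders || []).concat({
    name: 'Content-Security-Policy',
    value: NO_INLINE_SCRIPT_CSP,
  });
  return { responseHeaders };
}

// Simplified check: does one policy permit inline <script>?
function policyAllowsInline(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  return sources === undefined || sources.includes("'unsafe-inline'");
}

// Inline script runs only if every delivered policy permits it.
function inlineScriptAllowed(responseHeaders) {
  return responseHeaders
    .filter((h) => h.name.toLowerCase() === 'content-security-policy')
    .every((h) => policyAllowsInline(h.value));
}

// Constructed sample: a framed page whose own policy permits inline script.
const SAMPLE_FRAME_RESPONSE = {
  type: 'sub_frame',
  url: 'https://frame.example/widget.html',
  responseHeaders: [
    { name: 'Content-Type', value: 'text/html' },
    { name: 'content-security-policy', value: "script-src 'self' 'unsafe-inline'" },
  ],
};
```

In an extension the listener would be registered with the `blocking` and `responseHeaders` options so the modified headers take effect before the frame's document is parsed.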