hiro/tridactyl
1
0
Fork 0
mirror of https://github.com/vale981/tridactyl synced 2025-03-05 09:31:41 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove set csp clobber

Browse source 
This just removes the background.ts code that detects whether the user
wants to clobber their csp and adds an error message if the user tries
to `set csp clobber`.
The `csp` setting is marked as deprecated but left untouched in case we
find a way to edit CSP in a way that complies with Mozilla's policies.
The csp-editing code in `requests.ts` is left untouched for the same
reason.
This commit is contained in:
glacambre 2019-10-02 10:15:40 +02:00
parent 824f33223b
commit a4040102f5
No known key found for this signature in database
GPG key ID: B9625DB1767553AC
6 changed files with 9 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.tridactylrc
View file

@ -107,7 +107,6 @@ command fixamo js tri.excmds.setpref("privacy.resistFingerprinting.block_mozAddo
" Make Tridactyl work on more sites at the expense of some security. For " Make Tridactyl work on more sites at the expense of some security. For
" details, read the comment at the top of this file. " details, read the comment at the top of this file.
set csp clobber
fixamo_quiet fixamo_quiet
" Make quickmarks for the sane Tridactyl issue view " Make quickmarks for the sane Tridactyl issue view

4
contributing.md
View file

@ -87,7 +87,7 @@ Here's an example: you're writing the [`native()`](https://github.com/tridactyl/
- math.ts: Math stuff. - math.ts: Math stuff.
- messaging.ts: Implementation of Tridactyl's messaging functions (attributeCaller, message, messageTab, messageOwnTab...). - messaging.ts: Implementation of Tridactyl's messaging functions (attributeCaller, message, messageTab, messageOwnTab...).
- native.ts: Wrappers around Firefox's native messaging API. Also has "higher-level" functions that interact with the native messenger (finding the user's favorite editor, reading/setting preferences...). - native.ts: Wrappers around Firefox's native messaging API. Also has "higher-level" functions that interact with the native messenger (finding the user's favorite editor, reading/setting preferences...).
- requests.ts: CSP-clobbering code. - requests.ts: CSP-clobbering code. Not used anymore.
- text_to_speech.ts: Various wrappers around Firefox's TTS APIs. - text_to_speech.ts: Various wrappers around Firefox's TTS APIs.
- url_util.ts: Url incrementation, query-extraction, interpolation. - url_util.ts: Url incrementation, query-extraction, interpolation.
- webext.ts: Wrappers around Firefox's APIs (activeTab(), ownTab()...). - webext.ts: Wrappers around Firefox's APIs (activeTab(), ownTab()...).
@ -95,7 +95,7 @@ Here's an example: you're writing the [`native()`](https://github.com/tridactyl/
### src/ ### src/
- background.ts: Entry point of Tridactyl's background script. Deals with various things that didn't deserve their own file when they were implemented: autocommands, autocontainers, CSP hijacking... - background.ts: Entry point of Tridactyl's background script. Deals with various things that didn't deserve their own file when they were implemented: autocommands, autocontainers...
- commandline_frame.ts: Entry point of the command line. Sets up various event listeners and updates completions when needed. - commandline_frame.ts: Entry point of the command line. Sets up various event listeners and updates completions when needed.
- completions/\*.ts: All completion sources available to Tridactyl. Imported by commandline_frame.ts - completions/\*.ts: All completion sources available to Tridactyl. Imported by commandline_frame.ts
- completions.ts: Scaffolding used by completion sources in the "completions" folder. - completions.ts: Scaffolding used by completion sources in the "completions" folder.

1
doc/troubleshooting.md
View file

@ -5,7 +5,6 @@ If changing one of these settings fixes your bug, please visit the corresponding
- `:seturl $URL_OF_THE_WEBSITE noiframe true` and then reload the page. This disables the Tridactyl commandline on a specific url. [#639](https://github.com/tridactyl/tridactyl/issues/639) - `:seturl $URL_OF_THE_WEBSITE noiframe true` and then reload the page. This disables the Tridactyl commandline on a specific url. [#639](https://github.com/tridactyl/tridactyl/issues/639)
- `:set allowautofocus true` and then reload the page. This allows website to use the javascript `focus()` function. [#550](https://github.com/tridactyl/tridactyl/issues/550) - `:set allowautofocus true` and then reload the page. This allows website to use the javascript `focus()` function. [#550](https://github.com/tridactyl/tridactyl/issues/550)
- `:set modeindicator false` and then reload the page. This disables the mode indicator. [#821](https://github.com/tridactyl/tridactyl/issues/821) - `:set modeindicator false` and then reload the page. This disables the mode indicator. [#821](https://github.com/tridactyl/tridactyl/issues/821)
- `:get csp`. If the value returned is "untouched", try `:set csp clobber`. If the value is "clobber", try `:set csp untouched`. In both cases, please reload the page. This disables (or prevents disabling) some security settings of the page. [#109](https://github.com/tridactyl/tridactyl/issues/109)
# Native Editor/Messenger issues # Native Editor/Messenger issues

27
src/background.ts
View file

@ -77,33 +77,6 @@ browser.tabs.onActivated.addListener(ev => {
}) })
}) })
// {{{ Clobber CSP
// This should be removed once https://bugzilla.mozilla.org/show_bug.cgi?id=1267027 is fixed
function addCSPListener() {
browser.webRequest.onHeadersReceived.addListener(
request.clobberCSP,
{ urls: ["<all_urls>"], types: ["main_frame"] },
["blocking", "responseHeaders"],
)
}
function removeCSPListener() {
browser.webRequest.onHeadersReceived.removeListener(request.clobberCSP)
}
config.getAsync("csp").then(csp => csp === "clobber" && addCSPListener())
config.addChangeListener("csp", (old, cur) => {
if (cur === "clobber") {
addCSPListener()
} else {
removeCSPListener()
}
})
// }}}
// Prevent Tridactyl from being updated while it is running in the hope of fixing #290 // Prevent Tridactyl from being updated while it is running in the hope of fixing #290
browser.runtime.onUpdateAvailable.addListener(_ => undefined) browser.runtime.onUpdateAvailable.addListener(_ => undefined)

6
src/excmds.ts
View file

@ -3280,6 +3280,12 @@ export function set(key: string, ...values: string[]) {
throw "Warning: `noiframeon $url1 $url2` has been deprecated in favor of `:seturl $url1 noiframe true`. The right seturl calls have been made for you but from now on please use `:seturl`." throw "Warning: `noiframeon $url1 $url2` has been deprecated in favor of `:seturl $url1 noiframe true`. The right seturl calls have been made for you but from now on please use `:seturl`."
} }
if (key === "csp" && values[0] === "clobber") {
const msg = "#Error: Mozilla asked us to remove our csp-clobbering code. See https://github.com/tridactyl/tridactyl/issues/1800"
fillcmdline_tmp(3000, msg)
throw msg
}
return config.set(...validateSetArgs(key, values)) return config.set(...validateSetArgs(key, values))
} }

1
src/lib/config.ts
View file

@ -900,6 +900,7 @@ export class default_config {
minincsearchlen = 3 minincsearchlen = 3
/** /**
* Deprecated.
* Change this to "clobber" to ruin the "Content Security Policy" of all sites a bit and make Tridactyl run a bit better on some of them, e.g. raw.github* * Change this to "clobber" to ruin the "Content Security Policy" of all sites a bit and make Tridactyl run a bit better on some of them, e.g. raw.github*
*/ */
csp: "untouched" | "clobber" = "untouched" csp: "untouched" | "clobber" = "untouched"