Reinstate isTrusted checks

2025-03-06 01:51:40 -05:00 · 2019-06-14 10:13:19 +01:00 · 2019-06-14 10:13:19 +01:00 · a8e14d9e82
commit a8e14d9e82
parent af36ebc3f5
2 changed files with 23 additions and 15 deletions
--- a/src/commandline_frame.ts
+++ b/src/commandline_frame.ts
@ -144,6 +144,7 @@ let keyEvents = []
 clInput.addEventListener(
    "keydown",
    function(keyevent: KeyboardEvent) {
+        if (!keyevent.isTrusted) return
        keyEvents.push(keyevent)
        let response = keyParser(keyEvents)
        if (response.isMatch) {
--- a/src/content.ts
+++ b/src/content.ts
@ -20,17 +20,23 @@ import {
 // Hook the keyboard up to the controller
 import * as ContentController from "@src/content/controller_content"
 import { getAllDocumentFrames } from "@src/lib/dom"
-window.addEventListener("keydown", ContentController.acceptKey, true)
+
+// Important for security!
+const guardedAcceptKey = (event: KeyboardEvent) => {
+    if (!event.isTrusted) return
+    ContentController.acceptKey(event)
+}
+window.addEventListener("keydown", guardedAcceptKey, true)
 document.addEventListener("readystatechange", ev =>
    getAllDocumentFrames().map(frame => {
        frame.contentWindow.removeEventListener(
            "keydown",
-            ContentController.acceptKey,
+            guardedAcceptKey,
            true,
        )
        frame.contentWindow.addEventListener(
            "keydown",
-            ContentController.acceptKey,
+            guardedAcceptKey,
            true,
        )
    }),
@ -152,10 +158,12 @@ config.getAsync("modeindicator").then(mode => {

    // This listener makes the modeindicator disappear when the mouse goes over it
    statusIndicator.addEventListener("mouseenter", ev => {
+        if (!ev.isTrusted) return
        let target = ev.target as any
        let rect = target.getBoundingClientRect()
        target.classList.add("TridactylInvisible")
        let onMouseOut = ev => {
+            if (!ev.isTrusted) return
            // If the mouse event happened out of the mode indicator boundaries
            if (
                ev.clientX < rect.x ||
@ -221,26 +229,25 @@ config.getAsync("modeindicator").then(mode => {
 // Site specific fix for / on GitHub.com
 config.getAsync("leavegithubalone").then(v => {
    if (v == "true") return
+
+    const slashsuppressor = (e) => {
+        if (!e.isTrusted) return
+        if ("/".indexOf(e.key) != -1 && contentState.mode == "normal") {
+            e.cancelBubble = true
+            e.stopImmediatePropagation()
+        }
+    }
+
    try {
        // On quick loading pages, the document is already loaded
        // if (document.location.host == "github.com") {
-        document.body.addEventListener("keydown", function(e) {
-            if ("/".indexOf(e.key) != -1 && contentState.mode == "normal") {
-                e.cancelBubble = true
-                e.stopImmediatePropagation()
-            }
-        })
+        document.body.addEventListener("keydown", slashsuppressor)
        // }
    } catch (e) {
        // But on slower pages we wait for the document to load
        window.addEventListener("DOMContentLoaded", () => {
            // if (document.location.host == "github.com") {
-            document.body.addEventListener("keydown", function(e) {
-                if ("/".indexOf(e.key) != -1 && contentState.mode == "normal") {
-                    e.cancelBubble = true
-                    e.stopImmediatePropagation()
-                }
-            })
+            document.body.addEventListener("keydown", slashsuppressor)
            // }
        })
    }