Fix potential exfiltration of browsing history by a rogue list author…

… through permissions= As with `csp=` option, reporting capabilities need to be taken into account with `permissions=` option. Reference: https://github.com/w3c/webappsec-permissions-policy/blob/main/reporting.md This commit ensures that `permissions=` option using `report-to` are marked as invalid.
gorhill · Feb 13, 2024 · 7b138b5 · 7b138b5
1 parent 3037ae5
commit 7b138b5
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/js/static-filtering-parser.js b/src/js/static-filtering-parser.js
@@ -897,6 +897,7 @@ export class AstFilterParser {
  this.rePatternScriptletJsonArgs = /^\{.*\}$/;
  this.reGoodRegexToken = /[^\x01%0-9A-Za-z][%0-9A-Za-z]{7,}|[^\x01%0-9A-Za-z][%0-9A-Za-z]{1,6}[^\x01%0-9A-Za-z]/;
  this.reBadCSP = /(?:^|;)\s*report-(?:to|uri)\b/i;
+ this.reBadPP = /(?:^|;)\s*report-to\b/i;
  this.reNoopOption = /^_+$/;
  this.scriptletArgListParser = new ArgListParser(',');
  }
@@ -1400,7 +1401,11 @@ export class AstFilterParser {
  realBad = this.isRegexPattern() === false;
  break;
  case NODE_TYPE_NET_OPTION_NAME_PERMISSIONS:
- realBad = modifierType !== 0 || (hasValue || isException) === false;
+ realBad = modifierType !== 0 ||
+ (hasValue || isException) === false ||
+ this.reBadPP.test(
+ this.getNetOptionValue(NODE_TYPE_NET_OPTION_NAME_PERMISSIONS)
+ );
  if ( realBad ) { break; }
  modifierType = type;
  break;