Re: LibreJS seems to ignore query strings
From: Yuchen Pei
Subject: Re: LibreJS seems to ignore query strings
Date: Thu, 10 Nov 2022 12:44:45 +1100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Hello,

Thanks for the detailed report.

On Tue 2022-11-08 17:07:18 -0600, Jacob K wrote:
> Hello,
>
> I noticed a problem with the way LibreJS displays some script links.
> LibreJS does not include the query string (the part after the '?') when
> presenting links, which means the script you click on in LibreJS could
> be different from the script that actually would be executed. For
> example, on this page for sample ballots [1], you will see a script at
> [2] listed in LibreJS, but when you click on that link, you will get a
> 404 error page. If you view the HTML source of the page [3] and ctrl+F
> for "WebResource", you will see that there is a corresponding script tag
> that should include
> "?d=MNJoMkNhH6PXyoAVyephgc5zG0Kl3XENDyBeYod5KBRwslKU_pr2SCPr4zAZ53jiLf6hyOkI2Z1aLd0nedPpQ5sN6ILFmouLh4mOzmCwTIU1&t=637814437746327080"
> after the part of the URL that LibreJS shows.
>
> I looked for previous discussion about this, but I could not find any.
>
> It seems that LibreJS should show the query string also, but I suppose
> there could be a link that updates with every refresh, despite pointing
> to the same script text, so I'm not sure what the best way to handle
> this is.
>
> When the URL without the query string is a 404 or an empty script, this
> problem is mostly a matter of convenience, but I imagine there could be
> a problem where, if LibreJS is ignoring query strings completely (and
> I'm not sure that it is), then a page could serve a free non-malicious
> script when there is no query string, but serve a nonfree or malicious
> script when there is a particular query string. There are surely other
> ways for webpages to trick people into running malware [4], so maybe
> this is not such a big deal.

LibreJS removes the query part of a script URL as a preprocessing step in
most (if not all) functions handling scripts. This means if you
whitelist https://foo.com/bar.js, https://foo.com/bar.js?blah is also
let through. OTOH without such whitelisting,
https://foo.com/bar.js?blah is blocked as usual if it is not labelled.
This is because the response processor checks the external script and
rewrites it to /* LibreJS: script blocked ... */.

I suspect the reason for discarding the query part is to avoid having to
whitelist all possible query strings, which can be tedious. Perhaps a
better approach is to refine the whitelisting facility to allow patterns
like globbing and regexes.

>
> Ideally, I think LibreJS should store checksums of scripts, but it seems
> like it only does this for inline scripts currently?

LibreJS does use hashes of scripts, but only in the built-in whitelist
(see /utilities/hash_script/whitelist).
Best,
Yuchen
--
PGP Key: 47F9 D050 1E11 8879 9040 4941 2126 7E93 EF86 DFD0
<https://ypei.org/assets/ypei-pubkey.txt>
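
Added example (not part of the original message and not LibreJS code): a Node.js comparison of three allowlist policies for the foo.com/bar.js case discussed above: matching on the URL with the query stripped, matching the full URL against glob patterns, and matching on a hash of the script text. All function names, the glob syntax and the script bodies are assumptions made for the illustration.

```javascript
// Added illustration, not LibreJS code; every name below is hypothetical.
const crypto = require('crypto');

// Constructed sample bodies for two URLs that differ only in the query string.
const SAMPLE_RESPONSES = new Map([
  ['https://foo.com/bar.js', 'function greet() { return "hi"; }'],
  ['https://foo.com/bar.js?blah', 'function greet() { return "different code"; }'],
]);

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Drop query and fragment, as in the preprocessing described in the reply.
function stripQuery(url) {
  const u = new URL(url);
  u.search = '';
  u.hash = '';
  return u.href;
}

// Hypothetical glob syntax: '*' matches any run of characters, everything
// else is literal. The pattern is tested against the full URL, query included.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// Three allowlist policies; each returns true when the script may run.
const policies = {
  strippedUrl: (allow, url) => allow.urls.includes(stripQuery(url)),
  globUrl: (allow, url) => allow.globs.some((g) => globToRegExp(g).test(url)),
  contentHash: (allow, url, body) => allow.hashes.includes(sha256(body)),
};

// Evaluate every policy for one URL using the constructed responses.
function evaluate(allow, url) {
  const body = SAMPLE_RESPONSES.get(url);
  return Object.fromEntries(
    Object.entries(policies).map(([name, check]) => [name, check(allow, url, body)]));
}

// The user reviewed and allowed only the query-less script.
const ALLOW = {
  urls: ['https://foo.com/bar.js'],
  globs: ['https://foo.com/bar.js', 'https://foo.com/bar.js?t=*'],
  hashes: [sha256(SAMPLE_RESPONSES.get('https://foo.com/bar.js'))],
};

console.log(evaluate(ALLOW, 'https://foo.com/bar.js'));
console.log(evaluate(ALLOW, 'https://foo.com/bar.js?blah'));
```

Only the query-stripping policy accepts the ?blah variant; the glob policy accepts a changing ?t=... value without accepting arbitrary queries, and the hash policy follows the script text regardless of URL.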