bug-librejs

Re: LibreJS seems to ignore query strings


From: Jacob K
Subject: Re: LibreJS seems to ignore query strings
Date: Fri, 11 Nov 2022 15:27:41 -0600

Hello, thanks for the explanation.
On 11/9/22 19:44, Yuchen Pei wrote:
> Hello,
> 
> Thanks for the detailed report.
> On Tue 2022-11-08 17:07:18 -0600, Jacob K wrote:
[...]
> 
> LibreJS removes the query part of a script url as a preprocessing in
> most (if not all) functions handling scripts.  This means if you
> whitelist https://foo.com/bar.js, https://foo.com/bar.js?blah is also
> let through.  OTOH without such whitelisting,
> https://foo.com/bar.js?blah is blocked as usual if it is not labelled.
> This is because the response processor checks the external script and
> rewrites it to /* LibreJS: script blocked ... */.
> 
> I suspect the reason for discarding the query part is to avoid having to
> whitelist all possible query strings which can be tedious.  Perhaps a
> better approach is to refine the whitelisting facility to allow patterns
> like globbing and regexes.
Would it make sense to generally keep handling query strings the same,
but make the link the user clicks on go to the version with the query
string included (possibly with a warning that there is a query string
and that whitelisting the script will whitelist all query strings)? That
way clicking "Show" next to a script will always take the user to the
currently blocked or running script.

> 
>>
>> Ideally, I think LibreJS should store checksums of scripts, but it seems
>> like it only does this for inline scripts currently?
> 
> LibreJS does use hashes of scripts, but only in the built-in whitelist
> (see /utilities/hash_script/whitelist).
> 
> Best,
> Yuchen
> 

Slightly off-topic, but is there a good system set up to add new scripts
to the internal whitelist? I often see free libraries that are not
recognized by LibreJS, and it seems like a group of motivated users
might be better at labeling them than the library developers, at least
when the library developers do not care about LibreJS.

Attachment: OpenPGP_0x8EF548378E806320.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
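
The matching behaviour discussed in this message, together with the proposed "Show" link that keeps the query string, as an added JavaScript sketch. It is not LibreJS code and not written by either participant; `stripQuery`, `checkScript` and the whitelist `Set` are hypothetical names, and the URLs are the thread's own examples.

```javascript
// Added illustration; not LibreJS source. All names here are hypothetical.

// Drop the query (and fragment) so every variant of a script URL maps to one key.
function stripQuery(rawUrl) {
  const u = new URL(rawUrl);
  u.search = "";
  u.hash = "";
  return u.href;
}

// Model of the behaviour described in the thread: the whitelist is consulted
// with the query-less key, so one entry covers every query string.
// `showUrl` keeps the full URL, as proposed in the reply, so a "Show" link
// points at the script that was actually requested.
function checkScript(rawUrl, whitelist) {
  const full = new URL(rawUrl);
  const key = stripQuery(rawUrl);
  return {
    key,
    showUrl: full.href,
    allowed: whitelist.has(key),
    // Tell the user that approving this key covers more than the URL shown.
    warning: full.search !== ""
      ? `Whitelisting ${key} will also allow every query string on it`
      : null,
  };
}

// Constructed sample data using the URLs from the thread.
const whitelist = new Set(["https://foo.com/bar.js"]);
const plain = checkScript("https://foo.com/bar.js", whitelist);
const withQuery = checkScript("https://foo.com/bar.js?blah", whitelist);
const unlisted = checkScript("https://foo.com/bar.js?blah", new Set());

for (const r of [plain, withQuery, unlisted]) {
  console.log(r.allowed ? "allow" : "block", r.showUrl, r.warning ?? "");
}
```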

