Greasemonkey: restrict page schemes that scripts can run on

Scripts shouldn't run on qute://settings or source:// etc. Whitelist from: https://wiki.greasespot.net/Include_and_exclude_rules
2017-11-05 16:36:09 +13:00 · 2017-11-05 16:36:09 +13:00 · 41035cb5ca
commit 41035cb5ca
parent 799730f686
1 changed files with 6 additions and 0 deletions
--- a/qutebrowser/browser/greasemonkey.py
+++ b/qutebrowser/browser/greasemonkey.py
@ -226,6 +226,10 @@ class GreasemonkeyManager(QObject):
    """

    scripts_reloaded = pyqtSignal()
+    # https://wiki.greasespot.net/Include_and_exclude_rules#Greaseable_schemes
+    # Limit the schemes scripts can run on due to unreasonable levels of
+    # exploitability
+    greaseable_schemes = ['http', 'https', 'ftp', 'file']

    def __init__(self, parent=None):
        super().__init__(parent)
@ -273,6 +277,8 @@ class GreasemonkeyManager(QObject):
        returns a tuple of lists of scripts meant to run at (document-start,
        document-end, document-idle)
        """
+        if url.split(':', 1)[0] not in self.greaseable_schemes:
+            return [], [], []
        match = functools.partial(fnmatch.fnmatch, url)
        tester = (lambda script:
                  any([match(pat) for pat in script.includes]) and