From 41035cb5cab72ab3c4acfb06330eab6e7b8f25b4 Mon Sep 17 00:00:00 2001
From: Jimmy
Date: Sun, 5 Nov 2017 16:36:09 +1300
Subject: [PATCH] Greasemonkey: restrict page schemes that scripts can run on
Scripts shouldn't run on qute://settings or source:// etc. Whitelist from: https://wiki.greasespot.net/Include_and_exclude_rules
---
 qutebrowser/browser/greasemonkey.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/qutebrowser/browser/greasemonkey.py b/qutebrowser/browser/greasemonkey.py
index 41d32bcf1..4a8d9bdeb 100644
--- a/qutebrowser/browser/greasemonkey.py
+++ b/qutebrowser/browser/greasemonkey.py
@@ -226,6 +226,10 @@ class GreasemonkeyManager(QObject):
 """
 scripts_reloaded = pyqtSignal()
+ # https://wiki.greasespot.net/Include_and_exclude_rules#Greaseable_schemes
+ # Limit the schemes scripts can run on due to unreasonable levels of
+ # exploitability
+ greaseable_schemes = ['http', 'https', 'ftp', 'file']
 def __init__(self, parent=None):
 super().__init__(parent)
@@ -273,6 +277,8 @@ class GreasemonkeyManager(QObject):
 returns a tuple of lists of scripts meant to run at (document-start, document-end, document-idle)
 """
+ if url.split(':', 1)[0] not in self.greaseable_schemes:
+ return [], [], []
 match = functools.partial(fnmatch.fnmatch, url)
 tester = (lambda script: any([match(pat) for pat in script.includes]) and
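Review bot: The new `greaseable_schemes` whitelist includes `file`, so a script whose include patterns are broad will also be injected into local documents. Local files are usually a more sensitive origin than web pages, so consider leaving `file` out by default or gating it behind a setting. The linked Greasemonkey page may treat `file` as opt-in; please confirm against it. The attribute is also a mutable class-level list shared by all instances, and an immutable value such as `greaseable_schemes = ('http', 'https', 'ftp', 'file')` would stop it being altered at runtime. The comment would be clearer if it named the concern, for example `# Only these schemes are eligible; scripts must never run on internal pages such as qute://settings`.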
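Review bot: The early return added at the top of this function is not reflected in the docstring directly above it, which still describes only the three script lists. I would add a sentence such as `Returns three empty lists when the URL's scheme is not in greaseable_schemes.` The check compares a hand-split prefix case-sensitively. It fails closed, because an unrecognised or colon-less string yields no scripts, but an upper-case scheme would be rejected unless callers always pass a normalised URL; `if url.split(':', 1)[0].lower() not in self.greaseable_schemes:` removes that dependency. A test covering a `qute://` URL and a string with no colon would pin the fail-closed behaviour. The function's signature and the rest of its body lie outside the hunk.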