Fix application of multiple userscripts

Add flag to enable evals in userscripts Add script name in log
2021-12-13 17:37:10 +01:00 · 2021-12-13 17:37:10 +01:00 · b9bdb101d2
commit b9bdb101d2
parent 685105abc9
1 changed files with 75 additions and 48 deletions
--- a/build/patches/Experimental-user-scripts-support.patch
+++ b/build/patches/Experimental-user-scripts-support.patch
@ -20,6 +20,10 @@ document-idle), homepage, url_source

 The UI also allows you to see the source of the script.

+Fix application of multiple userscripts
+Add flag to enable evals in userscripts
+Add script name in log
+
 See also: components/user_scripts/README.md
 ---
 chrome/android/BUILD.gn                       |   5 +
@ -28,10 +32,10 @@ See also: components/user_scripts/README.md
 .../init/ProcessInitializationHandler.java    |   3 +
 chrome/android/java_sources.gni               |   3 +
 chrome/browser/BUILD.gn                       |   5 +
- chrome/browser/about_flags.cc                 |   5 +
+ chrome/browser/about_flags.cc                 |   8 +
 .../browser/chrome_content_browser_client.cc  |   3 +-
- chrome/browser/flag_descriptions.cc           |   5 +
- chrome/browser/flag_descriptions.h            |   3 +
+ chrome/browser/flag_descriptions.cc           |   9 +
+ chrome/browser/flag_descriptions.h            |   5 +
 chrome/browser/prefs/browser_prefs.cc         |   2 +
 chrome/browser/profiles/BUILD.gn              |   1 +
 ...hrome_browser_main_extra_parts_profiles.cc |   3 +
@ -72,7 +76,7 @@ See also: components/user_scripts/README.md
 .../user-script-ui/user-scripts-ui.js         |   9 +
 .../browser/ui/user_scripts_ui.cc             | 148 ++++
 .../user_scripts/browser/ui/user_scripts_ui.h |  39 +
- .../browser/user_script_loader.cc             | 721 ++++++++++++++++
+ .../browser/user_script_loader.cc             | 714 ++++++++++++++++
 .../user_scripts/browser/user_script_loader.h | 170 ++++
 .../browser/user_script_pref_info.cc          |  34 +
 .../browser/user_script_pref_info.h           |  72 ++
@ -95,10 +99,10 @@ See also: components/user_scripts/README.md
 components/user_scripts/common/url_pattern.h  | 302 +++++++
 .../user_scripts/common/url_pattern_set.cc    | 334 ++++++++
 .../user_scripts/common/url_pattern_set.h     | 161 ++++
- components/user_scripts/common/user_script.cc | 317 +++++++
+ components/user_scripts/common/user_script.cc | 325 +++++++
 components/user_scripts/common/user_script.h  | 403 +++++++++
- .../common/user_scripts_features.cc           |  32 +
- .../common/user_scripts_features.h            |  34 +
+ .../common/user_scripts_features.cc           |  35 +
+ .../common/user_scripts_features.h            |  35 +
 components/user_scripts/common/view_type.cc   |  39 +
 components/user_scripts/common/view_type.h    |  48 ++
 components/user_scripts/renderer/BUILD.gn     |  67 ++
@ -121,7 +125,7 @@ See also: components/user_scripts/README.md
 .../user_scripts/renderer/scripts_run_info.h  |  70 ++
 .../renderer/user_script_injector.cc          | 228 +++++
 .../renderer/user_script_injector.h           |  87 ++
- .../user_scripts/renderer/user_script_set.cc  | 259 ++++++
+ .../user_scripts/renderer/user_script_set.cc  | 262 ++++++
 .../user_scripts/renderer/user_script_set.h   | 102 +++
 .../renderer/user_script_set_manager.cc       |  77 ++
 .../renderer/user_script_set_manager.h        |  62 ++
@ -129,11 +133,11 @@ See also: components/user_scripts/README.md
 .../renderer/user_scripts_dispatcher.h        |  48 ++
 .../renderer/user_scripts_renderer_client.cc  | 105 +++
 .../renderer/user_scripts_renderer_client.h   |  36 +
- .../renderer/web_ui_injection_host.cc         |  40 +
+ .../renderer/web_ui_injection_host.cc         |  48 ++
 .../renderer/web_ui_injection_host.h          |  28 +
 .../strings/userscripts_strings.grdp          |  55 ++
 tools/gritsettings/resource_ids.spec          |   6 +
- 111 files changed, 9579 insertions(+), 2 deletions(-)
+ 111 files changed, 9604 insertions(+), 2 deletions(-)
 create mode 100644 components/user_scripts/README.md
 create mode 100755 components/user_scripts/android/BUILD.gn
 create mode 100644 components/user_scripts/android/java/res/layout/accept_script_item.xml
@ -345,13 +349,16 @@ diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
 #include "components/version_info/version_info.h"
 #include "components/viz/common/features.h"
 #include "components/viz/common/switches.h"
-@@ -6528,6 +6529,10 @@ const FeatureEntry kFeatureEntries[] = {
+@@ -6528,6 +6529,13 @@ const FeatureEntry kFeatureEntries[] = {
      FEATURE_VALUE_TYPE(features::kUserDataSnapshot)},
 #endif
 
 +    {"enable-userscripts-log", flag_descriptions::kEnableLoggingUserScriptsName,
 +     flag_descriptions::kEnableLoggingUserScriptsDescription, kOsDesktop | kOsAndroid,
 +     FEATURE_VALUE_TYPE(user_scripts::features::kEnableLoggingUserScripts)},
+    {"enable-userscripts-usafe-eval", flag_descriptions::kEnableUnsafeEvalUserScriptsName,
+     flag_descriptions::kEnableUnsafeEvalUserScriptsDescription, kOsDesktop | kOsAndroid,
+     FEATURE_VALUE_TYPE(user_scripts::features::kEnableUnsafeEvalUserScripts)},
 +
 #if defined(OS_WIN)
     {"run-video-capture-service-in-browser",
@ -372,7 +379,7 @@ diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/ch
 diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
 --- a/chrome/browser/flag_descriptions.cc
 +++ b/chrome/browser/flag_descriptions.cc
-@@ -5393,6 +5393,11 @@ const char kUserDataSnapshotDescription[] =
+@@ -5393,6 +5393,15 @@ const char kUserDataSnapshotDescription[] =
     "update and restoring them after a version rollback.";
 #endif  // !defined(OS_ANDROID) && !BUILDFLAG(IS_CHROMEOS_ASH)
 
@ -380,6 +387,10 @@ diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descripti
 +const char kEnableLoggingUserScriptsDescription[] =
 +    "Enables logging for troubleshooting feature. "
 +    "Enabling logs may make browsing slower.";
+
+const char kEnableUnsafeEvalUserScriptsName[] = "Enable CSP usafe-eval in user scripts";
+const char kEnableUnsafeEvalUserScriptsDescription[] =
+    "Enables unsafe-eval in user scripts, by adding unsafe-eval in the default CSP.";
 +
 #if defined(OS_WIN) || defined(OS_CHROMEOS) || defined(OS_MAC)
 const char kWebShareName[] = "Web Share";
@ -387,12 +398,14 @@ diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descripti
 diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
 --- a/chrome/browser/flag_descriptions.h
 +++ b/chrome/browser/flag_descriptions.h
-@@ -3132,6 +3132,9 @@ extern const char kUserDataSnapshotName[];
+@@ -3132,6 +3132,11 @@ extern const char kUserDataSnapshotName[];
 extern const char kUserDataSnapshotDescription[];
 #endif  // !defined(OS_ANDROID) && !BUILDFLAG(IS_CHROMEOS_ASH)
 
 +extern const char kEnableLoggingUserScriptsName[];
 +extern const char kEnableLoggingUserScriptsDescription[];
+extern const char kEnableUnsafeEvalUserScriptsName[];
+extern const char kEnableUnsafeEvalUserScriptsDescription[];
 +
 #if defined(OS_WIN) || defined(OS_CHROMEOS) || defined(OS_MAC)
 extern const char kWebShareName[];
@ -2833,7 +2846,7 @@ diff --git a/components/user_scripts/browser/user_script_loader.cc b/components/
 new file mode 100755
 --- /dev/null
 +++ b/components/user_scripts/browser/user_script_loader.cc
-@@ -0,0 +1,721 @@
+@@ -0,0 +1,714 @@
 +/*
 +    This file is part of Bromite.
 +
@ -2895,6 +2908,7 @@ new file mode 100755
 +#include "file_task_runner.h"
 +#include "user_script_prefs.h"
 +#include "user_script_pref_info.h"
+#include "../common/host_id.h"
 +
 +using content::BrowserThread;
 +using content::BrowserContext;
@ -2924,16 +2938,6 @@ new file mode 100755
 +static const base::StringPiece kParserError("// @error");
 +static const base::StringPiece kForceDisabled("// @disabled");
 +
-+bool invalidChar(unsigned char c)
-+{
-+  return !(c>=0 && c <128);
-+}
-+
-+void stripUnicode(std::string& str)
-+{
-+  str.erase(remove_if(str.begin(),str.end(), invalidChar), str.end());
-+}
-+
 +// Helper function to parse greasesmonkey headers
 +bool GetDeclarationValue(const base::StringPiece& line,
 +                         const base::StringPiece& prefix,
@ -3101,13 +3105,12 @@ new file mode 100755
 +      return false;
 +    }
 +
+    script->set_name(user_script_path.BaseName().value());
 +    script->set_match_origin_as_fallback(MatchOriginAsFallbackBehavior::kNever);
 +
-+    // remove unicode chars and set content into File
-+    stripUnicode(content);
 +    std::unique_ptr<UserScript::File> file(new UserScript::File());
 +    file->set_content(content);
-+    file->set_url(GURL(/*script_key*/ "script.js")); // name doesn't matter
+    file->set_url(GURL(base::StrCat({"https://userscripts/file/", script->name(), ".js"})));
 +
 +    // create SHA256 of file
 +    char raw[crypto::kSHA256Length] = {0};
@ -3157,6 +3160,9 @@ new file mode 100755
 +  base::FilePath full_name;
 +  while (full_name = dir_enum.Next(), !full_name.empty()) {
 +    std::unique_ptr<UserScript> userscript(new UserScript());
+    userscript->set_id(UserScript::GenerateUserScriptID());
+    userscript->set_host_id(HostID(HostID::HostType::EXTENSIONS,
+      "_" + base::NumberToString(userscript->id())));
 +
 +    std::u16string error;
 +    bool found_metadata;
@ -6424,7 +6430,7 @@ diff --git a/components/user_scripts/common/user_script.cc b/components/user_scr
 new file mode 100755
 --- /dev/null
 +++ b/components/user_scripts/common/user_script.cc
-@@ -0,0 +1,317 @@
+@@ -0,0 +1,325 @@
 +// Copyright 2013 The Chromium Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style license that can be
 +// found in the LICENSE file.
@ -6532,6 +6538,12 @@ new file mode 100755
 +}
 +
 +bool UserScript::MatchesURL(const GURL& url) const {
+  // exclude schemas not valid
+  URLPattern pattern(kValidUserScriptSchemes);
+  pattern.Parse(url.spec());
+  if (!pattern.IsValidScheme(pattern.scheme()))
+    return false;
+
 +  if (!url_set_.is_empty()) {
 +    if (!url_set_.MatchesURL(url)) {
 +      if (base::FeatureList::IsEnabled(features::kEnableLoggingUserScripts))
@ -6593,6 +6605,7 @@ new file mode 100755
 +  // Write the simple types to the pickle.
 +  pickle->WriteInt(run_location());
 +  pickle->WriteInt(user_script_id_);
+  pickle->WriteString(name_);
 +  pickle->WriteBool(emulate_greasemonkey());
 +  pickle->WriteBool(match_all_frames());
 +  pickle->WriteInt(static_cast<int>(match_origin_as_fallback()));
@ -6648,6 +6661,7 @@ new file mode 100755
 +  run_location_ = static_cast<RunLocation>(run_location);
 +
 +  CHECK(iter->ReadInt(&user_script_id_));
+  CHECK(iter->ReadString(&name_));
 +  CHECK(iter->ReadBool(&emulate_greasemonkey_));
 +  CHECK(iter->ReadBool(&match_all_frames_));
 +  int match_origin_as_fallback_int = 0;
@ -7154,7 +7168,7 @@ diff --git a/components/user_scripts/common/user_scripts_features.cc b/component
 new file mode 100644
 --- /dev/null
 +++ b/components/user_scripts/common/user_scripts_features.cc
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,35 @@
 +/*
 +    This file is part of Bromite.
 +
@ -7184,15 +7198,17 @@ new file mode 100644
 +                                        {"EnableLoggingUserScripts",
 +                                          base::FEATURE_DISABLED_BY_DEFAULT};
 +
+const base::Feature kEnableUnsafeEvalUserScripts =
+                                        {"EnableUsafeEvalUserScripts",
+                                          base::FEATURE_DISABLED_BY_DEFAULT};
 +}
 +
 +}
-\ No newline at end of file
 diff --git a/components/user_scripts/common/user_scripts_features.h b/components/user_scripts/common/user_scripts_features.h
 new file mode 100644
 --- /dev/null
 +++ b/components/user_scripts/common/user_scripts_features.h
-@@ -0,0 +1,34 @@
+@@ -0,0 +1,35 @@
 +/*
 +    This file is part of Bromite.
 +
@ -7222,12 +7238,12 @@ new file mode 100644
 +
 +namespace features {
 +    extern const base::Feature kEnableLoggingUserScripts;
+    extern const base::Feature kEnableUnsafeEvalUserScripts;
 +}
 +
 +}
 +
 +#endif
-\ No newline at end of file
 diff --git a/components/user_scripts/common/view_type.cc b/components/user_scripts/common/view_type.cc
 new file mode 100755
 --- /dev/null
@ -9712,7 +9728,7 @@ diff --git a/components/user_scripts/renderer/user_script_set.cc b/components/us
 new file mode 100755
 --- /dev/null
 +++ b/components/user_scripts/renderer/user_script_set.cc
-@@ -0,0 +1,259 @@
+@@ -0,0 +1,262 @@
 +// Copyright 2014 The Chromium Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style license that can be
 +// found in the LICENSE file.
@ -9912,17 +9928,20 @@ new file mode 100755
 +                                        std::move(injection_host), run_location,
 +                                        log_activity));
 +    if (base::FeatureList::IsEnabled(features::kEnableLoggingUserScripts))
-+      LOG(INFO) << "UserScripts: Match name=" << script->name() << " " <<
-+                                         "url=" << effective_document_url.spec();
+      LOG(INFO) << "UserScripts: Match name=" << script->name() <<
+                                      " id=" << script->host_id().id() <<
+                                      " url=" << effective_document_url.spec();
 +  } else {
 +    if (base::FeatureList::IsEnabled(features::kEnableLoggingUserScripts)) {
 +      if (script->run_location() != run_location)
 +        LOG(INFO) << "UserScripts: run location for name=" << script->name() <<
-+                                        "current " << run_location << " " <<
-+                                        "need " << script->run_location();
+                                      " id=" << script->host_id().id() <<
+                                      " current " << run_location <<
+                                      " need " << script->run_location();
 +      else
-+        LOG(INFO) << "UserScripts: Match but no run name=" << script->name() << " " <<
-+                                        "url=" << effective_document_url.spec();
+        LOG(INFO) << "UserScripts: Match but no run name=" << script->name() <<
+                                      " id=" << script->host_id().id() <<
+                                      " url=" << effective_document_url.spec();
 +    }
 +  }
 +  return injection;
@ -10483,19 +10502,23 @@ diff --git a/components/user_scripts/renderer/web_ui_injection_host.cc b/compone
 new file mode 100755
 --- /dev/null
 +++ b/components/user_scripts/renderer/web_ui_injection_host.cc
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,48 @@
 +// Copyright 2015 The Chromium Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style license that can be
 +// found in the LICENSE file.
 +
 +#include "web_ui_injection_host.h"
 +#include "base/no_destructor.h"
+#include "../common/user_scripts_features.h"
 +
 +namespace {
 +
 +// The default secure CSP to be used in order to prevent remote scripts.
 +const char kDefaultSecureCSP[] = "script-src 'self'; object-src 'self';";
 +
+// With unsafe-eval.
+const char kDefaultUnsafeEvalCSP[] = "script-src 'self'; object-src 'self'; unsafe-eval;";
+
 +}
 +
 +WebUIInjectionHost::WebUIInjectionHost(const HostID& host_id)
@ -10507,14 +10530,18 @@ new file mode 100755
 +}
 +
 +const std::string* WebUIInjectionHost::GetContentSecurityPolicy() const {
-+  // Use the main world CSP.
-+  // return nullptr;
-+
-+  // The isolated world will use its own CSP which blocks remotely hosted
-+  // code.
-+  static const base::NoDestructor<std::string> default_isolated_world_csp(
-+      kDefaultSecureCSP);
-+  return default_isolated_world_csp.get();
+  if (base::FeatureList::IsEnabled(user_scripts::features::kEnableUnsafeEvalUserScripts)) {
+    // Allow use of evals.
+    static const base::NoDestructor<std::string> default_isolated_world_csp(
+        kDefaultUnsafeEvalCSP);
+    return default_isolated_world_csp.get();
+  } else {
+    // The isolated world will use its own CSP which blocks remotely hosted
+    // code.
+    static const base::NoDestructor<std::string> default_isolated_world_csp(
+        kDefaultSecureCSP);
+    return default_isolated_world_csp.get();
+  }
 +}
 +
 +const GURL& WebUIInjectionHost::url() const {