Restore 3rd party document.cookie block

Auditors: @bbondy Partially fix #3214
brave · Aug 16, 2016 · 92f86e3 · 92f86e3 · bbondy · Aug 17, 2016
1 parent 4df9dfe
commit 92f86e3
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/app/extensions/brave/content/scripts/block3rdPartyContent.js b/app/extensions/brave/content/scripts/block3rdPartyContent.js
@@ -2,6 +2,25 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+/**
+ * Whether this is running in a third-party document.
+ */
+function is3rdPartyDoc () {
+  try {
+    // Try accessing an element that cross-origin frames aren't supposed to
+    window.top.document
+  } catch (e) {
+    if (e.name === 'SecurityError') {
+      return true
+    } else {
+      console.log('got unexpected error accessing window.top.document', e)
+      // Err on the safe side and assume this is a third-party frame
+      return true
+    }
+  }
+  return false
+}
+
 function blockReferer () {
   if (document.referrer) {
     // Blocks cross-origin referer
@@ -13,11 +32,24 @@ function blockReferer () {
   }
 }
 
+function blockCookie () {
+  // Block js cookie storage
+  window.Document.prototype.__defineGetter__('cookie', () => { return '' })
+  window.Document.prototype.__defineSetter__('cookie', () => {})
+}
+
 function getBlockRefererScript () {
   return '(' + Function.prototype.toString.call(blockReferer) + '());'
 }
 
+function getBlockCookieScript () {
+  return '(' + Function.prototype.toString.call(blockCookie) + '());'
+}
+
 if (chrome.contentSettings.referer != 'allow' &&
     document.location.origin && document.location.origin !== 'https://youtube.googleapis.com') {
   executeScript(getBlockRefererScript())
 }
+if (chrome.contentSettings.cookies != 'allow' && is3rdPartyDoc()) {
+  executeScript(getBlockCookieScript())
+}