Hello,

Thanks for the detailed report.

On Tue 2022-11-08 17:07:18 -0600, Jacob K wrote:

> Hello,
>
> I noticed a problem with the way LibreJS displays some script links.
> LibreJS does not include the query string (the part after the '?') when
> presenting links, which means the script you click on in LibreJS could
> be different from the script that actually would be executed. For
> example, on this page for sample ballots [1], you will see a script at
> [2] listed in LibreJS, but when you click on that link, you will get a
> 404 error page. If you view the HTML source of the page [3] and ctrl+F
> for "WebResource", you will see that there is a corresponding script tag
> that should include
> "?d=MNJoMkNhH6PXyoAVyephgc5zG0Kl3XENDyBeYod5KBRwslKU_pr2SCPr4zAZ53jiLf6hyOkI2Z1aLd0nedPpQ5sN6ILFmouLh4mOzmCwTIU1&t=637814437746327080"
> after the part of the URL that LibreJS shows.
>
> I looked for previous discussion about this, but I could not find any.
>
> It seems that LibreJS should show the query string also, but I suppose
> there could be a link that updates with every refresh, despite pointing
> to the same script text, so I'm not sure what the best way to handle
> this is.
>
> When the URL without the query string is a 404 or an empty script, this
> problem is mostly a matter of convenience, but I imagine there could be
> a problem where, if LibreJS is ignoring query strings completely (and
> I'm not sure that it is), then a page could serve a free non-malicious
> script when there is no query string, but serve a nonfree or malicious
> script when there is a particular query string. There are surely other
> ways for webpages to trick people into running malware [4], so maybe
> this is not such a big deal.

LibreJS removes the query part of a script URL as a preprocessing step in
most (if not all) functions handling scripts. This means if you whitelist
https://foo.com/bar.js, https://foo.com/bar.js?blah is also let through.
OTOH without such whitelisting, https://foo.com/bar.js?blah is blocked as
usual if it is not labelled. This is because the response processor checks
the external script and rewrites it to /* LibreJS: script blocked ... */.

I suspect the reason for discarding the query part is to avoid having to
whitelist all possible query strings, which can be tedious. Perhaps a
better approach is to refine the whitelisting facility to allow patterns
like globbing and regexes.

>
> Ideally, I think LibreJS should store checksums of scripts, but it seems
> like it only does this for inline scripts currently?

LibreJS does use hashes of scripts, but only in the built-in whitelist
(see /utilities/hash_script/whitelist).

Best,
Yuchen

--
PGP Key: 47F9 D050 1E11 8879 9040 4941 2126 7E93 EF86 DFD0
<https://ypei.org/assets/ypei-pubkey.txt>
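The whitelist behaviour discussed in the reply above, as an added example that is not part of the original message and is not LibreJS's own code: it compares query-stripped matching with exact matching and with the glob-pattern approach the reply suggests. All function names and the sample lists are hypothetical and constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not LibreJS internals.

// Normalise a script URL the way the reply describes: drop the query part.
function stripQuery(url) {
  const u = new URL(url);
  u.search = "";
  u.hash = "";
  return u.href;
}

// Behaviour described in the reply: compare with the query removed, so one
// whitelisted URL covers every query string appended to it.
function allowedQueryStripped(url, whitelist) {
  return whitelist.some((entry) => stripQuery(entry) === stripQuery(url));
}

// Strict alternative: the full URL, query included, must equal an entry.
function allowedExact(url, whitelist) {
  const full = new URL(url);
  full.hash = "";
  return whitelist.some((entry) => new URL(entry).href === full.href);
}

// Turn a glob into an anchored RegExp: '*' matches any run of characters,
// every other character is matched literally.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Pattern alternative suggested in the reply: entries are globs over the
// full URL, so only the query shapes the user chose are let through.
function allowedByGlob(url, patterns) {
  const full = new URL(url);
  full.hash = "";
  return patterns.some((p) => globToRegExp(p).test(full.href));
}

// Constructed sample data.
const whitelist = ["https://foo.com/bar.js"];
const patterns = ["https://foo.com/bar.js", "https://foo.com/bar.js?t=*"];
for (const url of ["https://foo.com/bar.js", "https://foo.com/bar.js?blah",
                   "https://foo.com/bar.js?t=637814437746327080"]) {
  console.log(url, allowedQueryStripped(url, whitelist),
              allowedExact(url, whitelist), allowedByGlob(url, patterns));
}
```

With exact matching, every cache-busting variant needs its own entry, which is the tedium the reply mentions; the glob list keeps the query visible to the decision without that cost.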
