Closed mlgualtieri closed 5 years ago
These lines in content.js: getCrossDomainCSS() cause relative imported cross-domain CSS to load in error.
These lines retrieve the parent CSS and append it to the current page, so the rules can be analyzed. In the case of a relative import, the browser thinks the relative path should be pulled from the current domain and pulls the imported URLs in error.
```js
// Create stylesheet from remote CSS
var sheet = document.createElement('style');
sheet.innerText = xhr.responseText;
document.head.appendChild(sheet);
```
Something like this may fix the issue, although I'm not sure text parsing is the best solution:
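```js
var sheet = document.createElement('style');
// Parse the remote stylesheet URL with an anchor element to get its origin and path
var _a = document.createElement("a");
_a.href = url;
// Directory of the remote stylesheet, ending in a single trailing slash
var _pathname = _a.pathname.substring(0, _a.pathname.lastIndexOf('/')) + "/";
var path = _a.origin + _pathname;
// Prefix each double-quoted @import url("...") with the remote directory
var replaced = xhr.responseText.replace( /@import url\("/g, '@import url("'+ path );
sheet.innerText = replaced;
document.head.appendChild(sheet);
```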
It looks like the only way to handle this is with some text parsing. I've enhanced the code block and believe it works well. I'm testing it a bit more in Chrome right now. Will port over to Firefox when I'm sure it's working OK, and will release asap.
Fixed with version 1.0.14
When loading a cross-domain imported stylesheet referenced by a relative path (vs a full URL) the plugin attempts to grab the incorrect URL for sanitization.
Example: Website: test[.]com Stylesheet imported from css[.]test[.]com
This produces the error: @import url("/css/styles.css");
This works OK: @import url("https://css[.]test[.]com/css/styles.css");
Bug Ref: https://addons.mozilla.org/en-US/firefox/addon/css-exfil-protection/reviews/1367016/
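The rewrite discussed in this issue, as an added example that is not the plugin's own code: each `@import` target is resolved against the URL the CSS was fetched from, so the sheet that gets pulled for sanitization is the one the remote stylesheet actually references. The function name `rebaseCssImports`, the regular expression and the `example.test` URLs are assumptions made for illustration; the example also covers the single-quoted, unquoted and bare-string `@import` forms, which go beyond the one case shown above.

```javascript
// Added example (hypothetical helper, constructed sample data).
// Matches @import url("x"), url('x'), url(x), "x" and 'x'.
const IMPORT_RE = /@import\s*(?:url\(\s*(["']?)([^"')]+)\1\s*\)|(["'])([^"']+)\3)/gi;

function rebaseCssImports(cssText, sheetUrl) {
  return cssText.replace(IMPORT_RE, (match, _q1, urlRef, _q2, strRef) => {
    const ref = (urlRef || strRef).trim();
    let resolved;
    try {
      // Relative, root-relative and protocol-relative references resolve
      // against the remote sheet; absolute URLs pass through unchanged.
      resolved = new URL(ref, sheetUrl);
    } catch (e) {
      return match; // unparsable reference: leave the rule as written
    }
    if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') {
      return match; // do not rewrite non-web schemes
    }
    // Media queries after the reference are outside the match and are kept.
    return '@import url("' + resolved.href + '")';
  });
}

// Constructed sample: CSS as it might be returned for a cross-domain sheet.
const SHEET_URL = 'https://css.example.test/css/main.css';
const SAMPLE_CSS = [
  '@import url("/css/styles.css");',
  "@import url('theme/dark.css');",
  '@import "../fonts.css" screen;',
  '@import url(//cdn.example.test/b.css);',
  '@import url("https://cdn.example.test/a.css");',
  'body { color: black; }',
].join('\n');

console.log(rebaseCssImports(SAMPLE_CSS, SHEET_URL));
```
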