Root Cause

HTML Imports polyfill uses setAttribute('src', 'data:text/javascript;...') html-imports
Hooked native API (hook.hookElement) checks setAttribute('src', value) against .mjs and .js extensions
Thus, Firefox's data:text/javascript URIs originated from inline scripts are dropped

Notes

Even if data:text/javascript is property set to the src attribute, scripts are hooked multiple times due to assignments to innerHTML property.

t2ym commented 6 years ago

[NEVER APPLY IT except for ACL verification] Patch to open SECURITY HOLES to temporarily force the web components polyfills to work on Firefox merely for ad-hoc ACL verification

diff --git a/lib/native-wrapper.js b/lib/native-wrapper.js
index 89f1fc3..b4e0aef 100644
--- a/lib/native-wrapper.js
+++ b/lib/native-wrapper.js
@@ -320,7 +320,12 @@ module.exports = function (hook, preprocess) {
               if (_value) {
                 let srcUrl = new URL(_value, 'https://localhost/');
                 if (!srcUrl.pathname.match(/[.]m?js$/)) {
-                  value = ''; // invalid script source path
+                  if (srcUrl.protocol === 'data:' && _value.startsWith('data:text/javascript')) {
+                    console.log('setAttribute("src", "data:text/javascript")');
+                  }
+                  else {
+                    value = ''; // invalid script source path
+                  }
                 }
               }
             }
@@ -353,7 +358,7 @@ module.exports = function (hook, preprocess) {
         enumerable: _nativeMethods.Element.proto.innerHTML.enumerable,
         get: _nativeMethods.Element.proto.innerHTML.get,
         set: function (value) {
-          let processed = preprocess._preprocessHtml(
+          let processed = value.indexOf('__hook__') >= 0 ? value : preprocess._preprocessHtml(
             value,
             hookName,
             new URL(document.location),

Security Holes with this patch

Any HTML containing __hook__ can bypass hooking
Any data:text/javascript URLs for <script src> attribute can bypass hooking

t2ym commented 6 years ago

Issue

hook.parameters.emptySvg XML template with a concrete $location$ value invokes "XML Parse Error" on Firefox

hook.parameters.emptySvg = `<?xml version="1.0"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="1px" height="1px"><script><![CDATA[ location = "$location$"; ]]></script></svg>`;

XML パースエラー: 
URL: data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIj8+PCFET0NUWVBFIHN2ZyBQVUJMSUMgIi0vL1czQy8vRFREIFNWRyAxLjEvL0VOIiAiaHR0cDovL3d3dy53My5vcmcvR3JhcGhpY3MvU1ZHLzEuMS9EVEQvc3ZnMTEuZHRkIj48c3ZnIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHZlcnNpb249IjEuMSIgd2lkdGg9IjFweCIgaGVpZ2h0PSIxcHgiPjxzY3JpcHQ+PCFbQ0RBVEFbIGxvY2F0aW9uID0gImh0dHBzOi8vd3d3LmxvY2FsMTYyLm9yZy9jb21wb25lbnRzL3RoaW4taG9vay9kZW1vL2lubGluZS1zY3JpcHQuc3ZnIjsgXV0+PC9zY3JpcHQ+PC9zdmc+
行番号: 1, 列番号: 355:

t2ym / thin-hook

[webcomponentsjs html-imports][Firefox] Inline scripts are lost in HTML imports #182

Root Cause

Notes

[NEVER APPLY IT except for ACL verification] Patch to open SECURITY HOLES to temporarily force the web components polyfills to work on Firefox merely for ad-hoc ACL verification

Security Holes with this patch

Issue