ignore remote CSS rules that could reveal browser history

For a discussion of the problem see:
http://dbaron.org/mozilla/visited-privacy

2 files changed, 26 insertions, 1 deletions

diff --git a/src/css.cc b/src/css.cc
index c6c74f60..8cf1c8eb 100644
--- a/src/css.cc
+++ b/src/css.cc
@@ -27,6 +27,7 @@ CssPropertyList::CssPropertyList (const CssPropertyList &p, bool deep) :
    lout::misc::SimpleVector <CssProperty> (p)
 {
    refCount = 0;
+   safe = p.safe;
    if (deep) {
       for (int i = 0; i < size (); i++) {
          CssProperty *p = getRef(i);
@@ -58,6 +59,9 @@ void CssPropertyList::set (CssPropertyName name, CssValueType type,
                            CssPropertyValue value) {
    CssProperty *prop;
 
+   if (name == CSS_PROPERTY_DISPLAY || name == CSS_PROPERTY_BACKGROUND_IMAGE)
+      safe = false;
+
    for (int i = 0; i < size (); i++) {
       prop = getRef (i);
 
@@ -169,6 +173,13 @@ void CssSelector::addSimpleSelector (Combinator c) {
    cs->selector = new CssSimpleSelector ();
 }
 
+bool CssSelector::checksPseudoClass () {
+   for (int i = 0; i < selectorList->size (); i++)
+      if (selectorList->getRef (i)->selector->getPseudoClass ())
+         return true;
+   return false;
+}
+
 /**
  * \brief Return the specificity of the selector.
  *
@@ -517,6 +528,13 @@ void CssContext::addRule (CssSelector *sel, CssPropertyList *props,
    if (props->size () > 0) {
       CssRule *rule = new CssRule (sel, props, pos++);
 
-      sheet[order].addRule (rule);
+      if ((order == CSS_PRIMARY_AUTHOR ||
+           order == CSS_PRIMARY_AUTHOR_IMPORTANT) &&
+           !rule->isSafe ()) {
+         MSG_WARN ("Ignoring unsafe author style that might reveal browsing history\n");
+         delete rule;
+      } else {
+         sheet[order].addRule (rule);
+      }
    }
 }
diff --git a/src/css.hh b/src/css.hh
index 6f6cc75f..532acc01 100644
--- a/src/css.hh
+++ b/src/css.hh
@@ -297,11 +297,13 @@ class CssProperty {
 class CssPropertyList : public lout::misc::SimpleVector <CssProperty> {
    int refCount;
    bool ownerOfStrings;
+   bool safe;
 
    public:
       inline CssPropertyList(bool ownerOfStrings = false) :
                   lout::misc::SimpleVector <CssProperty> (1) {
          refCount = 0;
+         safe = true;
          this->ownerOfStrings = ownerOfStrings;
       };
       CssPropertyList(const CssPropertyList &p, bool deep = false);
@@ -310,6 +312,7 @@ class CssPropertyList : public lout::misc::SimpleVector <CssProperty> {
       void set (CssPropertyName name, CssValueType type,
                 CssPropertyValue value);
       void apply (CssPropertyList *props);
+      bool isSafe () { return safe; };
       void print ();
       inline void ref () { refCount++; }
       inline void unref () { if (--refCount == 0) delete this; }
@@ -385,6 +388,7 @@ class CssSelector {
          return match (dt, node, selectorList->size () - 1, COMB_NONE);
       };
       int specificity ();
+      bool checksPseudoClass ();
       void print ();
       inline void ref () { refCount++; }
       inline void unref () { if (--refCount == 0) delete this; }
@@ -408,6 +412,9 @@ class CssRule {
 
       void apply (CssPropertyList *props,
                   Doctree *docTree, const DoctreeNode *node);
+      inline bool isSafe () {
+         return !selector->checksPseudoClass () || props->isSafe ();
+      };
       inline int specificity () { return spec; };
       inline int position () { return pos; };
       void print ();