[PM-4791] Injected content scripts prevent proper XML file display and disrupt XML responses (#8214)

* [PM-4791] Injected content scripts prevent proper XML file display and disrupt XML responses * [PM-4791] Adjsuting reference for Fido2 script injection to ensure it only triggers on https protocol types
2024-09-30 04:28:19 +02:00 · 2024-03-22 13:45:33 -05:00 · 2024-03-22 13:45:33 -05:00 · 905d177873
commit 905d177873
parent 7df9c597af
3 changed files with 28 additions and 32 deletions
--- a/apps/browser/src/manifest.json
+++ b/apps/browser/src/manifest.json
@ -18,23 +18,24 @@
    {
      "all_frames": false,
      "js": ["content/content-message-handler.js"],
-      "matches": ["http://*/*", "https://*/*", "file:///*"],
+      "matches": ["*://*/*", "file:///*"],
+      "exclude_matches": ["*://*/*.xml*", "file:///*.xml*"],
      "run_at": "document_start"
    },
    {
      "all_frames": true,
-      "js": [
-        "content/trigger-autofill-script-injection.js",
-        "content/fido2/trigger-fido2-content-script-injection.js"
-      ],
-      "matches": ["http://*/*", "https://*/*", "file:///*"],
+      "js": ["content/fido2/trigger-fido2-content-script-injection.js"],
+      "matches": ["https://*/*"],
+      "exclude_matches": ["https://*/*.xml*"],
      "run_at": "document_start"
    },
    {
      "all_frames": true,
      "css": ["content/autofill.css"],
-      "matches": ["http://*/*", "https://*/*", "file:///*"],
-      "run_at": "document_end"
+      "js": ["content/trigger-autofill-script-injection.js"],
+      "matches": ["*://*/*", "file:///*"],
+      "exclude_matches": ["*://*/*.xml*", "file:///*.xml*"],
+      "run_at": "document_start"
    },
    {
      "all_frames": false,
@ -57,6 +58,7 @@
  },
  "permissions": [
    "<all_urls>",
+    "*://*/*",
    "tabs",
    "contextMenus",
    "storage",
@ -64,8 +66,6 @@
    "clipboardRead",
    "clipboardWrite",
    "idle",
-    "http://*/*",
-    "https://*/*",
    "webRequest",
    "webRequestBlocking"
  ],
--- a/apps/browser/src/manifest.v3.json
+++ b/apps/browser/src/manifest.v3.json
@ -19,16 +19,23 @@
    {
      "all_frames": false,
      "js": ["content/content-message-handler.js"],
-      "matches": ["http://*/*", "https://*/*", "file:///*"],
+      "matches": ["*://*/*", "file:///*"],
+      "exclude_matches": ["*://*/*.xml*", "file:///*.xml*"],
      "run_at": "document_start"
    },
    {
      "all_frames": true,
-      "js": [
-        "content/trigger-autofill-script-injection.js",
-        "content/fido2/trigger-fido2-content-script-injection.js"
-      ],
-      "matches": ["http://*/*", "https://*/*", "file:///*"],
+      "js": ["content/fido2/trigger-fido2-content-script-injection.js"],
+      "matches": ["https://*/*"],
+      "exclude_matches": ["https://*/*.xml*"],
+      "run_at": "document_start"
+    },
+    {
+      "all_frames": true,
+      "css": ["content/autofill.css"],
+      "js": ["content/trigger-autofill-script-injection.js", "content/misc-utils.js"],
+      "matches": ["*://*/*", "file:///*"],
+      "exclude_matches": ["*://*/*.xml*", "file:///*.xml*"],
      "run_at": "document_start"
    },
    {
@ -36,18 +43,6 @@
      "js": ["content/lp-fileless-importer.js"],
      "matches": ["https://lastpass.com/export.php"],
      "run_at": "document_start"
-    },
-    {
-      "all_frames": true,
-      "css": ["content/autofill.css"],
-      "matches": ["http://*/*", "https://*/*", "file:///*"],
-      "run_at": "document_end"
-    },
-    {
-      "all_frames": true,
-      "js": ["content/misc-utils.js"],
-      "matches": ["http://*/*", "https://*/*", "file:///*"],
-      "run_at": "document_end"
    }
  ],
  "background": {
@ -76,7 +71,7 @@
    "offscreen"
  ],
  "optional_permissions": ["nativeMessaging", "privacy"],
-  "host_permissions": ["http://*/*", "https://*/*"],
+  "host_permissions": ["*://*/*"],
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'",
    "sandbox": "sandbox allow-scripts; script-src 'self'"
--- a/apps/browser/src/vault/fido2/content/content-script.ts
+++ b/apps/browser/src/vault/fido2/content/content-script.ts
@ -138,6 +138,7 @@ async function run() {
  });
 }

-// FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
-// eslint-disable-next-line @typescript-eslint/no-floating-promises
-run();
+// Only run the script if the document is an HTML document
+if (document.contentType === "text/html") {
+  void run();
+}