1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
(function() {
var secureJS = {
destroyPage: function() {
this.checkAndDestroy = function() {};
if (window.stop)
window.stop();
//TODO: Figure out how to halt all existing concurrent and async scripts, and clear all timers.
alert("This is a nasty alert box. Aren't JavaScript alerts so 1995? Yes, and so is plaintext HTTP.\n\nYou screwed up; your page isn't secure. Get it together. Fix things.");
window.location = "https://en.wikipedia.org/wiki/HTTP_Secure";
throw "Insecure site.";
},
checkPageProtocol: function() {
return window.location.protocol == "https:";
},
checkCollectionProtocol: function(collection, attribute) {
for (var i = 0; i < collection.length; ++i) {
var location = collection[i].getAttribute(attribute);
if (location == null)
continue;
// I actually have never read the URI RFC, so I'm sure there are special
// cases that really should be taken into account that I neglect here.
//TODO: Don't be a fool; do this properly.
var firstSlash = location.indexOf("/");
var firstDot = location.indexOf("/");
var protocolDelim = location.indexOf("://");
if (protocolDelim != -1 &&
(firstSlash == -1 || protocolDelim < firstSlash) &&
(firstDot == -1 || protocolDelim < firstDot) &&
location.indexOf("https") != 0)
return false;
}
return true;
},
isPageSecure: function() {
return this.checkPageProtocol() &&
this.checkCollectionProtocol(document.getElementsByTagName("script"), "src") &&
this.checkCollectionProtocol(document.getElementsByTagName("link"), "rel");
//TODO: What else is missing here? Embeds, objects, applets, probably a bunch of other info leaks.
// It might be nice to check that document.cookie is empty too, to check enforcement of httpOnly flag.
},
checkAndDestroy: function() {
if (!this.isPageSecure())
this.destroyPage();
}
};
document.addEventListener("DOMContentLoaded", function() { secureJS.checkAndDestroy(); }, true);
document.addEventListener("DOMNodeInserted", function() { secureJS.checkAndDestroy(); }, true);
document.addEventListener("DOMNodeInsertedIntoDocument", function() { secureJS.checkAndDestroy(); }, true);
document.addEventListener("DOMAttrModified", function() { secureJS.checkAndDestroy(); }, true);
document.addEventListener("DOMElementNameChanged", function() { secureJS.checkAndDestroy(); }, true);
document.addEventListener("DOMContentLoaded", function() { secureJS.checkAndDestroy(); }, true);
var timer = function() {
secureJS.checkAndDestroy();
//TODO: 500ms? Good? Bad? Polling this much or even at all isn't strictly neccessary,
// because of DOMNodeInserted, but just to be safe... What do you think?
window.setTimeout(timer, 500);
};
timer();
})();
|
