remove CallJavascriptFunctionUnsafe from brave://adblock webui #8716

Merged
merged 1 commit into from
May 10, 2021

antonok-edm
Collaborator

Resolves brave/brave-browser#15638

Submitter Checklist:

  • I confirm that no security/privacy review is needed, or that I have requested one
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally: npm run test -- brave_browser_tests, npm run test -- brave_unit_tests, npm run lint, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

@antonok-edm antonok-edm self-assigned this May 5, 2021
Contributor

@kkuehlz kkuehlz left a comment

LGTM. I have found several examples in Chromium where they follow this exact pattern.

Obviously not expected in this PR, but it looks like this method is a wrapper around a dispatcher.

function onGetCustomFilters (customFilters: string) {
  const actions = bindActionCreators(adblockActions, store.dispatch.bind(store))
  actions.onGetCustomFilters(customFilters)
}

A future improvement would be registering the webUIListenerMap with the JS callback, and notifying it using WebUIMessageHandler::FireWebUIListener (this is what the safebrowsing example I linked does. More info here). It could also be promisified, and then C++ can resolve it with ResolveJavascriptCallback(..).
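
The listener and promise patterns suggested in the comment above, as an added example that is not part of this PR or of the review comment, and is not Chromium's or Brave's code: a simplified JavaScript model of a page-side listener map and callback-id table. The method names mirror Chromium's WebUI helper names; the event name `custom-filters-updated`, the message name `getCustomFilters`, the `send` parameter and the sample filter strings are assumptions made for illustration.

```javascript
// Simplified model of a WebUI listener/promise bridge; not Chromium's or Brave's code.
// 'custom-filters-updated' and the filter strings below are constructed sample values.
function createWebUIBridge () {
  const webUIListenerMap = new Map() // event name -> Set of callbacks
  const pending = new Map() // callback id -> { resolve, reject }
  let nextId = 0
  return {
    // Page side: opt in to one named event; returns an unsubscribe function.
    addWebUIListener (event, callback) {
      if (!webUIListenerMap.has(event)) webUIListenerMap.set(event, new Set())
      webUIListenerMap.get(event).add(callback)
      return () => webUIListenerMap.get(event).delete(callback)
    },
    // Single entry point for browser-fired events; unregistered events are dropped.
    webUIListenerCallback (event, ...args) {
      const listeners = webUIListenerMap.get(event)
      if (!listeners) return 0
      listeners.forEach((cb) => cb(...args))
      return listeners.size
    },
    // Page side: request/response. `send` stands in for chrome.send.
    sendWithPromise (send, message, ...args) {
      const id = `${message}_${nextId++}`
      const promise = new Promise((resolve, reject) => pending.set(id, { resolve, reject }))
      send(message, [id, ...args])
      return promise
    },
    // Single entry point for browser replies. Ids are single use; an unknown
    // or already-settled id is ignored and reported as false.
    webUIResponse (id, isSuccess, response) {
      const entry = pending.get(id)
      if (!entry) return false
      pending.delete(id)
      isSuccess ? entry.resolve(response) : entry.reject(response)
      return true
    }
  }
}
// Constructed walk-through: returns what happened at each step.
function demo () {
  const bridge = createWebUIBridge()
  const seen = []
  const early = bridge.webUIListenerCallback('custom-filters-updated', '||a.test^')
  const remove = bridge.addWebUIListener('custom-filters-updated', (f) => seen.push(f))
  const live = bridge.webUIListenerCallback('custom-filters-updated', '||b.test^')
  remove()
  const late = bridge.webUIListenerCallback('custom-filters-updated', '||c.test^')
  return { early, live, late, seen }
}
```

In this model the browser side only ever targets two fixed entry points, and the page decides which events and callback ids are live, so an event fired before registration or after teardown is a no-op rather than a call into a global function by name.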

@antonok-edm antonok-edm merged commit b81f3d4 into master May 10, 2021
@antonok-edm antonok-edm deleted the remove-brave-adblock-call-js-unsafe branch May 10, 2021 23:37
@antonok-edm antonok-edm added this to the 1.26.x - Nightly milestone May 10, 2021
Successfully merging this pull request may close these issues.

Fix unsafe Javascript calls in brave://adblock webui