Merge pull request #679 from mozilla/663-load-external-scripts-from-f…

…acebook Allow external scripts to be loaded if frame ancestor is valid Facebook domain
mozilla · Sep 24, 2020 · 71c7865 · 71c7865
2 parents ec27a42 + b226ec0
commit 71c7865
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "contain-facebook",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "Facebook Container isolates your Facebook activity from the rest of your web activity in order to prevent Facebook from tracking you outside of the Facebook website via third party cookies. ",
   "main": "background.js",
   "scripts": {

diff --git a/src/background.js b/src/background.js
@@ -289,6 +289,23 @@ function getRootDomain(url) {
 
 }
 
+function topFrameUrlIsFacebookApps(frameAncestorsArray) {
+  if (!frameAncestorsArray || frameAncestorsArray.length === 0) {
+    // No frame ancestor return false
+    return false;
+  }
+
+  const appsFacebookURL = "https://apps.facebook.com";
+  const frameAncestorsURL = frameAncestorsArray[0].url;
+
+  if (!frameAncestorsURL.startsWith(appsFacebookURL)) {
+    // Only allow frame ancestors that originate from apps.facebook.com
+    return false;
+  }
+
+  return frameAncestorsURL;
+}
+
 function isFacebookURL (url) {
   const parsedUrl = new URL(url);
   for (let facebookHostRE of facebookHostREs) {
@@ -506,19 +523,29 @@ async function blockFacebookSubResources (requestDetails) {
   }
 
   const urlIsFacebook = isFacebookURL(requestDetails.url);
-  const originUrlIsFacebook = isFacebookURL(requestDetails.originUrl);
-
+  // If this request isn't going to Facebook, let's return {} ASAP
   if (!urlIsFacebook) {
     return {};
   }
 
+  const originUrlIsFacebook = isFacebookURL(requestDetails.originUrl);
+
   if (originUrlIsFacebook) {
     const message = {msg: "facebook-domain"};
     // Send the message to the content_script
     browser.tabs.sendMessage(requestDetails.tabId, message);
     return {};
   }
 
+  const frameAncestorUrlIsFacebookApps = topFrameUrlIsFacebookApps(requestDetails.frameAncestors);
+
+  if (frameAncestorUrlIsFacebookApps) {
+    const message = {msg: "facebook-domain"};
+    // Send the message to the content_script
+    browser.tabs.sendMessage(requestDetails.tabId, message);
+    return {};
+  }
+
   const hasBeenAddedToFacebookContainer = await isAddedToFacebookContainer(requestDetails.originUrl);
 
   if ( urlIsFacebook && !originUrlIsFacebook ) {

diff --git a/src/manifest.json b/src/manifest.json
@@ -1,7 +1,7 @@
 {
     "manifest_version": 2,
     "name": "Facebook Container",
-    "version": "2.1.1",
+    "version": "2.2.0",
 
     "incognito": "not_allowed",