Script's body is missing
dolav opened this issue ยท 7 comments
Hey guys,
First, thank you for this great project.
Second, after unlock() is executed, the scripts are back without the body.
<script ...> body </script>Here you are creating a new element instead just using the old one, and if so, why not copy all the attributes including the body of the scripts.
Third, are you consider adding a mechanism of white-list for domains I want to allow anytime? This way websites will be able to allow their own cookies and block all the others (without list them) until unlock it.
Thanks
Thanks for the kind words! :)
I'll get a definitive answer for you eventually (many people on vacation right now!), but I think there's a misunderstanding here about the script blocking for inline scripts.
If you have a script tag with an external source:
<script src='smt.js'></script> you are advised to use add type='javascript/blocked' to get better support (including blocking loading).
However if you have an inline script that itself creates a new script tag via createElement, you don't need to do anything to have yett block it for you, since yett monkeypatches document.createElement.
It sounds like you added the type='javascript/blocked' onto your inline script tag, causing the bug you described, am I right? Something like:
<script type='javascript/blocked'>
var myScriptBody = true
document.createElement = ....
</script>If that's the case, just remove the type='javascript/blocked' from such inline scripts, and your bug should go away.
If you have a different bug, please let us know!
For your third point - a white-list - I think it could be a good idea. Can you open a separate issue for that please?
Thanks for your answer.
Let me clarify a bit.
For inline scripts - <script> ... some js code ... </script> without a type attribute, yett will remove them from the DOM as part of the initial step.
disableBlocker = false && !type if my blacklistedPatterns is blocking blank src, this will block all my inline scripts and remove them from the DOM.
The problem is after adding those inline scripts back. yett create a new element and copy the src and the type from the original script but not the body (children element) of the script.
Therefore, this is the script I'm getting back - <script src=(unknown) type=application/javascript></script>
- why yett is handling blank source scripts? Why not skip them?
const needsToBeBlacklisted = (src, type) => (
!disableBlocker &&
src &&
(!type || type !== TYPE_ATTRIBUTE) &&
blacklistedPatterns.some(pattern => pattern.test(src))
)- If yett remove the blank src script, why it doesn't copy the body back when creating the new element?
Thank you for your patience ๐จโ๐
- why yett is handling blank source scripts? Why not skip them?
I agree with you, this sounds like a bug. Like I said we have vacation times here right now, but we'll fix this as soon as we have a moment. If you think you see how to fix it yourself, feel free to open a PR with a fix!
Hi @dolav,
First, thank you for this great project
Thanks a lot! ๐
why yett is handling blank source scripts? Why not skip them?
Actually, if you have a blank blacklist then I think that the issue lies there. The blacklist is a regexp, so if you want to block every source then you could try setting the yett blacklist to something like '.+'. You should not set the blacklist to ''.
Here you are creating a new element instead just using the old one, and if so, why not copy all the attributes including the body of the scripts
Yett can not reuse already added scripts tags back because it causes issues with some browsers that won't download and execute the script tag if it's not a fresh copy. Also it makes no sense to block inline scripts whatsoever, so yett does not add back the script tag body.
As @pocketjoso said I am on vacation right now so I cannot reply more clearly about it (I only have my phone), but as soon as I come back I will consider adding the whitelist feature that should make handling blocking everything on the page except your own scripts easier ๐!
Hi @elbywan,
Thanks for your answer.
Basically I'm trying to use the blacklist regexp as "whitelist", means, I'm trying to block everything that is not x, y, z.
This is why I faced the issue with the inline scripts. It's make more sense if yett could just skip them.
Thanks again and enjoy your vacation!!! ๐น
Fixed with the v0.1.4 release.