brave · bsclifton · Aug 27, 2019 · Aug 20, 2019
diff --git a/browser/extensions/api/brave_shields_api_browsertest.cc b/browser/extensions/api/brave_shields_api_browsertest.cc
@@ -101,6 +101,28 @@ class BraveShieldsAPIBrowserTest : public InProcessBrowserTest {
         true);
   }
 
+  void AllowScriptOriginAndDataURLOnce(const std::string& origin,
+      const std::string& dataURL) {
+    scoped_refptr<BraveShieldsAllowScriptsOnceFunction> function(
+        new BraveShieldsAllowScriptsOnceFunction());
+    function->set_extension(extension().get());
+    function->set_has_callback(true);
+
+    const GURL url(embedded_test_server()->GetURL(origin, "/simple.js"));
+    const std::string allow_origin = url.GetOrigin().spec();
+
+    int tabId = extensions::ExtensionTabUtil::GetTabId(active_contents());
+    RunFunctionAndReturnSingleResult(
+        function.get(),
+        "[[\"" + allow_origin + "\",\"" + dataURL + "\"], " +
+        std::to_string(tabId) + "]",
+        browser());
+
+    // reload page with dataURL temporarily allowed
+    active_contents()->GetController().Reload(content::ReloadType::NORMAL,
+                                              true);
+  }
+
  private:
   HostContentSettingsMap* content_settings_;
   scoped_refptr<const extensions::Extension> extension_;
@@ -145,6 +167,28 @@ IN_PROC_BROWSER_TEST_F(BraveShieldsAPIBrowserTest, AllowScriptsOnce) {
     "All script loadings should be blocked after navigating away.";
 }
 
+IN_PROC_BROWSER_TEST_F(BraveShieldsAPIBrowserTest, AllowScriptsOnceDataURL) {
+  EXPECT_TRUE(
+      NavigateToURLUntilLoadStop("a.com", "/load_js_from_origins.html"));
+  EXPECT_EQ(active_contents()->GetAllFrames().size(), 4u)
+      << "All script loadings should not be blocked by default.";
+
+  BlockScripts();
+  EXPECT_TRUE(
+      NavigateToURLUntilLoadStop("a.com", "/load_js_from_origins.html"));
+  EXPECT_EQ(active_contents()->GetAllFrames().size(), 1u)
+      << "All script loadings should be blocked.";
+
+  AllowScriptOriginAndDataURLOnce("a.com",
+      "data:application/javascript;base64,"
+      "dmFyIGZyYW1lID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnaWZyYW1lJyk7CmRvY3VtZW"
+      "50LmJvZHkuYXBwZW5kQ2hpbGQoZnJhbWUpOw==");
+
+  EXPECT_TRUE(WaitForLoadStop(active_contents()));
+  EXPECT_EQ(active_contents()->GetAllFrames().size(), 3u)
+      << "Scripts from a.com and data URL should be temporarily allowed.";
+}
+
 IN_PROC_BROWSER_TEST_F(BraveShieldsAPIBrowserTest, AllowScriptsOnceIframe) {
   BlockScripts();
 

diff --git a/components/brave_extension/extension/brave_extension/helpers/noScriptUtils.ts b/components/brave_extension/extension/brave_extension/helpers/noScriptUtils.ts
@@ -9,7 +9,7 @@ import { NoScriptInfo, NoScriptEntry } from '../types/other/noScriptInfo'
 import { getLocale } from '../background/api/localeAPI'
 
 // Helpers
-import { getOrigin } from './urlUtils'
+import { getOrigin, isHttpOrHttps } from './urlUtils'
 
 /**
  * Filter resources by origin to be used for generating NoScriptInfo.
@@ -121,5 +121,5 @@ export const getBlockScriptText = (haveUserInteracted: boolean, isBlocked: boole
 export const getAllowedScriptsOrigins = (modifiedNoScriptInfo: NoScriptInfo): Array<string> => {
   const getAllowedOrigins = Object.entries(modifiedNoScriptInfo)
     .filter(url => url[1].actuallyBlocked === false)
-  return getAllowedOrigins.map(url => getOrigin(url[0]) + '/')
+  return getAllowedOrigins.map(url => isHttpOrHttps(url[0]) ? getOrigin(url[0]) + '/' : url[0])
 }
diff --git a/components/brave_extension/extension/brave_extension/helpers/urlUtils.ts b/components/brave_extension/extension/brave_extension/helpers/urlUtils.ts
@@ -19,13 +19,27 @@ export const hasPortNumber = (url: string) => {
  * Get the URL origin via Web API
  * @param {string} url - The URL to get the origin from
  */
-export const getOrigin = (url: string) => new window.URL(url).origin
+export const getOrigin = (url: string) => {
+  // for URLs such as blob:// and data:// that doesn't have a
+  // valid origin, return the full url.
+  if (!isHttpOrHttps(url)) {
+    return url
+  }
+  return new window.URL(url).origin
+}
 
 /**
  * Get the URL hostname via Web API
  * @param {string} url - The URL to get the origin from
  */
-export const getHostname = (url: string) => new window.URL(url).hostname
+export const getHostname = (url: string) => {
+  // for URLs such as blob:// and data:// that doesn't have a
+  // valid origin, return the full url.
+  if (!isHttpOrHttps(url)) {
+    return url
+  }
+  return new window.URL(url).hostname
+}
 
 /**
  * Strip http/https protocol

diff --git a/components/test/brave_extension/helpers/urlUtils_test.ts b/components/test/brave_extension/helpers/urlUtils_test.ts
@@ -61,12 +61,20 @@ describe('urlUtils test', () => {
       const url = 'https://pokemons-invading-tests-breaking-stuff.com/you-knew-that.js'
       expect(getOrigin(url)).toBe('https://pokemons-invading-tests-breaking-stuff.com')
     })
+    it('returns the full URL if origin is not valid', () => {
+      const url = 'data:application/javascript;base64,c3z4r4vgvst0n00b'
+      expect(getOrigin(url)).toBe('data:application/javascript;base64,c3z4r4vgvst0n00b')
+    })
   })
   describe('getHostname', () => {
     it('properly gets the hostname from an URL', () => {
       const url = 'https://pokemons-invading-tests-breaking-stuff.com/you-knew-that.js'
       expect(getHostname(url)).toBe('pokemons-invading-tests-breaking-stuff.com')
     })
+    it('returns the full URL if origin is not valid', () => {
+      const url = 'data:application/javascript;base64,c3z4r4vgvst0n00b'
+      expect(getHostname(url)).toBe('data:application/javascript;base64,c3z4r4vgvst0n00b')
+    })
   })
   describe('stripProtocolFromUrl', () => {
     it('properly strips out an HTTP protocol', () => {

diff --git a/renderer/brave_content_settings_observer.cc b/renderer/brave_content_settings_observer.cc
@@ -65,9 +65,12 @@ void BraveContentSettingsObserver::DidCommitProvisionalLoad(
 
 bool BraveContentSettingsObserver::IsScriptTemporilyAllowed(
     const GURL& script_url) {
-  // check if scripts from this origin are temporily allowed or not
-  return base::ContainsKey(temporarily_allowed_scripts_,
-      script_url.GetOrigin().spec());
+  // Check if scripts from this origin are temporily allowed or not.
+  // Also matches the full script URL to support data URL cases which we use
+  // the full URL to allow it.
+  return base::ContainsKey(
+      temporarily_allowed_scripts_, script_url.GetOrigin().spec()) ||
+    base::ContainsKey(temporarily_allowed_scripts_, script_url.spec());
 }
 
 void BraveContentSettingsObserver::BraveSpecificDidBlockJavaScript(

diff --git a/renderer/brave_content_settings_observer_browsertest.cc b/renderer/brave_content_settings_observer_browsertest.cc
@@ -737,7 +737,7 @@ IN_PROC_BROWSER_TEST_F(BraveContentSettingsObserverBrowserTest, AllowScripts) {
 
   EXPECT_TRUE(
       NavigateToURLUntilLoadStop("a.com", "/load_js_from_origins.html"));
-  EXPECT_EQ(contents()->GetAllFrames().size(), 3u);
+  EXPECT_EQ(contents()->GetAllFrames().size(), 4u);
 }
 
 IN_PROC_BROWSER_TEST_F(BraveContentSettingsObserverBrowserTest,
@@ -747,7 +747,7 @@ IN_PROC_BROWSER_TEST_F(BraveContentSettingsObserverBrowserTest,
 
   EXPECT_TRUE(
       NavigateToURLUntilLoadStop("a.com", "/load_js_from_origins.html"));
-  EXPECT_EQ(contents()->GetAllFrames().size(), 3u);
+  EXPECT_EQ(contents()->GetAllFrames().size(), 4u);
 }
 
 IN_PROC_BROWSER_TEST_F(BraveContentSettingsObserverBrowserTest,

diff --git a/test/data/load_js_from_origins.html b/test/data/load_js_from_origins.html
@@ -6,6 +6,7 @@
   See comments here <https://cs.chromium.org/chromium/src/content/public/test/browser_test_utils.h?l=434>
   for more details on how CrossSiteRedirector works.
 -->
+<script src="data:application/javascript;base64,dmFyIGZyYW1lID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnaWZyYW1lJyk7CmRvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoZnJhbWUpOw=="></script>
 <script src="/cross-site/a.com/create_iframe.js"></script>
 <script src="/cross-site/b.com/create_iframe.js"></script>
 </body></html>