GDPR13A (OpenUserJS#1509)

Martii · web-flow · commit 56125e71e9f0 · 2018-07-24T06:39:14.000-06:00
* Fix bug on Issue page when isSameOrigin ... no need to display * Fix bug *(A)* on relative library ... post OpenUserJS#502 * Fill in some other areas with this migration * Reuse some of the code where applicable * Set some more DOM client-side to experimental `referrerpolicy' * Some STYLEGUIDE.md reconformance ... break after operators NOTES: * Test patterns for relative libs *(needs GM4 testing but pre passes)* ``` js // These typically should show // @require http://localhost:8080/src/libs/Marti/GM_setStyle.js // @require //localhost:8080/src/libs/Marti/GM_setStyle.js // @require /src/libs/Marti/GM_setStyle.js // These typically should not show // @require localhost:8080/src/libs/Marti/GM_setStyle.js // @require Marti/GM_setStyle.js // @require GM_setStyle.js ``` * One more legacy URL API to migrate to WHATWG API ... need some of this PR in the wild for live tests * Still needs possible local pro changes ... that is probably system wide and "big"... so will isolate Post OpenUserJS#1508
diff --git a/app.js b/app.js
@@ -168,6 +168,7 @@ var sessionStore = new MongoStore({
 
 // See https://hacks.mozilla.org/2013/01/building-a-node-js-server-that-wont-melt-a-node-js-holiday-season-part-5/
 var ensureIntegerOrNull = require('./libs/helpers').ensureIntegerOrNull;
+var isSameOrigin = require('./libs/helpers').isSameOrigin;
 
 var maxLag = ensureIntegerOrNull(process.env.BUSY_MAXLAG) || 70;
 var pollInterval = ensureIntegerOrNull(process.env.BUSY_INTERVAL) || 500;
@@ -202,8 +203,7 @@ app.use(function (aReq, aRes, aNext) {
   aRes.oujsOptions.DNT = aReq.get('DNT') === '1' || aReq.get('DNT') === 'yes' ? true : false;
 
   // Middleware for GDPR Notice
-  aRes.oujsOptions.hideReminderGDPR =
-    /^https?:\/\/(?:localhost:8080|openuserjs\.org)/.test(referer);
+  aRes.oujsOptions.hideReminderGDPR = isSameOrigin(referer);
 
   //
   if (
diff --git a/controllers/script.js b/controllers/script.js
@@ -27,6 +27,8 @@ var getFlaggedListForContent = require('./flag').getFlaggedListForContent;
 //--- Library inclusions
 // var scriptLib = require('../libs/script');
 
+var isSameOrigin = require('../libs/helpers').isSameOrigin;
+
 var flagLib = require('../libs/flag');
 var removeLib = require('../libs/remove');
 
@@ -124,8 +126,7 @@ var getScriptPageTasks = function (aOptions) {
         aOptions.script.homepages.unshift({
           url: aElement.value,
           text: decode(aElement.value),
-          hasNoFollow: !/^(?:https?:\/\/)?openuserjs\.org\//i.
-            test(aElement.value)
+          isSameOrigin: isSameOrigin(aElement.value)
         });
 
       }
diff --git a/controllers/scriptStorage.js b/controllers/scriptStorage.js
@@ -12,7 +12,6 @@ var statusError = require('../libs/debug').statusError;
 var fs = require('fs');
 var util = require('util');
 var _ = require('underscore');
-var URL = require('url');
 var crypto = require('crypto');
 var request = require('request');
 var stream = require('stream');
@@ -44,6 +43,9 @@ var Discussion = require('../models/discussion').Discussion;
 //--- Library inclusions
 // var scriptStorageLib = require('../libs/scriptStorage');
 
+var patternHasSameOrigin = require('../libs/helpers').patternHasSameOrigin;
+var patternMaybeSameOrigin = require('../libs/helpers').patternMaybeSameOrigin;
+
 var ensureIntegerOrNull = require('../libs/helpers').ensureIntegerOrNull;
 var RepoManager = require('../libs/repoManager');
 
@@ -600,13 +602,15 @@ exports.sendScript = function (aReq, aRes, aNext) {
     let updateUtf = null;
 
     let matches = null;
-    let rAnyLocalMetaUrl = new RegExp('^https?://(?:openuserjs\.org|oujs\.org' +
-      (isDev ? '|localhost:' + (process.env.PORT || 8080) : '') +
-        ')/(?:meta|install|src/scripts)/(.+?)/(.+?)\.meta\.js$');
+    let rAnyLocalMetaUrl = new RegExp(
+      '^' + patternHasSameOrigin +
+        '/(?:meta|install|src/scripts)/(.+?)/(.+?)\.meta\.js$'
+    );
     let hasAlternateLocalUpdateURL = false;
 
-    let rAnyLocalHost =  new RegExp('^(?:openuserjs\.org|oujs\.org' +
-      (isDev ? '|localhost:' + (process.env.PORT || 8080) : '') + ')');
+    let rSameOrigin =  new RegExp(
+      '^' + patternHasSameOrigin
+    );
 
     var lastModified = null;
     var eTag = null;
@@ -648,8 +652,8 @@ exports.sendScript = function (aReq, aRes, aNext) {
           }
         } else {
           // Allow offsite checks
-          updateURL = URL.parse(updateURL);
-          if (rAnyLocalHost.test(updateURL.host)) {
+          updateURL = new URL(updateURL);
+          if (rSameOrigin.test(updateURL.origin)) {
             hasAlternateLocalUpdateURL = true;
           }
         }
@@ -1640,8 +1644,9 @@ exports.storeScript = function (aUser, aMeta, aBuf, aUpdate, aCallback) {
     function (aInnerCallback) {
       // `@downloadURL` validations
       var downloadURL = null;
-      var rAnyLocalHost =  new RegExp('^(?:openuserjs\.org|oujs\.org' +
-        (isDev ? '|localhost:' + (process.env.PORT || 8080) : '') + ')');
+      var rSameOrigin =  new RegExp(
+        '^' + patternHasSameOrigin
+      );
 
       downloadURL = findMeta(aMeta, 'UserScript.downloadURL.0.value');
       if (downloadURL) {
@@ -1655,10 +1660,10 @@ exports.storeScript = function (aUser, aMeta, aBuf, aUpdate, aCallback) {
           return;
         }
 
-        downloadURL = URL.parse(downloadURL);
+        downloadURL = new URL(downloadURL);
 
         // Shouldn't install a userscript with a downloadURL of non-Userscript-source
-        if (rAnyLocalHost.test(downloadURL.host) &&
+        if (rSameOrigin.test(downloadURL.origin) &&
           !/^\/(?:install|src\/scripts)\//.test(downloadURL.pathname))
         {
           aInnerCallback(new statusError({
@@ -1669,7 +1674,7 @@ exports.storeScript = function (aUser, aMeta, aBuf, aUpdate, aCallback) {
         }
 
         // Shouldn't install a userscript with a downloadURL of source .meta.js
-        if (rAnyLocalHost.test(downloadURL.host) &&
+        if (rSameOrigin.test(downloadURL.origin) &&
           /^\/(?:install|src\/scripts)\//.test(downloadURL.pathname) &&
             /\.meta\.js$/.test(downloadURL.pathname))
         {
@@ -1719,9 +1724,8 @@ exports.storeScript = function (aUser, aMeta, aBuf, aUpdate, aCallback) {
     var requires = null;
     var match = null;
     var rLibrary = new RegExp(
-      '^(?:(?:(?:https?:)?\/\/' +
-        (isPro ? 'openuserjs\.org' : 'localhost:' + (process.env.PORT || 8080)) +
-          ')?\/(?:libs\/src|src\/libs)\/)?(.*?)([^\/]*\.js)$', '');
+      '^' + patternMaybeSameOrigin +
+        '/src/libs/(.*?)([^/]*\.js)$');
     var libraries = [];
 
 
diff --git a/controllers/user.js b/controllers/user.js
@@ -2082,8 +2082,8 @@ exports.editScript = function (aReq, aRes, aNext) {
         } else {
           if (authedUser) {
             sinceDate = new Date(script._sinceISOFormat);
-            script.copyrightPrimary = sinceDate.getFullYear() + ', ' + authedUser.name
-              + ' (https://openuserjs.org' + authedUser.userPageUrl + ')';
+            script.copyrightPrimary = sinceDate.getFullYear() + ', ' + authedUser.name +
+              ' (' + helpers.baseOrigin + authedUser.userPageUrl + ')';
           }
         }
 
@@ -2095,11 +2095,11 @@ exports.editScript = function (aReq, aRes, aNext) {
           script.scriptInstallPageUrl;
         script.scriptPermalinkInstallPageXUrl = 'https://' + aReq.get('host') +
           script.scriptInstallPageXUrl;
-        script.scriptRawPageUrl = '/src/' + (isLib ? 'libs' : 'scripts') + '/'
-          + scriptStorage.getInstallNameBase(aReq, { encoding: 'uri' }) +
+        script.scriptRawPageUrl = '/src/' + (isLib ? 'libs' : 'scripts') + '/' +
+          scriptStorage.getInstallNameBase(aReq, { encoding: 'uri' }) +
             (isLib ? '.js#' : '.user.js#');
-        script.scriptRawPageXUrl = '/src/' + (isLib ? 'libs' : 'scripts') + '/'
-          + scriptStorage.getInstallNameBase(aReq, { encoding: 'uri' }) +
+        script.scriptRawPageXUrl = '/src/' + (isLib ? 'libs' : 'scripts') + '/' +
+          scriptStorage.getInstallNameBase(aReq, { encoding: 'uri' }) +
             (isLib ? '.min.js#' : '.min.user.js#');
         script.scriptPermalinkMetaPageUrl = 'https://' + aReq.get('host') +
           script.scriptMetaPageUrl;
@@ -2144,8 +2144,8 @@ exports.editScript = function (aReq, aRes, aNext) {
 
     if (authedUser) {
       nowDate = new Date();
-      options.script.copyrightPrimary = nowDate.getFullYear() + ', ' + authedUser.name
-        + ' (https://openuserjs.org' + authedUser.userPageUrl + ')';
+      options.script.copyrightPrimary = nowDate.getFullYear() + ', ' + authedUser.name +
+        ' (' + helpers.baseOrigin + authedUser.userPageUrl + ')';
     }
 
     options.script.scriptAcceptableOSILicense = [];
diff --git a/libs/helpers.js b/libs/helpers.js
@@ -149,7 +149,7 @@ exports.updateUrlQueryString = function (aBaseUrl, aDict) {
 };
 
 exports.isFQUrl = function (aString, aMailto, aDataImg) {
-  var URL = url.parse(aString);
+  var URL = url.parse(aString); // TODO: Convert to non-legacy
 
   var protocol = URL.protocol;
   var username = URL.username; // NOTE: BUG: in current *node*
@@ -205,22 +205,39 @@ exports.ensureIntegerOrNull = function (aEnvVar) {
   return aEnvVar;
 };
 
+//
+exports.port = process.env.PORT || 8080;
+exports.securePort = process.env.SECURE_PORT || 8081;
+
+exports.baseOrigin = 'https://openuserjs.org/';
+
+// Absolute pattern and is combined for pro and dev
+exports.patternHasSameOrigin =
+  '(?:https?://openuserjs\.org(?::' + exports.securePort + ')?|http://(?:oujs\.org' +
+    (isDev ? '|localhost:' + exports.port : '' ) + '))';
+
+// Possible pattern and is split for pro vs. dev
+// NOTE: This re is quite sensitive to changes esp. with `|`
+exports.patternMaybeSameOrigin =
+  (isPro
+    ? '(?:(?:https?:)?(?://openuserjs\.org(?::' + exports.securePort +
+      ')?)?|(?:http:)?(?//:oujs\.org)?)'
+    : '(?:http:)?(?://localhost:' + exports.port + ')?')
+
 exports.isSameOrigin = function (aUrl) {
   var url = null;
-  var port = process.env.PORT || 8080;
-  var securePort = process.env.SECURE_PORT || 8081;
-  var rOrigin = new RegExp(
-    '^(https://openuserjs\.org(:' + securePort + ')?|http://(oujs\.org|localhost:' + port + '))$'
-  );
   var sameOrigin = false;
+  var rIsSameOrigin = new RegExp('^' + exports.patternHasSameOrigin + '$', 'i');
 
-  try {
-    url = new URL(aUrl, 'https://openuserjs.org/');
+  if (aUrl) {
+    try {
+      url = new URL(aUrl, exports.baseOrigin);
 
-    if (rOrigin.test(url.origin)) {
-      sameOrigin = true;
+      if (rIsSameOrigin.test(url.origin)) {
+        sameOrigin = true;
+      }
+    } catch (aE) {
     }
-  } catch (aE) {
   }
 
   return sameOrigin;
diff --git a/libs/modelParser.js b/libs/modelParser.js
@@ -27,6 +27,9 @@ var cleanFilename = require('../libs/helpers').cleanFilename;
 var encode = require('../libs/helpers').encode;
 var decode = require('../libs/helpers').decode;
 var isFQUrl = require('../libs/helpers').isFQUrl;
+var isSameOrigin = require('../libs/helpers').isSameOrigin;
+var patternHasSameOrigin = require('../libs/helpers').patternHasSameOrigin;
+
 
 //--- Configuration inclusions
 var userRoles = require('../models/userRoles.json');
@@ -219,9 +222,10 @@ var parseScript = function (aScript) {
 
   var downloadURL = null;
   var downloadUtf = null;
-  var rAnyLocalScriptUrl = new RegExp('^https?://(?:openuserjs\.org|oujs\.org' +
-    (isDev ? '|localhost:' + (process.env.PORT || 8080) : '') +
-      ')/(?:install|src/scripts)/(.+?)/(.+?)((?:\.min)?(?:\.user)?\.js)$');
+  var rAnyLocalScriptUrl = new RegExp(
+    '^' + patternHasSameOrigin +
+      '/(?:install|src/scripts)/(.+?)/(.+?)((?:\.min)?(?:\.user)?\.js)$'
+  );
 
   // Temporaries
 
@@ -286,7 +290,7 @@ var parseScript = function (aScript) {
       script.support = [{
         url: supportURL,
         text: decode(supportURL),
-        hasNoFollow: !/^(?:https?:\/\/)?openuserjs\.org/i.test(supportURL)
+        isSameOrigin: isSameOrigin(supportURL)
       }];
 
     }
diff --git a/views/includes/scripts/lazyIconScript.html b/views/includes/scripts/lazyIconScript.html
@@ -48,6 +48,7 @@
         img.classList.add('fade-icon');
         img.classList.add('translucent-icon');
 
+        img.referrerPolicy = 'same-origin';
         img.src = dataIconSrc;
 
         container.appendChild(img);
diff --git a/views/pages/scriptIssueListPage.html b/views/pages/scriptIssueListPage.html
@@ -23,11 +23,15 @@
           </a>
         </div>
         {{#script.hasSupport}}
-        <div class="alert alert-success alert-dismissible small" role="alert">
-          <button type="button" class="close" data-dismiss="alert"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>
-          {{#script.support}}<p><i class="fa fa-fw fa-support"></i> <b>Support:</b> <a href="{{{url}}}"{{#hasNoFollow}} rel="nofollow"{{/hasNoFollow}}>{{text}}</a></p>{{/script.support}}
-          The script author requests that you use their preferred primary support method when filing an issue. Please consider using that for regular issues.
-        </div>
+        {{#script.support}}
+          {{^isSameOrigin}}
+          <div class="alert alert-success alert-dismissible small" role="alert">
+            <button type="button" class="close" data-dismiss="alert"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>
+              <p><i class="fa fa-fw fa-support"></i> <b>Support:</b> <a href="{{{url}}}" rel="external noreferrer noopener nofollow" referrerpolicy="same-origin">{{text}}</a></p>
+            The script author requests that you use their preferred primary support method when filing an issue. Please consider using that for regular issues.
+          </div>
+          {{/isSameOrigin}}
+        {{/script.support}}
         {{/script.hasSupport}}
         {{#paginationRendered}}
         <div class="text-center collapse">
diff --git a/views/pages/scriptPage.html b/views/pages/scriptPage.html
@@ -39,11 +39,11 @@
                   </ul>
                 </span>
               {{/script.hasGroups}}
-              {{#script.homepages}}<p><i class="fa fa-fw fa-home"></i> <b>Homepage:</b> <a href="{{{url}}}"{{#hasNoFollow}} rel="nofollow"{{/hasNoFollow}}>{{text}}</a></p>{{/script.homepages}}
-              {{#script.support}}<p><i class="fa fa-fw fa-support"></i> <b>Support:</b> <a href="{{{url}}}"{{#hasNoFollow}} rel="nofollow"{{/hasNoFollow}}>{{text}}</a></p>{{/script.support}}
+              {{#script.homepages}}<p><i class="fa fa-fw fa-home"></i> <b>Homepage:</b> <a href="{{{url}}}"{{^isSameOrigin}} rel="external noreferrer noopener nofollow" referrerpolicy="same-origin"{{/isSameOrigin}}>{{text}}</a></p>{{/script.homepages}}
+              {{#script.support}}<p><i class="fa fa-fw fa-support"></i> <b>Support:</b> <a href="{{{url}}}"{{^isSameOrigin}} rel="external noreferrer noopener nofollow" referrerpolicy="same-origin"{{/isSameOrigin}}>{{text}}</a></p>{{/script.support}}
               {{#script.copyrights}}<p><i class="fa fa-fw fa-copyright"></i> <b>Copyright:</b> {{name}}</p>{{/script.copyrights}}
-              {{#script.licenseConflict}}<p><i class="fa fa-fw fa-legal"></i> <b>License:</b> {{#script.licenseParadox}}<s>{{/script.licenseParadox}}<a rel="nofollow" href="https://spdx.org/licenses/MIT.html">MIT</a>; <a rel="nofollow" href="https://opensource.org/licenses/MIT">https://opensource.org/licenses/MIT</a>{{#script.licenseParadox}}</s>{{/script.licenseParadox}}</p>{{/script.licenseConflict}}
-              {{#script.licenses}}<p><i class="fa fa-fw fa-balance-scale"></i> <b>License:</b> {{#name}}{{name}}{{/name}}{{^name}}<a rel="nofollow" href="https://spdx.org/licenses/{{spdx}}.html">{{spdx}}</a>{{#url}}; <a rel="nofollow" href="{{url}}">{{url}}</a>{{/url}}{{/name}}</p>{{/script.licenses}}
+              {{#script.licenseConflict}}<p><i class="fa fa-fw fa-legal"></i> <b>License:</b> {{#script.licenseParadox}}<s>{{/script.licenseParadox}}<a rel="external noreferrer noopener nofollow" referrerpolicy="same-origin" href="https://spdx.org/licenses/MIT.html">MIT</a>; <a rel="external noreferrer noopener nofollow" referrerpolicy="same-origin" href="https://opensource.org/licenses/MIT">https://opensource.org/licenses/MIT</a>{{#script.licenseParadox}}</s>{{/script.licenseParadox}}</p>{{/script.licenseConflict}}
+              {{#script.licenses}}<p><i class="fa fa-fw fa-balance-scale"></i> <b>License:</b> {{#name}}{{name}}{{/name}}{{^name}}<a rel="external noreferrer noopener nofollow" referrerpolicy="same-origin" href="https://spdx.org/licenses/{{spdx}}.html">{{spdx}}</a>{{#url}}; <a rel="external noreferrer noopener nofollow" referrerpolicy="same-origin" href="{{url}}">{{url}}</a>{{/url}}{{/name}}</p>{{/script.licenses}}
               {{#hasCollab}}
               <p><i class="fa fa-fw fa-user"></i> <b>Collaborator:</b> {{#script.collaborators}} <span class="label label-info"><a href="/users/{{{url}}}">{{text}}</a></span> {{/script.collaborators}}</p>
               {{/hasCollab}}
