feat(Security): Blacklist certain pages, like the checkout, from bein…

…g injected into by plugins.
shdwmtr · Dec 1, 2024 · 54edc4c · 54edc4c
1 parent 1a8daf0
commit 54edc4c
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/core/hooks/web_load.cc b/src/core/hooks/web_load.cc
@@ -92,6 +92,11 @@ void WebkitHandler::GetResponseBody(nlohmann::basic_json<> message)
     });
 }
 
+// These URLS are blacklisted from being hooked, to prevent potential security issues.
+static const std::vector<std::string> g_blackListedUrls = {
+    "https://checkout\\.steampowered\\.com/.*"
+};
+
 const std::string WebkitHandler::PatchDocumentContents(std::string requestUrl, std::string original) 
 {
     std::string patched = original;
@@ -115,7 +120,7 @@ const std::string WebkitHandler::PatchDocumentContents(std::string requestUrl, s
         {
             if (!std::regex_match(requestUrl, hookItem.urlPattern)) 
                 continue;
-
+            
             std::filesystem::path relativePath = std::filesystem::relative(hookItem.path, SystemIO::GetSteamPath());
             scriptModules.push_back(fmt::format("{}{}", this->m_javaScriptVirtualUrl, relativePath.generic_string()));
         }
@@ -128,6 +133,10 @@ const std::string WebkitHandler::PatchDocumentContents(std::string requestUrl, s
 
     std::string shimContent = fmt::format("<script type=\"module\" id=\"millennium-injected\" defer>{}millennium_components({}, [{}])\n</script>\n{}", webkitPreloadModule, m_ipcPort, scriptModuleArray, cssShimContent);
 
+    for (const auto& blackListedUrl : g_blackListedUrls)        
+        if (std::regex_match(requestUrl, std::regex(blackListedUrl))) 
+            shimContent = cssShimContent; // Remove all queried JavaScript from the page. 
+
     if (patched.find("<head>") == std::string::npos) 
     {
         return patched;