-
Notifications
You must be signed in to change notification settings - Fork 895
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added Custom Scriptlet section in the settings page. #25999
Conversation
A Storybook has been deployed to preview UI for the latest push |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
strings
++ (with 1 change)
components/brave_shields/core/browser/ad_block_custom_resource_provider.cc
Outdated
Show resolved
Hide resolved
@boocmp how do we handle naming collisions? For instance, if a user tries to create a new scriptlet called |
We don't check. Default resources have priority over customs so if it's called 'brave-fix` it will be ignored.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
if (*mime == kAppJs) { | ||
// Resource is a scriptlet: | ||
if (!name->starts_with("brave-") || !name->ends_with(".js")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we're going to enforce certain prefixes on user scriptlets, we should reserve brave-
for Brave's CRX-provided scriptlets, and give user-provided scriptlets a user-
prefix instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
makes sense to me too
…td::string::starts_with. Added test.
…gs method. Added test.
…lets in readonly mode.
[puLL-Merge] - brave/brave-core@25999 DescriptionThis PR adds support for custom scriptlets in the AdBlock feature of the Brave browser. It introduces a developer mode that allows users to add, edit, and remove custom scriptlets, which are small JavaScript snippets used for ad blocking and content modification. Possible Issues
Security Hotspots
ChangesChanges
sequenceDiagram
User->>BraveSettings: Enable AdBlock Developer Mode
BraveSettings->>AdBlockService: EnableDeveloperMode(true)
User->>BraveSettings: Add Custom Scriptlet
BraveSettings->>AdBlockCustomResourceProvider: AddResource(scriptlet)
AdBlockCustomResourceProvider->>Storage: Save Custom Scriptlet
AdBlockCustomResourceProvider->>AdBlockService: ReloadResourcesAndNotify()
AdBlockService->>AdBlockEngine: Update with new scriptlet
User->>Webpage: Visit
Webpage->>AdBlockEngine: Check for blocking
AdBlockEngine->>Webpage: Apply Custom Scriptlet
|
pref_change_registrar_->Add( | ||
prefs::kAdBlockDeveloperMode, | ||
base::BindRepeating(&AdBlockPrefService::OnDeveloperModeChanged, | ||
base::Unretained(this))); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reported by reviewdog 🐶
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:
- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated
Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml
Cc @thypon @goodov @iefremov
Released in v1.75.99 |
Resolves brave/brave-browser#25586
Empty list
Add new scriplet
Add new scriplet with code
Scriptlet in the list and custom filter
Execution on the page
Dev mode toggle
dev_mode.mp4
Submitter Checklist:
QA/Yes
orQA/No
;release-notes/include
orrelease-notes/exclude
;OS/...
) to the associated issuenpm run test -- brave_browser_tests
,npm run test -- brave_unit_tests
wikinpm run presubmit
wiki,npm run gn_check
,npm run tslint
git rebase master
(if needed)Reviewer Checklist:
gn
After-merge Checklist:
changes has landed on
Test Plan:
Feature is not enabled
A:
brave://settings/shields/filters
https://example.com
B:
brave://settings/shields/filters
Developer mode
example.com##[href*="https://www.iana.org/domains/example"]
rule and click 'Save changes`https://example.com
check that theMote information...
link is not visibleC:
brave://settings/shields/filters
Custom scriptlets
in the settingsFeature is enabled ( brave-adblock-custom-scriptlets in flags)
brave://settings/shields/filters
Custom scriptlets
in the settingsDeveloper mode
(if not enabled yet)Add new scriptlet
, a dialog should appearmy-script
console.log('my-script')
user-my-script.js
custom scriptlet appears in the listexample.com##+js(user-my-script.js)
rule in CFT and save changeshttps://example.com
and go to DevTools console, check themy-script
message appearsuser-my-script.js
, change log message to another (e.g.changed
), clickSave
example.com
check the new message in consoleexample.com
and check message appearsDeveloper mode
example.com
, check there is no messages from scriptlets in the devtools console.Developer mode
and deleteuser-my-script.js
by clicking thetrash
iconexample.com
check there is no messages from scriptlets in the devtools console.