Fix incorrect uses of default policy

aaronkollasch · aaronkollasch · commit 29b2f7be1ecb · 2026-04-09T22:35:28.000-04:00
when a container-specific policy from the contextStore should be used
instead
diff --git a/src/bg/RequestGuard.js b/src/bg/RequestGuard.js
@@ -390,7 +390,7 @@
 
         const wantsTemp = forcedTemp || checked.includes("temp");
         if (!contextMatch) {
-          const isDefault = perms === ns.policy.DEFAULT;
+          const isDefault = perms === policy.DEFAULT;
           perms = perms.clone();
           if (isDefault) perms.temp = wantsTemp;
           policy.set(key, perms);
diff --git a/src/bg/TabGuard.js b/src/bg/TabGuard.js
@@ -184,8 +184,10 @@ var TabGuard = (() => {
 
       // we suspect tabs which 1) have not been removed/discarded, 2) are restricted by policy, 3) can run JavaScript
       let suspiciousTabs = [...ties].map(TabCache.get).filter(
-        tab => tab && !tab.discarded && ns.isEnforced(tab.id) &&
-        (!(tab._isExplicitOrigin = tab._isExplicitOrigin || /^(?:https?|ftps?|file):/.test(tab.url)) || ns.policy.can(tab.url, "script"))
+        tab => tab && !tab.discarded && ns.isEnforced(tab.id) && (
+          !(tab._isExplicitOrigin = tab._isExplicitOrigin || /^(?:https?|ftps?|file):/.test(tab.url)) ||
+          ns.getPolicy(tab.cookieStoreId).can(tab.url, "script")
+        )
       );
 
       return suspiciousTabs.length > 0 && (async () => {
@@ -222,7 +224,7 @@ var TabGuard = (() => {
             }
             if (tab.url !== "about:blank") {
               debug(`Real origin for ${tab._externalUrl} (tab ${tab.id}) is ${tab.url}.`);
-              if (!ns.policy.can(tab.url, "script")) return;
+              if (!ns.getPolicy(tab.cookieStoreId).can(tab.url, "script")) return;
             }
           }
           if (!tab._contentType) {
diff --git a/src/bg/main.js b/src/bg/main.js
@@ -339,7 +339,10 @@
       return tab?.url || documentUrl || url;
     },
     requestCan(request, capability) {
-      return !this.isEnforced(request.tabId) || this.policy.can(request.url, capability, this.policyContext(request));
+      return (
+        !this.isEnforced(request.tabId) ||
+        ns.getPolicy(request.cookieStoreId).can(request.url, capability, this.policyContext(request))
+      );
     },
 
     getPolicy(cookieStoreId){
diff --git a/src/ui/ui.js b/src/ui/ui.js
@@ -1139,7 +1139,7 @@ var UI = (() => {
     }
 
     _customOrAuto(row) {
-      const { policy } = UI;
+      const policy = this.policy;
       const { perms, contextMatch, siteMatch } = row;
       const isAuto = policy.autoAllowTop && perms.temp &&
           contextMatch == siteMatch &&
@@ -1363,7 +1363,7 @@ var UI = (() => {
               w.title = title;
               w.textContent &&= label;
             }
-            row._customPerms = perms = UI.policy.cascade(this.policy.DEFAULT, this.mainUrl, {permissions: true});
+            row._customPerms = perms = this.policy.cascade(this.policy.DEFAULT, this.mainUrl, {permissions: true});
           }
           preset.classList.toggle("canScript", perms.capabilities.has("script"));
         }

Original file line number	Diff line number	Diff line change
`@@ -184,8 +184,10 @@ var TabGuard = (() => {`
`184`	`184`
`185`	`185`	`// we suspect tabs which 1) have not been removed/discarded, 2) are restricted by policy, 3) can run JavaScript`
`186`	`186`	`let suspiciousTabs = [...ties].map(TabCache.get).filter(`
`187`		`- tab => tab && !tab.discarded && ns.isEnforced(tab.id) &&`
`188`		`- (!(tab._isExplicitOrigin = tab._isExplicitOrigin \|\| /^(?:https?\|ftps?\|file):/.test(tab.url)) \|\| ns.policy.can(tab.url, "script"))`
	`187`	`+ tab => tab && !tab.discarded && ns.isEnforced(tab.id) && (`
	`188`	`+ !(tab._isExplicitOrigin = tab._isExplicitOrigin \|\| /^(?:https?\|ftps?\|file):/.test(tab.url)) \|\|`
	`189`	`+ ns.getPolicy(tab.cookieStoreId).can(tab.url, "script")`
	`190`	`+ )`
`189`	`191`	`);`
`190`	`192`
`191`	`193`	`return suspiciousTabs.length > 0 && (async () => {`
`@@ -222,7 +224,7 @@ var TabGuard = (() => {`
`222`	`224`	`}`
`223`	`225`	`if (tab.url !== "about:blank") {`
`224`	`226`	debug(`Real origin for ${tab._externalUrl} (tab ${tab.id}) is ${tab.url}.`);
`225`		`- if (!ns.policy.can(tab.url, "script")) return;`
	`227`	`+ if (!ns.getPolicy(tab.cookieStoreId).can(tab.url, "script")) return;`
`226`	`228`	`}`
`227`	`229`	`}`
`228`	`230`	`if (!tab._contentType) {`
Original file line number	Diff line number	Diff line change
`@@ -1139,7 +1139,7 @@ var UI = (() => {`
`1139`	`1139`	`}`
`1140`	`1140`
`1141`	`1141`	`_customOrAuto(row) {`
`1142`		`- const { policy } = UI;`
	`1142`	`+ const policy = this.policy;`
`1143`	`1143`	`const { perms, contextMatch, siteMatch } = row;`
`1144`	`1144`	`const isAuto = policy.autoAllowTop && perms.temp &&`
`1145`	`1145`	`contextMatch == siteMatch &&`
`@@ -1363,7 +1363,7 @@ var UI = (() => {`
`1363`	`1363`	`w.title = title;`
`1364`	`1364`	`w.textContent &&= label;`
`1365`	`1365`	`}`
`1366`		`- row._customPerms = perms = UI.policy.cascade(this.policy.DEFAULT, this.mainUrl, {permissions: true});`
	`1366`	`+ row._customPerms = perms = this.policy.cascade(this.policy.DEFAULT, this.mainUrl, {permissions: true});`
`1367`	`1367`	`}`
`1368`	`1368`	`preset.classList.toggle("canScript", perms.capabilities.has("script"));`
`1369`	`1369`	`}`