From 7b138b58c611093bfccda62e7b8677af81ccd1d5 Mon Sep 17 00:00:00 2001
From: Raymond Hill
Date: Tue, 13 Feb 2024 15:09:38 -0500
Subject: [PATCH] Fix potential exfiltration of browsing history by a rogue list author through permissions= As with `csp=` option, reporting capabilities need to be taken into account with `permissions=` option. Reference: https://github.com/w3c/webappsec-permissions-policy/blob/main/reporting.md This commit ensures that `permissions=` option using `report-to` are marked as invalid.
---
 src/js/static-filtering-parser.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/js/static-filtering-parser.js b/src/js/static-filtering-parser.js
index ac735dcc41bf8..6110c4f7d1915 100644
--- a/src/js/static-filtering-parser.js
+++ b/src/js/static-filtering-parser.js
@@ -897,6 +897,7 @@ export class AstFilterParser {
 this.rePatternScriptletJsonArgs = /^\{.*\}$/;
 this.reGoodRegexToken = /[^\x01%0-9A-Za-z][%0-9A-Za-z]{7,}|[^\x01%0-9A-Za-z][%0-9A-Za-z]{1,6}[^\x01%0-9A-Za-z]/;
 this.reBadCSP = /(?:^|;)\s*report-(?:to|uri)\b/i;
+ this.reBadPP = /(?:^|;)\s*report-to\b/i;
 this.reNoopOption = /^_+$/;
 this.scriptletArgListParser = new ArgListParser(',');
 }
@@ -1400,7 +1401,11 @@ export class AstFilterParser {
 realBad = this.isRegexPattern() === false;
 break;
 case NODE_TYPE_NET_OPTION_NAME_PERMISSIONS:
- realBad = modifierType !== 0 || (hasValue || isException) === false;
+ realBad = modifierType !== 0 ||
+ (hasValue || isException) === false ||
+ this.reBadPP.test(
+ this.getNetOptionValue(NODE_TYPE_NET_OPTION_NAME_PERMISSIONS)
+ );
 if ( realBad ) { break; }
 modifierType = type;
 break;
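Review bot: `reBadPP` in the constructor hunk (`@@ -897`) carries no comment saying why `report-to` is rejected, so the security reason lives only in the commit message. I would add above it `// permissions= values must not enable reporting (report-to): reports could leak browsing history to an endpoint chosen by the list author`. Unlike `reBadCSP` it does not list `report-uri`, which looks intentional given the referenced Permissions Policy reporting document, but saying so in the comment would stop a later reader from "harmonising" the two patterns. The constructor body starts outside the hunk.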
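Review bot: In the `NODE_TYPE_NET_OPTION_NAME_PERMISSIONS` case (`@@ -1400`), `getNetOptionValue()` is still called for an exception filter that has no value, because `(hasValue || isException) === false` is false there and the `||` chain continues into `reBadPP.test(...)`. `getNetOptionValue` is not visible in this hunk, so this may well be harmless, but gating the call states the intent and avoids relying on how `test()` coerces a non-string: `(hasValue && this.reBadPP.test(this.getNetOptionValue(NODE_TYPE_NET_OPTION_NAME_PERMISSIONS)))`. The diffstat shows only the parser file changing, so a parser test asserting that a `permissions=` value carrying a `report-to` parameter is flagged as bad would keep this check from regressing. The enclosing `switch` starts and ends outside the hunk.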