0.0.211 with Fix #211 Avoid bypassing ACL by dummy custom elements

README.md

@@ -6,6 +6,7 @@
 Thin Hook Preprocessor (experimental)
 
 ## Notes
+- **[Vulnerability Fix]** Since [0.0.211](https://github.com/t2ym/thin-hook/releases/tag/0.0.211) with [Fix #211](https://github.com/t2ym/thin-hook/issues/211), bypassing of ACL for global objects by dummy custom element definition is avoided. Prior to this version, ACL can be skipped by defining dummy custom elements by standard elements as constructor classes.
 - **[Vulnerability Fix]** Since [0.0.209](https://github.com/t2ym/thin-hook/releases/tag/0.0.209) with [Fix #210](https://github.com/t2ym/thin-hook/issues/210), bypassing of ACL for global objects by cloing them to other global objects is avoided. Prior to this version, ACL can be skipped by cloing global objects.
 - **[Vulnerability Fix]** Since [0.0.205](https://github.com/t2ym/thin-hook/releases/tag/0.0.205) with [Fix #208](https://github.com/t2ym/thin-hook/issues/208), scripts via `document.writeln()` are hooked as in `document.write()`. Prior to this version, scripts via `document.writeln()` are not hooked.
 - **[Vulnerability Fix]** Since [0.0.203](https://github.com/t2ym/thin-hook/releases/tag/0.0.203) with [Fix #207](https://github.com/t2ym/thin-hook/issues/207), `textContent` of `script` elements are always treated as JavaScript scripts regardless of their configured MIME types (`type` property/attribute).  Prior to this version, `textContent` of `script` elements containing `__hook__` as strings can be mistaken as **HOOKED** scripts and run without hooking.

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "thin-hook",
-  "version": "0.0.210",
+  "version": "0.0.211",
   "description": "Thin Hook Preprocessor",
   "main": "hook.min.js",
   "authors": [

demo/index.html

@@ -15,7 +15,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <script src="../../thin-hook/hook.min.js?version=491&no-hook-authorization=a97875937535475490e53dc821dd727911895cd63219ca2325632726cf0b2b36,a76edf82708ec2f22814d579950b05e7aad755e976cb140026cc9b648755b219,5b14ec588d93bf30f76972826b2d3d7220a4992c6026a180d87040fbd97eb2a2,9ae7026958590419825ad94aea3df1c519f813a84798bae72e6b4da95ff4f52a,ce8bd5917e14e8e138aecc6a61bc5779668fde1b3f762eb16e609f429d9f9475,d7d18f6488069afcfc6454dc1a635fe598ce1c9154c19e21f3ea3bf514596799,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_pp_&compact=true&service-worker-ready=false"></script></head></html><!--
+  <script src="../../thin-hook/hook.min.js?version=491&no-hook-authorization=bacad049c4f41ff2cb27fee1475e867385ad6390b5bc800c32e7ca70ce46394f,a76edf82708ec2f22814d579950b05e7aad755e976cb140026cc9b648755b219,5b14ec588d93bf30f76972826b2d3d7220a4992c6026a180d87040fbd97eb2a2,9ae7026958590419825ad94aea3df1c519f813a84798bae72e6b4da95ff4f52a,ce8bd5917e14e8e138aecc6a61bc5779668fde1b3f762eb16e609f429d9f9475,d7d18f6488069afcfc6454dc1a635fe598ce1c9154c19e21f3ea3bf514596799,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_pp_&compact=true&service-worker-ready=false"></script></head></html><!--
   <script context-generator src="no-hook-authorization.js?no-hook=true"></script>
   <script context-generator src="context-generator.js?no-hook=true"></script>
   <script context-generator no-hook>

demo/original-index.html

@@ -15,7 +15,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <script src="../../thin-hook/hook.min.js?version=491&no-hook-authorization=a97875937535475490e53dc821dd727911895cd63219ca2325632726cf0b2b36,a76edf82708ec2f22814d579950b05e7aad755e976cb140026cc9b648755b219,5b14ec588d93bf30f76972826b2d3d7220a4992c6026a180d87040fbd97eb2a2,9ae7026958590419825ad94aea3df1c519f813a84798bae72e6b4da95ff4f52a,ce8bd5917e14e8e138aecc6a61bc5779668fde1b3f762eb16e609f429d9f9475,d7d18f6488069afcfc6454dc1a635fe598ce1c9154c19e21f3ea3bf514596799,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_pp_&compact=true&service-worker-ready=true"></script>
+  <script src="../../thin-hook/hook.min.js?version=491&no-hook-authorization=bacad049c4f41ff2cb27fee1475e867385ad6390b5bc800c32e7ca70ce46394f,a76edf82708ec2f22814d579950b05e7aad755e976cb140026cc9b648755b219,5b14ec588d93bf30f76972826b2d3d7220a4992c6026a180d87040fbd97eb2a2,9ae7026958590419825ad94aea3df1c519f813a84798bae72e6b4da95ff4f52a,ce8bd5917e14e8e138aecc6a61bc5779668fde1b3f762eb16e609f429d9f9475,d7d18f6488069afcfc6454dc1a635fe598ce1c9154c19e21f3ea3bf514596799,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_pp_&compact=true&service-worker-ready=true"></script>
   <script context-generator src="no-hook-authorization.js?no-hook=true"></script>
   <script context-generator src="context-generator.js?no-hook=true"></script>
   <script context-generator no-hook>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "thin-hook",
-  "version": "0.0.210",
+  "version": "0.0.211",
   "description": "Thin Hook Preprocessor",
   "main": "hook.js",
   "scripts": {