Firefox: Disable window.location on website

Question

I'm trying to prevent a certain site from being able to use javascript to redirect the browser to another page. The script in question is an inline script so Greasemonkey and adBlock can't do anything about it.

Configurable Security Policies (CAPS) seems to be the answer but I can't get it to work for window.location and all my searches are turning up nothing useful. The script looks like this:

<script>
        window.location = "someotherpage.html";
</script>

And this is what I've tried in my user.js file:

user_pref("capability.policy.policynames", "noredirect");
user_pref("capability.policy.noredirect.sites", "http://www.zshare.net http://127.0.0.1");        
user_pref("capability.policy.noredirect.Window.Location.replace", "noAccess");
user_pref("capability.policy.noredirect.Window.Location.assign", "noAccess");
user_pref("capability.policy.noredirect.Window.Location.reload", "noAccess");
user_pref("capability.policy.noredirect.Window.Location", "noAccess");
user_pref("capability.policy.noredirect.Document.Location.replace", "noAccess");
user_pref("capability.policy.noredirect.Document.Location.assign", "noAccess");
user_pref("capability.policy.noredirect.Document.Location.reload", "noAccess");
user_pref("capability.policy.noredirect.Document.Location", "noAccess");
user_pref("capability.policy.noredirect.Location.replace", "noAccess");
user_pref("capability.policy.noredirect.Location.assign", "noAccess");
user_pref("capability.policy.noredirect.Location.reload", "noAccess");
user_pref("capability.policy.noredirect.Location", "noAccess");

I've been testing it out on a locally hosted page and I was able to block the alert function, but nothing I try has been able to disable window.location.

Does anyone know how to do this?

Answer 1

The only foolproof way is to write your own Firefox add-on. Greasemonkey cannot do it because javascript, such as beforeunload, cannot block window.location = "..." redirects.

However, I have blocked sites from doing this using NoScript and/or RequestPolicy. Neither approach is perfect but they may work for you.

• Ideally use NoScript to block JS for the site. This will stop the window.location.
  Many sites work acceptably without JS. If this site really needs JS, then NoScript won't help you with the location issue. But NoScript, like AdBlock, is great for speeding up the net and cutting back the crud.

• The next possible fix is to use RequestPolicy. RequestPolicy can block just requests from site_A to site_B for example (while allowing site_B in other circumstances).

  This will work as long as the window.location is to a page on another site. If it's same-site, then the custom add-on is the only alternative.

  Beware that RequestPolicy shuts down most everything, by default, and requires you to whitelist acceptable sites. This means that it requires a fair bit of training/configuration.

  The good part is that it can stop just about all the cross-site shenanigans that are rampant on the web -- which is how Facebook, Google, etc. track your every move and how a lot of security exploits are perpetrated.

• If the first 2 options won't work, then another possibility is to:

  1. Save a copy of all the page's JS that you want/need.
  2. Edit out any bad parts.
  3. Load that JS into the GM script using the // @require directive or just paste in the code.
  4. Then use NoScript to completely stop the page's JS. This is OK because GM JS will run, even if NoScript blocks the page's JS.
  5. The only drawback is that sometimes the page's JS will need refactoring to port to the GM script. Most of the time it will drop right in, however.
     
     

• If none of the above works, your only option is to write your own FF add-on.

Answer 2

Although not a Firefox solution to your problem, how about an alternative solution?

In Opera, all you need is a simple regex that will find and replace the script. No complex extension, just a simple user JS file, which would look like this.

Disable redirection 1.00.js:

// ==UserScript==
// @name Disable redirection
// @version 1.00
// @description Disables redirection.
// @namespace http://superuser.com/questions/353339/firefox-disable-window-location-on-website/511703#511703
// @copyright 2012
// @author XP1
// @homepage https://github.com/XP1/
// @license Apache License, Version 2.0; http://www.apache.org/licenses/LICENSE-2.0
// @include http*://example.com/*
// @include http*://*.example.com/*
// ==/UserScript==

/*
 * Copyright 2012 XP1
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*jslint browser: true, vars: true, maxerr: 50, indent: 4 */
(function (opera) {
    "use strict";

    var isReplaced = false;

    function replaceJs(userJsEvent) {
        if (isReplaced) {
            return;
        }

        var element = userJsEvent.element;
        element.text = element.text.replace(/window\.location = "someotherpage\.html";/g, "");

        isReplaced = true;
    }

    opera.addEventListener("BeforeScript", function listener(userJsEvent) {
        if (isReplaced) {
            opera.removeEventListener("BeforeScript", listener, false);
            return;
        }

        replaceJs(userJsEvent);
    }, false);
}(this.opera));