Merge pull request #26 from tilfin/feature/firefox-compat

Firefox compatible

.gitignore

@@ -0,0 +1 @@
+dist

README.md

@@ -1,6 +1,6 @@
 # AWS Extend Switch Roles
 
-Extend your AWS IAM switching roles by Chrome extension
+Extend your AWS IAM switching roles by Chrome extension or Firefox add-on
 
 Switch roll history does not remain only 5 maximum on the AWS Management Console.
 This extension extends to show more switch roles by loading your aws configuration.
@@ -10,7 +10,9 @@ The bottom of the console header is emphasized with your specified color if you
 
 ## Install
 
-Go to [AWS Extend Switch Roles - Chrome Web Store](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?utm_source=github)
+[AWS Extend Switch Roles - Chrome Web Store](https://chrome.google.com/webstore/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?utm_source=github)
+
+[AWS Extend Switch Roles :: Add-ons for Firefox](https://addons.mozilla.org/ja/firefox/addon/aws-extend-switch-roles3/)
 
 ## Configuration
 

bin/archive.sh

@@ -4,7 +4,17 @@
 #--
 zipfile=aws-extend-switch-roles.zip
 
+cd dist/chrome;
+\rm $zipfile
 zip -r $zipfile \
   manifest.json *.html icons/ js/ 
+echo "archived: chrome/$zipfile"
 
-echo "archived: $zipfile"
+echo "----"
+
+cd ../firefox;
+\rm $zipfile
+zip -r $zipfile \
+  manifest.json *.html icons/ js/ 
+
+echo "archived: firefox/$zipfile"

bin/build.sh

@@ -2,8 +2,12 @@
 #--
 # build.sh
 #--
-content=js/content.js
-popup=js/popup.js
+
+mkdir -p dist/chrome/js
+mkdir -p dist/firefox/js
+
+content=dist/chrome/js/content.js
+popup=dist/chrome/js/popup.js
 
 cat src/lib/profile.js         > $content
 cat src/content.js            >> $content
@@ -12,4 +16,17 @@ cat src/lib/load_aws_config.js > $popup
 cat src/lib/color_picker.js   >> $popup
 cat src/popup.js              >> $popup
 
+\cp -f $content dist/firefox/js/content.js
+\cp -f $popup   dist/firefox/js/popup.js
+
+\cp -f manifest.json dist/chrome/
+jq -s '.[0] * .[1]' manifest.json manifest_firefox.json > dist/firefox/manifest.json
+
+for brw in `ls dist`
+do
+  \cp src/csrf-setter.js dist/$brw/js/
+  \cp src/sanitizer.js dist/$brw/js/
+  \cp -r *.html dist/$brw/
+  \cp -r icons  dist/$brw/
+done
 echo "build done"

manifest.json

@@ -21,7 +21,10 @@
         "https://phd.aws.amazon.com/*"
       ],
       "all_frames": true,
-      "js": ["js/content.js"],
+      "js": [
+        "js/sanitizer.js",
+        "js/content.js"
+      ],
       "run_at": "document_end"
     }
   ],

manifest_firefox.json

@@ -0,0 +1,10 @@
+{
+  "version": "0.5.3",
+  "applications": {
+    "gecko": {
+      "id": "[email protected]",
+      "strict_min_version": "55.0",
+      "strict_max_version": "55.*"
+    }
+  }
+}

popup.html

@@ -1,8 +1,13 @@
 <!DOCTYPE html>
 <html>
 <head>
+<meta charset="UTF-8">
 <script src="js/popup.js"></script>
 <style>
+body {
+  font-size: 12px;
+  line-height: 1.25;
+}
 a { text-decoration: none }
 .head {
   font-size: 13px;
@@ -23,9 +28,10 @@
   top: 2px;
 }
 #awsConfigTextArea {
+  font-size: 11px;
   padding: 0.5ex;
   resize: none;
-  white-space: nowrap;
+  white-space: pre;
   width:470px;
   height:400px;
 }

src/content.js

@@ -71,22 +71,20 @@ function loadProfiles(profile, list, csrf, hidesHistory, hidesAccountId) {
     if (recentNames.indexOf(name) !== -1) return true;
 
     var color = item.color || 'aaaaaa';
-	  var listItem = document.createElement('li');
-	  listItem.innerHTML = '<form action="https://signin.aws.amazon.com/switchrole" method="POST" target="_top">'
-	    +   '<input type="hidden" name="action" value="switchFromBasis">'
-	    +   '<input type="hidden" name="src" value="nav">'
-	    +   '<input type="hidden" name="roleName" value="' + item.role_name + '">'
-	    +   '<input type="hidden" name="account" value="' + item.aws_account_id + '">'
-	    +   '<input type="hidden" name="mfaNeeded" value="0">'
-	    +   '<input type="hidden" name="color" value="' + color + '">'
-	    +   '<input type="hidden" name="csrf" value="' + csrf + '">'
-	    +   '<input type="hidden" name="redirect_uri" value="https%3A%2F%2Fconsole.aws.amazon.com%2Fs3%2Fhome">'
-	    +   '<label for="awsc-recent-role-switch-0" class="awsc-role-color" style="background-color: #'+color+';">&nbsp;</label>'
-	    +   '<input type="submit" class="awsc-role-submit awsc-role-display-name" name="displayName" value="'
-	    +   name + '" title="' + item.role_name + '@' + item.aws_account_id + '" style="white-space:pre">'
-	    + '</form>';
-
-	  list.appendChild(listItem);
+    list.insertAdjacentHTML('beforeend', Sanitizer.escapeHTML`<li>
+    <form action="https://signin.aws.amazon.com/switchrole" method="POST" target="_top">
+	   <input type="hidden" name="action" value="switchFromBasis">
+	   <input type="hidden" name="src" value="nav">
+	   <input type="hidden" name="roleName" value="${item.role_name}">
+	   <input type="hidden" name="account" value="${item.aws_account_id}">
+	   <input type="hidden" name="mfaNeeded" value="0">
+	   <input type="hidden" name="color" value="${color}">
+	   <input type="hidden" name="csrf" value="${csrf}">
+	   <input type="hidden" name="redirect_uri" value="https%3A%2F%2Fconsole.aws.amazon.com%2Fs3%2Fhome">
+	   <label for="awsc-recent-role-switch-0" class="awsc-role-color" style="background-color: #${color};">&nbsp;</label>
+     <input type="submit" class="awsc-role-submit awsc-role-display-name" name="displayName" value="${name}"
+            title="${item.role_name}@${item.aws_account_id}" style="white-space:pre"></form>
+    </li>`);
   });
 }
 

js/csrf-setter.js → src/csrf-setter.js

@@ -1,7 +1,7 @@
-(function(){
+setTimeout(function(){
   var csrf = AWSC.Auth.getMbtc();
   var forms = document.querySelectorAll('#awsc-username-menu-recent-roles form');
   for (var i = 0, len = forms.length; i < len; i++) {
     forms[i].csrf.value = csrf;
   }
-})();
+}, 200);

src/sanitizer.js

@@ -0,0 +1,87 @@
+/* globals define, module */
+
+/**
+ * A simple library to help you escape HTML using template strings.
+ *
+ * It's the counterpart to our eslint "no-unsafe-innerhtml" plugin that helps us
+ * avoid unsafe coding practices.
+ * A full write-up of the Hows and Whys are documented
+ * for developers at
+ *  https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_Automation
+ * with additional background information and design docs at
+ *  https://wiki.mozilla.org/User:Fbraun/Gaia/SafeinnerHTMLRoadmap
+ *
+ */
+(function (root, factory) {
+  'use strict';
+  if (typeof define === 'function' && define.amd) {
+    define(factory);
+  } else if (typeof exports === 'object') {
+    module.exports = factory();
+  } else {
+    root.Sanitizer = factory();
+  }
+}(this, function () {
+  'use strict';
+
+  var Sanitizer = {
+    _entity: /[&<>"'/]/g,
+
+    _entities: {
+      '&': '&amp;',
+      '<': '&lt;',
+      '>': '&gt;',
+      '"': '&quot;',
+      '\'': '&apos;',
+      '/': '&#x2F;'
+    },
+
+    getEntity: function (s) {
+      return Sanitizer._entities[s];
+    },
+
+    /**
+     * Escapes HTML for all values in a tagged template string.
+     */
+    escapeHTML: function (strings, ...values) {
+      var result = '';
+
+      for (var i = 0; i < strings.length; i++) {
+        result += strings[i];
+        if (i < values.length) {
+          result += String(values[i]).replace(Sanitizer._entity,
+            Sanitizer.getEntity);
+        }
+      }
+
+      return result;
+    },
+    /**
+     * Escapes HTML and returns a wrapped object to be used during DOM insertion
+     */
+    createSafeHTML: function (strings, ...values) {
+      var escaped = Sanitizer.escapeHTML(strings, ...values);
+      return {
+        __html: escaped,
+        toString: function () {
+          return '[object WrappedHTMLObject]';
+        },
+        info: 'This is a wrapped HTML object. See https://developer.mozilla.or'+
+          'g/en-US/Firefox_OS/Security/Security_Automation for more.'
+      };
+    },
+    /**
+     * Unwrap safe HTML created by createSafeHTML or a custom replacement that
+     * underwent security review.
+     */
+    unwrapSafeHTML: function (...htmlObjects) {
+      var markupList = htmlObjects.map(function(obj) {
+        return obj.__html;
+      });
+      return markupList.join('');
+    }
+  };
+
+  return Sanitizer;
+
+}));