re-add the ability to allow/block individual scripts in Shields (webui part)

[spylogsster]

Resolves brave/brave-browser#28510

block.mp4

Submitter Checklist:

• I confirm that no security/privacy review is needed, or that I have requested one
• There is a ticket for my issue
• Used Github auto-closing keywords in the PR description above
• Wrote a good PR/commit description
• Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
• Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
• Checked the PR locally:
  • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
  • npm run lint, npm run presubmit wiki, npm run gn_check, npm run tslint
• Ran git rebase master (if needed)

Reviewer Checklist:

• A security review is not needed, or a link to one is included in the PR description
• New files have MPL-2.0 license header
• Adequate test coverage exists to prevent regressions
• Major classes, functions and non-trivial code blocks are well-commented
• Changes in component dependencies are properly reflected in gn
• Code follows the style guide
• Test plan is specified in PR before merging

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on
• All relevant documentation has been updated, for instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Custom-Headers
  • https://github.com/brave/brave-browser/wiki/Web-Compatibility-Exceptions-in-Brave
  • https://github.com/brave/brave-browser/wiki/QA-Guide
  • https://github.com/brave/brave-browser/wiki/P3A

Test Plan:

• Go to cnn.com and block/allow scripts in Shield panel

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[nullhook]

If onPermissionButtonClick is a required prop, why are we checking if it exists here? If the permission button is conditionally rendering, it would make sense to allow null/undefined values for the prop, which should be consistent throughout the call stack.

[spylogsster]

it can be undefined as suggested by @fallaciousreasoning above #17221 (comment)

export type PermissionButtonHandler =
  ((name: string) => void) | undefined

false was not compiled, undefined works

[spylogsster]

the handler was suggested in #17221 (comment)

[spylogsster]

Changed type of onPermissionButtonClick and made parameter optional

[nullhook]

Looks good!

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[fallaciousreasoning]

Thanks for that @spylogsster!

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[bridiver]

block allowed scripts? Can you please add a comment explaining what it does because it makes no sense to block an allowed script.

[bridiver]

I think this should probably be BlockScriptsOnce to match AllowScriptsOnce?

[bridiver]

I don't see any tests to verify that this actually blocks/allows the individual scripts on the page and I'm not really sure how it can work correctly given that

bool BraveContentSettingsAgentImpl::IsScriptTemporilyAllowed(
    const GURL& script_url) {
  // Check if scripts from this origin are temporily allowed or not.
  // Also matches the full script URL to support data URL cases which we use
  // the full URL to allow it.
  bool allow = base::Contains(temporarily_allowed_scripts_,
                              url::Origin::Create(script_url).Serialize()) ||
               base::Contains(temporarily_allowed_scripts_, script_url.spec());

hasn't changed. The test here https://github.com/brave/brave-core/pull/17152/files#diff-7274b75afeaaeb25be8467441f13ad371269f1ba1c637e3fee2a1714f80c8003R201 is not sufficient because you need two different scripts with the same origin to verify that you are blocking by the full script url and not just the origin.

If I'm missing something here and this does work then at the very least the comment needs to be changed, but I'm pretty sure it won't work correctly with more than one script from the same domain

[bridiver]

SetAllowScriptsFromOriginsOnce only matches based on origin so having a full script url in this list seems confusing at best