allow injected scripts to bypass CORS using provided API

2 files changed, 95 insertions, 0 deletions

diff --git a/content/haketilo_apis.js b/content/haketilo_apis.js
index 36e987d..772e843 100644
--- a/content/haketilo_apis.js
+++ b/content/haketilo_apis.js
@@ -43,7 +43,35 @@
  */
 
 #FROM common/browser.js IMPORT browser
+#FROM common/misc.js    IMPORT error_data_jsonifiable
+
+async function on_CORS_bypass(event) {
+    const name = "haketilo_CORS_bypass";
+
+    console.warn("delme event", event.detail);
+
+    if (typeof event.detail.id   !== "string" ||
+	typeof event.detail.data !== "string") {
+	console.error(`Haketilo: Invalid detail for ${name}:`,
+		      event.detail);
+	return;
+    }
+
+    try {
+	const data = JSON.parse(event.detail.data);
+	var result = await browser.runtime.sendMessage(["CORS_bypass", data]);
+	if (result === undefined)
+	    throw new Error("Couldn't communicate with Haketilo background script.");
+    } catch(e) {
+	var result = {error: error_data_jsonifiable(e)};
+    }
+
+    const response_name = `${name}-${event.detail.id}`;
+    const detail = JSON.stringify(result);
+    window.dispatchEvent(new CustomEvent(response_name, {detail}));
+}
 
 function start() {
+    window.addEventListener("haketilo_CORS_bypass", on_CORS_bypass);
 }
 #EXPORT start
diff --git a/test/haketilo_test/unit/test_haketilo_apis.py b/test/haketilo_test/unit/test_haketilo_apis.py
new file mode 100644
index 0000000..7dca4db
--- /dev/null
+++ b/test/haketilo_test/unit/test_haketilo_apis.py
@@ -0,0 +1,67 @@
+# SPDX-License-Identifier: CC0-1.0
+
+"""
+Haketilo unit tests - exposing some special functionalities to injected scripts
+"""
+
+# This file is part of Haketilo
+#
+# Copyright (C) 2022 Wojtek Kosior <koszko@koszko.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the CC0 1.0 Universal License as published by
+# the Creative Commons Corporation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# CC0 1.0 Universal License for more details.
+
+import pytest
+import json
+from selenium.webdriver.support.ui import WebDriverWait
+
+from ..script_loader import load_script
+from ..world_wide_library import some_data
+
+def content_script():
+    return load_script('content/haketilo_apis.js') + ';\nstart();'
+
+def background_script():
+    return load_script('background/CORS_bypass_server.js') + ';\nstart();'
+
+@pytest.mark.ext_data({
+    'content_script': content_script,
+    'background_script': background_script
+})
+@pytest.mark.usefixtures('webextension')
+def test_haketilo_apis_CORS_bypass(driver):
+    """
+    Verify injected scripts will be able to bypass CORS with the help of
+    Haketilo API.
+    """
+    driver.get('https://gotmyowndoma.in/')
+    driver.execute_script(
+        '''
+        const fetch_arg = {
+            url: "https://anotherdoma.in/resource/blocked/by/CORS.json",
+            init: {}
+        };
+
+        const detail = {
+            data: JSON.stringify(fetch_arg),
+            id:   "abcdef"
+        };
+
+        window.addEventListener("haketilo_CORS_bypass-abcdef",
+                                e => window.__response = e.detail);
+        window.dispatchEvent(new CustomEvent("haketilo_CORS_bypass", {detail}));
+        ''')
+
+    get_response = lambda d: d.execute_script("return window.__response;")
+    response = WebDriverWait(driver, 10).until(get_response)
+    response = json.loads(response)
+
+    assert response['body'] == some_data.encode().hex()
+    assert response['status'] == 200
+    assert type(response['headers']) is list