diff options
author | Wojtek Kosior <koszko@koszko.org> | 2022-01-18 15:57:28 +0100 |
---|---|---|
committer | Wojtek Kosior <koszko@koszko.org> | 2022-01-18 15:57:28 +0100 |
commit | 17614206a6e23900e0ddd91c4e4e40ec08eaec99 (patch) | |
tree | 506206b05328817c9816806cf9731c37f034e291 | |
parent | 31cc63c2b429b768379e1b2ef7598242d0b36d18 (diff) | |
download | browser-extension-17614206a6e23900e0ddd91c4e4e40ec08eaec99.tar.gz browser-extension-17614206a6e23900e0ddd91c4e4e40ec08eaec99.zip |
facilitate making CORS-agnostic requests through background script
-rw-r--r-- | background/CORS_bypass_server.js | 90 | ||||
-rw-r--r-- | test/unit/test_CORS_bypass_server.py | 110 | ||||
-rw-r--r-- | test/world_wide_library.py | 5 |
3 files changed, 205 insertions, 0 deletions
diff --git a/background/CORS_bypass_server.js b/background/CORS_bypass_server.js new file mode 100644 index 0000000..cbed945 --- /dev/null +++ b/background/CORS_bypass_server.js @@ -0,0 +1,90 @@ +/** + * This file is part of Haketilo. + * + * Function: Allow other parts of the extension to bypass CORS by routing their + * request through this background script using one-off messages. + * + * Copyright (C) 2022 Wojtek Kosior <koszko@koszko.org> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * As additional permission under GNU GPL version 3 section 7, you + * may distribute forms of that code without the copy of the GNU + * GPL normally required by section 4, provided you include this + * license notice and, in case of non-source distribution, a URL + * through which recipients can access the Corresponding Source. + * If you modify file(s) with this exception, you may extend this + * exception to your version of the file(s), but you are not + * obligated to do so. If you do not wish to do so, delete this + * exception statement from your version. + * + * As a special exception to the GPL, any HTML file which merely + * makes function calls to this code, and for that purpose + * includes it by reference shall be deemed a separate work for + * copyright law purposes. If you modify this code, you may extend + * this exception to your version of the code, but you are not + * obligated to do so. If you do not wish to do so, delete this + * exception statement from your version. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/>. + * + * I, Wojtek Kosior, thereby promise not to sue for violation of this file's + * license. Although I request that you do not make use of this code in a + * proprietary program, I am not going to enforce this in court. + */ + +#FROM common/browser.js IMPORT browser + +async function get_prop(object, prop, result_object, call_prop=false) { + try { + result_object[prop] = call_prop ? (await object[prop]()) : object[prop]; + } catch(e) { + result_object[`error-${prop}`] = "" + e; + } +} + +async function perform_download(fetch_data, respond_cb) { + try { + const response = await fetch(fetch_data.url); + const result = {}; + + for (const prop of (fetch_data.to_get || [])) + get_prop(response, prop, result); + + const to_call = (fetch_data.to_call || []); + const promises = []; + for (let i = 0; i < to_call.length; i++) { + const response_to_use = i === to_call.length - 1 ? + response : response.clone(); + promises.push(get_prop(response_to_use, to_call[i], result, true)); + } + + await Promise.all(promises); + return result; + } catch(e) { + return {error: "" + e}; + } +} + +function on_CORS_bypass_request([type, fetch_data], sender, respond_cb) { + if (type !== "CORS_bypasss") + return; + + perform_download(fetch_data).then(respond_cb); + + return true; +} + +function start() { + browser.runtime.onMessage.addListener(on_CORS_bypass_request); +} +#EXPORT start diff --git a/test/unit/test_CORS_bypass_server.py b/test/unit/test_CORS_bypass_server.py new file mode 100644 index 0000000..35ea565 --- /dev/null +++ b/test/unit/test_CORS_bypass_server.py @@ -0,0 +1,110 @@ +# SPDX-License-Identifier: CC0-1.0 + +""" +Haketilo unit tests - routing HTTP requests through background script +""" + +# This file is part of Haketilo +# +# Copyright (C) 2022 Wojtek Kosior <koszko@koszko.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the CC0 1.0 Universal License as published by +# the Creative Commons Corporation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# CC0 1.0 Universal License for more details. + +import pytest +import json +from selenium.webdriver.support.ui import WebDriverWait + +from ..extension_crafting import ExtraHTML +from ..script_loader import load_script +from ..world_wide_library import some_data + +urls = { + 'resource': 'https://anotherdoma.in/resource/blocked/by/CORS.json', + 'nonexistent': 'https://nxdoma.in/resource.json', + 'invalid': 'w3csucks://invalid.url/' +} + +content_script = '''\ +const urls = %s; + +function fetch_data(url) { + return { + url, + to_get: ["ok", "status"], + to_call: ["text", "json"] + }; +} + +async function fetch_resources() { + const results = {}; + const promises = []; + for (const [name, url] of Object.entries(urls)) { + const sending = browser.runtime.sendMessage(["CORS_bypasss", + fetch_data(url)]); + promises.push(sending.then(response => results[name] = response)); + } + + await Promise.all(promises); + + window.wrappedJSObject.haketilo_fetch_results = results; +} + +fetch_resources(); +''' + +content_script = content_script % json.dumps(urls); + +@pytest.mark.ext_data({ + 'content_script': content_script, + 'background_script': + lambda: load_script('background/CORS_bypass_server.js') + '; start();' +}) +@pytest.mark.usefixtures('webextension') +def test_CORS_bypass_server(driver, execute_in_page): + """ + Test if CORS bypassing works and if errors get properly forwarded. + """ + driver.get('https://gotmyowndoma.in/') + + # First, verify that requests without CORS bypass measures fail. + results = execute_in_page( + ''' + const result = {}; + let promises = []; + for (const [name, url] of Object.entries(arguments[0])) { + const [ok_cb, err_cb] = + ["ok", "err"].map(status => () => result[name] = status); + promises.push(fetch(url).then(ok_cb, err_cb)); + } + // Make the promises non-failing. + promises = promises.map(p => new Promise(cb => p.then(cb, cb))); + returnval(Promise.all(promises).then(() => result)); + ''', + {**urls, 'sameorigin': './nonexistent_resource'}) + + assert results == dict([*[(k, 'err') for k in urls.keys()], + ('sameorigin', 'ok')]) + + done = lambda d: d.execute_script('return window.haketilo_fetch_results;') + results = WebDriverWait(driver, 10).until(done) + + assert set(results['invalid'].keys()) == {'error'} + + assert set(results['nonexistent'].keys()) == \ + {'ok', 'status', 'text', 'error-json'} + assert results['nonexistent']['ok'] == False + assert results['nonexistent']['status'] == 404 + assert results['nonexistent']['text'] == 'Handler for this URL not found.' + + assert set(results['resource'].keys()) == {'ok', 'status', 'text', 'json'} + assert results['resource']['ok'] == True + assert results['resource']['status'] == 200 + assert results['resource']['text'] == some_data + assert results['resource']['json'] == json.loads(some_data) diff --git a/test/world_wide_library.py b/test/world_wide_library.py index f66a6d5..bed6ec3 100644 --- a/test/world_wide_library.py +++ b/test/world_wide_library.py @@ -85,6 +85,8 @@ def dump_scripts(directory='./injected_scripts'): file.write(script) served_scripts_lock.release() +some_data = '{"some": "data"}' + catalog = { 'http://gotmyowndoma.in': (302, {'location': 'http://gotmyowndoma.in/index.html'}, None), @@ -103,6 +105,9 @@ catalog = { 'https://gotmyowndoma.in/scripts_to_block_1.html': (200, {}, here / 'data' / 'pages' / 'scripts_to_block_1.html'), + 'https://anotherdoma.in/resource/blocked/by/CORS.json': + lambda command, get_params, post_params: (200, {}, some_data), + 'https://serve.scrip.ts/': serve_script, 'https://site.with.scripts.block.ed': |