diff options
author | Wojtek Kosior <koszko@koszko.org> | 2021-11-20 18:29:59 +0100 |
---|---|---|
committer | Wojtek Kosior <koszko@koszko.org> | 2021-11-20 18:29:59 +0100 |
commit | 96068ada37bfa1d7e6485551138ba36600664caf (patch) | |
tree | 8c471e2b16a37d3ea83843385ee9c89859313046 /background | |
parent | bd767301579c2253d34f60d4ebc4a647cbee5a53 (diff) | |
download | browser-extension-96068ada37bfa1d7e6485551138ba36600664caf.tar.gz browser-extension-96068ada37bfa1d7e6485551138ba36600664caf.zip |
replace cookies with synchronous XmlHttpRequest as policy smuggling method.
Note: this breaks Mozilla port of Haketilo. Synchronous XmlHttpRequest doesn't work as well there. This will be fixed with dynamically-registered content scripts later.
Diffstat (limited to 'background')
-rw-r--r-- | background/cookie_filter.js | 46 | ||||
-rw-r--r-- | background/main.js | 120 | ||||
-rw-r--r-- | background/page_actions_server.js | 32 | ||||
-rw-r--r-- | background/policy_injector.js | 67 | ||||
-rw-r--r-- | background/stream_filter.js | 6 |
5 files changed, 115 insertions, 156 deletions
diff --git a/background/cookie_filter.js b/background/cookie_filter.js deleted file mode 100644 index 64d18b2..0000000 --- a/background/cookie_filter.js +++ /dev/null @@ -1,46 +0,0 @@ -/** - * This file is part of Haketilo. - * - * Function: Filtering request headers to remove haketilo cookies that might - * have slipped through. - * - * Copyright (C) 2021 Wojtek Kosior - * Redistribution terms are gathered in the `copyright' file. - */ - -/* - * IMPORTS_START - * IMPORT extract_signed - * IMPORTS_END - */ - -function is_valid_haketilo_cookie(cookie) -{ - const match = /^haketilo-(\w*)=(.*)$/.exec(cookie); - if (!match) - return false; - - return !extract_signed(match.slice(1, 3)).fail; -} - -function remove_haketilo_cookies(header) -{ - if (header.name !== "Cookie") - return header; - - const cookies = header.value.split("; "); - const value = cookies.filter(c => !is_valid_haketilo_cookie(c)).join("; "); - - return value ? {name: "Cookie", value} : null; -} - -function filter_cookie_headers(headers) -{ - return headers.map(remove_haketilo_cookies).filter(h => h); -} - -/* - * EXPORTS_START - * EXPORT filter_cookie_headers - * EXPORTS_END - */ diff --git a/background/main.js b/background/main.js index 40b3a9e..9cdfb97 100644 --- a/background/main.js +++ b/background/main.js @@ -17,11 +17,10 @@ * IMPORT browser * IMPORT is_privileged_url * IMPORT query_best - * IMPORT gen_nonce * IMPORT inject_csp_headers * IMPORT apply_stream_filter - * IMPORT filter_cookie_headers * IMPORT is_chrome + * IMPORT is_mozilla * IMPORTS_END */ @@ -51,34 +50,53 @@ async function init_ext(install_details) browser.runtime.onInstalled.addListener(init_ext); +/* + * The function below implements a more practical interface for what it does by + * wrapping the old query_best() function. + */ +function decide_policy_for_url(storage, policy_observable, url) +{ + if (storage === undefined) + return {allow: false}; + + const settings = + {allow: policy_observable !== undefined && policy_observable.value}; + + const [pattern, queried_settings] = query_best(storage, url); + + if (queried_settings) { + settings.payload = queried_settings.components; + settings.allow = !!queried_settings.allow && !settings.payload; + settings.pattern = pattern; + } + + return settings; +} let storage; let policy_observable = {}; -function on_headers_received(details) +function sanitize_web_page(details) { const url = details.url; if (is_privileged_url(details.url)) return; - const [pattern, settings] = query_best(storage, details.url); - const has_payload = !!(settings && settings.components); - const allow = !has_payload && - !!(settings ? settings.allow : policy_observable.value); - const nonce = gen_nonce(); - const policy = {allow, url, nonce, has_payload}; + const policy = + decide_policy_for_url(storage, policy_observable, details.url); let headers = details.responseHeaders; + + headers = inject_csp_headers(headers, policy); + let skip = false; for (const header of headers) { if ((header.name.toLowerCase().trim() === "content-disposition" && /^\s*attachment\s*(;.*)$/i.test(header.value))) skip = true; } - - headers = inject_csp_headers(headers, policy); - skip = skip || (details.statusCode >= 300 && details.statusCode < 400); + if (!skip) { /* Check for API availability. */ if (browser.webRequest.filterResponseData) @@ -88,11 +106,49 @@ function on_headers_received(details) return {responseHeaders: headers}; } -function on_before_send_headers(details) +const request_url_regex = /^[^?]*\?url=(.*)$/; +const redirect_url_template = browser.runtime.getURL("dummy") + "?settings="; + +function synchronously_smuggle_policy(details) { - let headers = details.requestHeaders; - headers = filter_cookie_headers(headers); - return {requestHeaders: headers}; + /* + * Content script will make a synchronous XmlHttpRequest to extension's + * `dummy` file to query settings for given URL. We smuggle that + * information in query parameter of the URL we redirect to. + * A risk of fingerprinting arises if a page with script execution allowed + * guesses the dummy file URL and makes an AJAX call to it. It is currently + * a problem in ManifestV2 Chromium-family port of Haketilo because Chromium + * uses predictable URLs for web-accessible resources. We plan to fix it in + * the future ManifestV3 port. + */ + if (details.type !== "xmlhttprequest") + return {cancel: true}; + + console.debug(`Settings queried using XHR for '${details.url}'.`); + + let policy = {allow: false}; + + try { + /* + * request_url should be of the following format: + * <url_for_extension's_dummy_file>?url=<valid_urlencoded_url> + */ + const match = request_url_regex.exec(details.url); + const queried_url = decodeURIComponent(match[1]); + + if (details.initiator && !queried_url.startsWith(details.initiator)) { + console.warn(`Blocked suspicious query of '${url}' by '${details.initiator}'. This might be the result of page fingerprinting the browser.`); + return {cancel: true}; + } + + policy = decide_policy_for_url(storage, policy_observable, queried_url); + } catch (e) { + console.warn(`Bad request! Expected ${browser.runtime.getURL("dummy")}?url=<valid_urlencoded_url>. Got ${request_url}. This might be the result of page fingerprinting the browser.`); + } + + const encoded_policy = encodeURIComponent(JSON.stringify(policy)); + + return {redirectUrl: redirect_url_template + encoded_policy}; } const all_types = [ @@ -110,18 +166,40 @@ async function start_webRequest_operations() extra_opts.push("extraHeaders"); browser.webRequest.onHeadersReceived.addListener( - on_headers_received, + sanitize_web_page, {urls: ["<all_urls>"], types: ["main_frame", "sub_frame"]}, extra_opts.concat("responseHeaders") ); - browser.webRequest.onBeforeSendHeaders.addListener( - on_before_send_headers, - {urls: ["<all_urls>"], types: all_types}, - extra_opts.concat("requestHeaders") + const dummy_url_pattern = browser.runtime.getURL("dummy") + "?url=*"; + browser.webRequest.onBeforeRequest.addListener( + synchronously_smuggle_policy, + {urls: [dummy_url_pattern], types: ["xmlhttprequest"]}, + extra_opts ); policy_observable = await light_storage.observe_var("default_allow"); } start_webRequest_operations(); + +const code = `\ +console.warn("Hi, I'm Mr Dynamic!"); + +console.debug("let's see how window.killtheweb looks like now"); + +console.log("killtheweb", window.killtheweb); +` + +async function test_dynamic_content_scripts() +{ + browser.contentScripts.register({ + "js": [{code}], + "matches": ["<all_urls>"], + "allFrames": true, + "runAt": "document_start" +}); +} + +if (is_mozilla) + test_dynamic_content_scripts(); diff --git a/background/page_actions_server.js b/background/page_actions_server.js index 156a79f..74783c9 100644 --- a/background/page_actions_server.js +++ b/background/page_actions_server.js @@ -16,34 +16,12 @@ * IMPORT browser * IMPORT listen_for_connection * IMPORT sha256 - * IMPORT query_best * IMPORT make_ajax_request * IMPORTS_END */ var storage; var handler; -let policy_observable; - -function send_actions(url, port) -{ - const [pattern, queried_settings] = query_best(storage, url); - - const settings = {allow: policy_observable && policy_observable.value}; - Object.assign(settings, queried_settings); - if (settings.components) - settings.allow = false; - - const repos = storage.get_all(TYPE_PREFIX.REPO); - - port.postMessage(["settings", [pattern, settings, repos]]); - - const components = settings.components; - const processed_bags = new Set(); - - if (components !== undefined) - send_scripts([components], port, processed_bags); -} // TODO: parallelize script fetching async function send_scripts(components, port, processed_bags) @@ -116,9 +94,11 @@ async function fetch_remote_script(script_data) function handle_message(port, message, handler) { port.onMessage.removeListener(handler[0]); - let url = message.url; - console.log({url}); - send_actions(url, port); + console.debug(`Loading payload '${message.payload}'.`); + + const processed_bags = new Set(); + + send_scripts([message.payload], port, processed_bags); } function new_connection(port) @@ -134,8 +114,6 @@ async function start_page_actions_server() storage = await get_storage(); listen_for_connection(CONNECTION_TYPE.PAGE_ACTIONS, new_connection); - - policy_observable = await light_storage.observe_var("default_allow"); } /* diff --git a/background/policy_injector.js b/background/policy_injector.js index 881595b..b49ec47 100644 --- a/background/policy_injector.js +++ b/background/policy_injector.js @@ -10,77 +10,28 @@ /* * IMPORTS_START - * IMPORT sign_data - * IMPORT extract_signed * IMPORT make_csp_rule * IMPORT csp_header_regex + * Re-enable the import below once nonce stuff here is ready + * !mport gen_nonce * IMPORTS_END */ function inject_csp_headers(headers, policy) { let csp_headers; - let old_signature; - let haketilo_header; - for (const header of headers.filter(h => h.name === "x-haketilo")) { - /* x-haketilo header has format: <signature>_0_<data> */ - const match = /^([^_]+)_(0_.*)$/.exec(header.value); - if (!match) - continue; + if (policy.payload) { + headers = headers.filter(h => !csp_header_regex.test(h.name)); - const result = extract_signed(...match.slice(1, 3)); - if (result.fail) - continue; + // TODO: make CSP rules with nonces and facilitate passing them to + // content scripts via dynamic content script registration or + // synchronous XHRs - /* This should succeed - it's our self-produced valid JSON. */ - const old_data = JSON.parse(decodeURIComponent(result.data)); - - /* Confirmed- it's the originals, smuggled in! */ - csp_headers = old_data.csp_headers; - old_signature = old_data.policy_sig; - - haketilo_header = header; - break; + // policy.nonce = gen_nonce(); } - if (policy.has_payload) { - csp_headers = []; - const non_csp_headers = []; - const header_list = - h => csp_header_regex.test(h) ? csp_headers : non_csp_headers; - headers.forEach(h => header_list(h.name).push(h)); - headers = non_csp_headers; - } else { - headers.push(...csp_headers || []); - } - - if (!haketilo_header) { - haketilo_header = {name: "x-haketilo"}; - headers.push(haketilo_header); - } - - if (old_signature) - headers = headers.filter(h => h.value.search(old_signature) === -1); - - const policy_str = encodeURIComponent(JSON.stringify(policy)); - const signed_policy = sign_data(policy_str, new Date().getTime()); - const later_30sec = new Date(new Date().getTime() + 30000).toGMTString(); - headers.push({ - name: "Set-Cookie", - value: `haketilo-${signed_policy.join("=")}; Expires=${later_30sec};` - }); - - /* - * Smuggle in the signature and the original CSP headers for future use. - * These are signed with a time of 0, as it's not clear there is a limit on - * how long Firefox might retain headers in the cache. - */ - let haketilo_data = {csp_headers, policy_sig: signed_policy[0]}; - haketilo_data = encodeURIComponent(JSON.stringify(haketilo_data)); - haketilo_header.value = sign_data(haketilo_data, 0).join("_"); - - if (!policy.allow) { + if (!policy.allow && (policy.nonce || !policy.payload)) { headers.push({ name: "content-security-policy", value: make_csp_rule(policy) diff --git a/background/stream_filter.js b/background/stream_filter.js index e5e0827..e5d124c 100644 --- a/background/stream_filter.js +++ b/background/stream_filter.js @@ -174,8 +174,7 @@ function filter_data(properties, event) * as harmless anyway). */ - const dummy_script = - `<script data-haketilo-deleteme="${properties.policy.nonce}" nonce="${properties.policy.nonce}">null</script>`; + const dummy_script = `<script>null</script>`; const doctype_decl = /^(\s*<!doctype[^<>"']*>)?/i.exec(decoded)[0]; decoded = doctype_decl + dummy_script + decoded.substring(doctype_decl.length); @@ -189,11 +188,10 @@ function filter_data(properties, event) function apply_stream_filter(details, headers, policy) { - if (!policy.has_payload) + if (!policy.payload) return headers; const properties = properties_from_headers(headers); - properties.policy = policy; properties.filter = browser.webRequest.filterResponseData(details.requestId); |