diff options
Diffstat (limited to 'background/webrequest.js')
| -rw-r--r-- | background/webrequest.js | 189 |
1 files changed, 189 insertions, 0 deletions
diff --git a/background/webrequest.js b/background/webrequest.js new file mode 100644 index 0000000..e32947a --- /dev/null +++ b/background/webrequest.js @@ -0,0 +1,189 @@ +/** + * This file is part of Haketilo. + * + * Function: Modify HTTP traffic usng webRequest API. + * + * Copyright (C) 2021 Wojtek Kosior <koszko@koszko.org> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * As additional permission under GNU GPL version 3 section 7, you + * may distribute forms of that code without the copy of the GNU + * GPL normally required by section 4, provided you include this + * license notice and, in case of non-source distribution, a URL + * through which recipients can access the Corresponding Source. + * If you modify file(s) with this exception, you may extend this + * exception to your version of the file(s), but you are not + * obligated to do so. If you do not wish to do so, delete this + * exception statement from your version. + * + * As a special exception to the GPL, any HTML file which merely + * makes function calls to this code, and for that purpose + * includes it by reference shall be deemed a separate work for + * copyright law purposes. If you modify this code, you may extend + * this exception to your version of the code, but you are not + * obligated to do so. If you do not wish to do so, delete this + * exception statement from your version. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/>. + * + * I, Wojtek Kosior, thereby promise not to sue for violation of this file's + * license. Although I request that you do not make use this code in a + * proprietary program, I am not going to enforce this in court. + */ + +#IMPORT common/indexeddb.js AS haketilodb +#IF MOZILLA +#IMPORT background/stream_filter.js +#ENDIF + +#FROM common/browser.js IMPORT browser +#FROM common/misc.js IMPORT is_privileged_url, csp_header_regex +#FROM common/policy.js IMPORT decide_policy + +#FROM background/patterns_query_manager.js IMPORT tree + +let secret; + +let default_allow = false; + +async function track_default_allow() +{ + const set_val = ch => default_allow = (ch.new_val || {}).value; + const [tracking, settings] = await haketilodb.track.settings(set_val); + for (const setting of settings) { + if (setting.name === "default_allow") + default_allow = setting.value; + } +} + +function on_headers_received(details) +{ + const url = details.url; + if (is_privileged_url(details.url)) + return; + + let headers = details.responseHeaders; + + const policy = decide_policy(tree, details.url, default_allow, secret); + if (policy.allow) + return; + + if (policy.payload) + headers = headers.filter(h => !csp_header_regex.test(h.name)); + + headers.push({name: "Content-Security-Policy", value: policy.csp}); + +#IF MOZILLA + let skip = false; + for (const header of headers) { + if (header.name.toLowerCase().trim() !== "content-disposition") + continue; + + if (/^\s*attachment\s*(;.*)$/i.test(header.value)) { + skip = true; + } else { + skip = false; + break; + } + } + skip = skip || (details.statusCode >= 300 && details.statusCode < 400); + + if (!skip) + headers = stream_filter.apply(details, headers, policy); +#ENDIF + + return {responseHeaders: headers}; +} + +#IF CHROMIUM && MV2 +const request_url_regex = /^[^?]*\?url=(.*)$/; +const redirect_url_template = browser.runtime.getURL("dummy") + "?settings="; + +function on_before_request(details) +{ + /* + * Content script will make a synchronous XmlHttpRequest to extension's + * `dummy` file to query settings for given URL. We smuggle that + * information in query parameter of the URL we redirect to. + * A risk of fingerprinting arises if a page with script execution allowed + * guesses the dummy file URL and makes an AJAX call to it. It is currently + * a problem in ManifestV2 Chromium-family port of Haketilo because Chromium + * uses predictable URLs for web-accessible resources. We plan to fix it in + * the future ManifestV3 port. + */ + if (details.type !== "xmlhttprequest") + return {cancel: true}; + +#IF DEBUG + console.debug(`Settings queried using XHR for '${details.url}'.`); +#ENDIF + + /* + * request_url should be of the following format: + * <url_for_extension's_dummy_file>?url=<valid_urlencoded_url> + */ + const match = request_url_regex.exec(details.url); + if (match) { + const queried_url = decodeURIComponent(match[1]); + + if (details.initiator && !queried_url.startsWith(details.initiator)) { + console.warn(`Blocked suspicious query of '${url}' by '${details.initiator}'. This might be the result of page fingerprinting the browser.`); + return {cancel: true}; + } + + const policy = decide_policy(tree, details.url, default_allow, secret); + if (!policy.error) { + const encoded_policy = encodeURIComponent(JSON.stringify(policy)); + return {redirectUrl: redirect_url_template + encoded_policy}; + } + } + + console.warn(`Bad request! Expected ${browser.runtime.getURL("dummy")}?url=<valid_urlencoded_url>. Got ${request_url}. This might be the result of page fingerprinting the browser.`); + + return {cancel: true}; +} + +const all_types = [ + "main_frame", "sub_frame", "stylesheet", "script", "image", "font", + "object", "xmlhttprequest", "ping", "csp_report", "media", "websocket", + "other", "main_frame", "sub_frame" +]; +#ENDIF + +async function start(secret_) +{ + secret = secret_; + +#IF CHROMIUM + const extra_opts = ["blocking", "extraHeaders"]; +#ELSE + const extra_opts = ["blocking"]; +#ENDIF + + browser.webRequest.onHeadersReceived.addListener( + on_headers_received, + {urls: ["<all_urls>"], types: ["main_frame", "sub_frame"]}, + extra_opts.concat("responseHeaders") + ); + +#IF CHROMIUM && MV2 + browser.webRequest.onBeforeRequest.addListener( + on_before_request, + {urls: [browser.runtime.getURL("dummy") + "*"], types: all_types}, + extra_opts + ); +#ENDIF + + await track_default_allow(); +} +#EXPORT start |