From fba67f09ddedda6182d35b2fa1478115dc766905 Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Thu, 24 Mar 2022 20:42:10 +0100 Subject: allow injected scripts to bypass CORS using provided API --- content/haketilo_apis.js | 28 +++++++++++ test/haketilo_test/unit/test_haketilo_apis.py | 67 +++++++++++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 test/haketilo_test/unit/test_haketilo_apis.py diff --git a/content/haketilo_apis.js b/content/haketilo_apis.js index 36e987d..772e843 100644 --- a/content/haketilo_apis.js +++ b/content/haketilo_apis.js @@ -43,7 +43,35 @@ */ #FROM common/browser.js IMPORT browser +#FROM common/misc.js IMPORT error_data_jsonifiable + +async function on_CORS_bypass(event) { + const name = "haketilo_CORS_bypass"; + + console.warn("delme event", event.detail); + + if (typeof event.detail.id !== "string" || + typeof event.detail.data !== "string") { + console.error(`Haketilo: Invalid detail for ${name}:`, + event.detail); + return; + } + + try { + const data = JSON.parse(event.detail.data); + var result = await browser.runtime.sendMessage(["CORS_bypass", data]); + if (result === undefined) + throw new Error("Couldn't communicate with Haketilo background script."); + } catch(e) { + var result = {error: error_data_jsonifiable(e)}; + } + + const response_name = `${name}-${event.detail.id}`; + const detail = JSON.stringify(result); + window.dispatchEvent(new CustomEvent(response_name, {detail})); +} function start() { + window.addEventListener("haketilo_CORS_bypass", on_CORS_bypass); } #EXPORT start diff --git a/test/haketilo_test/unit/test_haketilo_apis.py b/test/haketilo_test/unit/test_haketilo_apis.py new file mode 100644 index 0000000..7dca4db --- /dev/null +++ b/test/haketilo_test/unit/test_haketilo_apis.py @@ -0,0 +1,67 @@ +# SPDX-License-Identifier: CC0-1.0 + +""" +Haketilo unit tests - exposing some special functionalities to injected scripts +""" + +# This file is part of Haketilo +# +# Copyright (C) 2022 Wojtek Kosior +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the CC0 1.0 Universal License as published by +# the Creative Commons Corporation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# CC0 1.0 Universal License for more details. + +import pytest +import json +from selenium.webdriver.support.ui import WebDriverWait + +from ..script_loader import load_script +from ..world_wide_library import some_data + +def content_script(): + return load_script('content/haketilo_apis.js') + ';\nstart();' + +def background_script(): + return load_script('background/CORS_bypass_server.js') + ';\nstart();' + +@pytest.mark.ext_data({ + 'content_script': content_script, + 'background_script': background_script +}) +@pytest.mark.usefixtures('webextension') +def test_haketilo_apis_CORS_bypass(driver): + """ + Verify injected scripts will be able to bypass CORS with the help of + Haketilo API. + """ + driver.get('https://gotmyowndoma.in/') + driver.execute_script( + ''' + const fetch_arg = { + url: "https://anotherdoma.in/resource/blocked/by/CORS.json", + init: {} + }; + + const detail = { + data: JSON.stringify(fetch_arg), + id: "abcdef" + }; + + window.addEventListener("haketilo_CORS_bypass-abcdef", + e => window.__response = e.detail); + window.dispatchEvent(new CustomEvent("haketilo_CORS_bypass", {detail})); + ''') + + get_response = lambda d: d.execute_script("return window.__response;") + response = WebDriverWait(driver, 10).until(get_response) + response = json.loads(response) + + assert response['body'] == some_data.encode().hex() + assert response['status'] == 200 + assert type(response['headers']) is list -- cgit v1.2.3