/** * This file is part of Haketilo. * * Function: Modify HTTP traffic usng webRequest API. * * Copyright (C) 2021 Wojtek Kosior * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * As additional permission under GNU GPL version 3 section 7, you * may distribute forms of that code without the copy of the GNU * GPL normally required by section 4, provided you include this * license notice and, in case of non-source distribution, a URL * through which recipients can access the Corresponding Source. * If you modify file(s) with this exception, you may extend this * exception to your version of the file(s), but you are not * obligated to do so. If you do not wish to do so, delete this * exception statement from your version. * * As a special exception to the GPL, any HTML file which merely * makes function calls to this code, and for that purpose * includes it by reference shall be deemed a separate work for * copyright law purposes. If you modify this code, you may extend * this exception to your version of the code, but you are not * obligated to do so. If you do not wish to do so, delete this * exception statement from your version. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * I, Wojtek Kosior, thereby promise not to sue for violation of this file's * license. Although I request that you do not make use of this code in a * proprietary program, I am not going to enforce this in court. */ #IMPORT common/indexeddb.js AS haketilodb #IF MOZILLA #IMPORT background/stream_filter.js #ENDIF #FROM common/browser.js IMPORT browser #FROM common/misc.js IMPORT is_privileged_url, csp_header_regex #FROM common/policy.js IMPORT decide_policy #FROM background/patterns_query_manager.js IMPORT tree, default_allow let secret; function on_headers_received(details) { const url = details.url; if (is_privileged_url(details.url)) return; let headers = details.responseHeaders; const policy = decide_policy(tree, details.url, !!default_allow.value, secret); if (policy.allow) return; if (policy.payload) headers = headers.filter(h => !csp_header_regex.test(h.name)); headers.push({name: "Content-Security-Policy", value: policy.csp}); #IF MOZILLA let skip = false; for (const header of headers) { if (header.name.toLowerCase().trim() !== "content-disposition") continue; if (/^\s*attachment\s*(;.*)$/i.test(header.value)) { skip = true; } else { skip = false; break; } } skip = skip || (details.statusCode >= 300 && details.statusCode < 400); if (!skip) headers = stream_filter.apply(details, headers, policy); #ENDIF return {responseHeaders: headers}; } #IF CHROMIUM && MV2 const request_url_regex = /^[^?]*\?url=(.*)$/; const redirect_url_template = browser.runtime.getURL("dummy") + "?settings="; function on_before_request(details) { /* * Content script will make a synchronous XmlHttpRequest to extension's * `dummy` file to query settings for given URL. We smuggle that * information in query parameter of the URL we redirect to. * A risk of fingerprinting arises if a page with script execution allowed * guesses the dummy file URL and makes an AJAX call to it. It is currently * a problem in ManifestV2 Chromium-family port of Haketilo because Chromium * uses predictable URLs for web-accessible resources. We plan to fix it in * the future ManifestV3 port. */ if (details.type !== "xmlhttprequest") return {cancel: true}; if (details.url.startsWith(redirect_url_template)) return; #IF DEBUG console.debug(`Haketilo: Settings queried using XHR for '${details.url}'.`); #ENDIF /* * request_url should be of the following format: * ?url= */ const match = request_url_regex.exec(details.url); if (match) { const queried_url = decodeURIComponent(match[1]); if (details.initiator && !queried_url.startsWith(details.initiator)) { console.warn(`Haketilo: Blocked suspicious query of '${url}' by '${details.initiator}'. This might be the result of page fingerprinting the browser.`); return {cancel: true}; } const policy = decide_policy(tree, queried_url, default_allow, secret); if (!policy.error) { const encoded_policy = encodeURIComponent(JSON.stringify(policy)); return {redirectUrl: redirect_url_template + encoded_policy}; } } console.warn(`Haketilo: Bad request! Expected ${browser.runtime.getURL("dummy")}?url=. Got ${details.url}. This might be the result of page fingerprinting the browser.`); return {cancel: true}; } const all_types = [ "main_frame", "sub_frame", "stylesheet", "script", "image", "font", "object", "xmlhttprequest", "ping", "csp_report", "media", "websocket", "other", "main_frame", "sub_frame" ]; #ENDIF async function start(secret_) { secret = secret_; #IF CHROMIUM const extra_opts = ["blocking", "extraHeaders"]; #ELSE const extra_opts = ["blocking"]; #ENDIF browser.webRequest.onHeadersReceived.addListener( on_headers_received, {urls: [""], types: ["main_frame", "sub_frame"]}, extra_opts.concat("responseHeaders") ); #IF CHROMIUM && MV2 browser.webRequest.onBeforeRequest.addListener( on_before_request, {urls: [browser.runtime.getURL("dummy") + "*"], types: all_types}, extra_opts ); #ENDIF } #EXPORT start