1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
# SPDX-License-Identifier: CC0-1.0
"""
Haketilo unit tests - exposing some special functionalities to injected scripts
"""
# This file is part of Haketilo
#
# Copyright (C) 2022 Wojtek Kosior <koszko@koszko.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the CC0 1.0 Universal License as published by
# the Creative Commons Corporation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# CC0 1.0 Universal License for more details.
import pytest
import json
from selenium.webdriver.support.ui import WebDriverWait
from ..script_loader import load_script
from ..world_wide_library import some_data
def content_script():
return load_script('content/haketilo_apis.js') + ';\nstart();'
def background_script():
return load_script('background/CORS_bypass_server.js') + ';\nstart();'
resource_url = 'https://anotherdoma.in/resource/blocked/by/CORS.json'
@pytest.mark.ext_data({
'content_script': content_script,
'background_script': background_script
})
@pytest.mark.usefixtures('webextension')
def test_haketilo_apis_CORS_bypass(driver):
"""
Verify injected scripts will be able to bypass CORS with the help of
Haketilo API.
"""
driver.get('https://gotmyowndoma.in/')
# First, verify that it is impossible to normally fetch the resource.
with pytest.raises(Exception, match='NetworkError'):
driver.execute_script('return fetch(arguments[0]);', resource_url)
# First, verify that it is possible to fetch the resource using API.
response = driver.execute_script(
'''
const fetch_arg = {
url: arguments[0],
init: {},
verify_that_nonstandard_properties_are_ignored: ":)"
};
const detail = {
data: JSON.stringify(fetch_arg),
id: "abcdef",
nonstandard_properties_verify_that_ignored_are: ":o"
};
let cb, done = new Promise(_cb => cb = _cb);
window.addEventListener("haketilo_CORS_bypass-abcdef",
e => cb(JSON.parse(e.detail)));
window.dispatchEvent(new CustomEvent("haketilo_CORS_bypass", {detail}));
return done;
''',
resource_url)
assert response['body'] == some_data.encode().hex()
assert response['status'] == 200
assert type(response['headers']) is list
@pytest.mark.ext_data({
'content_script': content_script,
'background_script': background_script
})
@pytest.mark.usefixtures('webextension')
@pytest.mark.parametrize('error', [
'bad url',
'no_url',
'non_string_url',
'non_object_init',
'non_object_detail',
'non_string_id',
'non_string_data'
])
def test_haketilo_apis_CORS_bypass_errors(driver, error):
"""
Verify errors are returned properly by CORS_bypass API.
"""
data = {
'bad_url': {'url': 'muahahahaha', 'init': {}},
'no_url': {'init': {}},
'non_string_url': {'url': {}, 'init': {}},
'non_object_init': {'url': {}, 'init': ":d"},
}.get(error, {'url': resource_url, 'init': {}})
detail = {
'non_object_detail': '!!!',
'non_string_id': {'data': json.dumps(data), 'id': None},
'non_string_data': {'data': data, 'id': 'abcdef'}
}.get(error, {'data': json.dumps(data), 'id': 'abcdef'})
driver.get('https://gotmyowndoma.in/')
result = driver.execute_script(
'''
let cb, done = new Promise(_cb => cb = _cb);
window.addEventListener("haketilo_CORS_bypass-abcdef",
e => cb(JSON.parse(e.detail)));
window.dispatchEvent(new CustomEvent("haketilo_CORS_bypass",
{detail: arguments[0]}));
setTimeout(() => cb("timeout"), 5000);
return done;
''',
detail)
if error in {'bad_url', 'no_url', 'non_string_url', 'non_object_init'}:
assert result['error']['name'] == 'TypeError'
if error in {'non_object_detail', 'non_string_id', 'non_string_data'}:
assert result == 'timeout'
|