Microsoft has acquired GitHub. Decentraleyes has left GitHub. Welcome to its new home!

To participate, please register, or sign in with an existing GitLab.com, Bitbucket, or GitHub account.

Past contributions on GitHub? Be sure to reclaim your Comments, Issues, and Pull Requests.

Restrict XHR handling to one trusted domain

parent 06017793
......@@ -21,6 +21,7 @@
"shorthands": true,
"stateManager": true,
"WebRequest": true,
"WebRequestType": true,
"Whitelist": true,
"wrappers": true
},
......
......@@ -47,7 +47,8 @@ const Setting = {
'SHOW_ICON_BADGE': 'showIconBadge',
'SHOW_RELEASE_NOTES': 'showReleaseNotes',
'STRIP_METADATA': 'stripMetadata',
'WHITELISTED_DOMAINS': 'whitelistedDomains'
'WHITELISTED_DOMAINS': 'whitelistedDomains',
'XHR_TEST_DOMAIN': 'xhrTestDomain'
};
const WebRequest = {
......@@ -56,6 +57,10 @@ const WebRequest = {
'HEADERS': 'requestHeaders'
};
const WebRequestType = {
'XHR': 'xmlhttprequest'
};
const Whitelist = {
'TRIM_EXPRESSION': /^;+|;+$/g,
'VALUE_SEPARATOR': ';'
......
......@@ -42,6 +42,13 @@ interceptor.handleRequest = function (requestDetails, tabIdentifier, tab) {
tabDomain = Address.EXAMPLE;
}
if (requestDetails.type === WebRequestType.XHR) {
if (tabDomain !== interceptor.xhrTestDomain) {
return interceptor._handleMissingCandidate(requestDetails.url);
}
}
// Temporary list of undetectable tainted domains.
let undetectableTaintedDomains = {
'10fastfingers.com': true,
......@@ -125,6 +132,10 @@ interceptor._handleMissingCandidate = function (requestUrl) {
interceptor._handleStorageChanged = function (changes) {
if (Setting.XHR_TEST_DOMAIN in changes) {
interceptor.xhrTestDomain = changes.xhrTestDomain.newValue;
}
if (Setting.BLOCK_MISSING in changes) {
interceptor.blockMissing = changes.blockMissing.newValue;
}
......@@ -137,9 +148,17 @@ interceptor._handleStorageChanged = function (changes) {
interceptor.amountInjected = 0;
interceptor.blockMissing = false;
chrome.storage.local.get([Setting.AMOUNT_INJECTED, Setting.BLOCK_MISSING], function (items) {
interceptor.relatedSettings = [
Setting.AMOUNT_INJECTED,
Setting.XHR_TEST_DOMAIN,
Setting.BLOCK_MISSING
];
chrome.storage.local.get(interceptor.relatedSettings, function (items) {
interceptor.amountInjected = items.amountInjected || 0;
interceptor.xhrTestDomain = items.xhrTestDomain || 'decentraleyes.org';
interceptor.blockMissing = items.blockMissing || false;
});
......
......@@ -26,6 +26,7 @@ var main = {};
main._initializeOptions = function () {
let optionDefaults = {
[Setting.XHR_TEST_DOMAIN]: 'decentraleyes.org',
[Setting.SHOW_ICON_BADGE]: true,
[Setting.BLOCK_MISSING]: false,
[Setting.DISABLE_PREFETCH]: true,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment