From ba330010e7eeeed244b61dbdf4dfaba351ee7133 Mon Sep 17 00:00:00 2001
From: Thomas Rientjes <synzvato@protonmail.com>
Date: Fri, 18 May 2018 00:14:39 +0200
Subject: [PATCH] Restrict XHR handling to one trusted domain

---
 .eslintrc | 1 +
 core/constants.js | 7 ++++++-
 core/interceptor.js | 21 ++++++++++++++++++++-
 core/main.js | 1 +
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/.eslintrc b/.eslintrc
index a1b6ff0..de12eff 100644
--- a/.eslintrc
+++ b/.eslintrc
@@ -21,6 +21,7 @@
 "shorthands": true,
 "stateManager": true,
 "WebRequest": true,
+ "WebRequestType": true,
 "Whitelist": true,
 "wrappers": true
 },
diff --git a/core/constants.js b/core/constants.js
index f476a93..f4edd00 100644
--- a/core/constants.js
+++ b/core/constants.js
@@ -47,7 +47,8 @@ const Setting = {
 'SHOW_ICON_BADGE': 'showIconBadge',
 'SHOW_RELEASE_NOTES': 'showReleaseNotes',
 'STRIP_METADATA': 'stripMetadata',
- 'WHITELISTED_DOMAINS': 'whitelistedDomains'
+ 'WHITELISTED_DOMAINS': 'whitelistedDomains',
+ 'XHR_TEST_DOMAIN': 'xhrTestDomain'
 };
 
 const WebRequest = {
@@ -56,6 +57,10 @@ const WebRequest = {
 'HEADERS': 'requestHeaders'
 };
 
+const WebRequestType = {
+ 'XHR': 'xmlhttprequest'
+};
+
 const Whitelist = {
 'TRIM_EXPRESSION': /^;+|;+$/g,
 'VALUE_SEPARATOR': ';'
diff --git a/core/interceptor.js b/core/interceptor.js
index 1e57da6..561a101 100644
--- a/core/interceptor.js
+++ b/core/interceptor.js
@@ -42,6 +42,13 @@ interceptor.handleRequest = function (requestDetails, tabIdentifier, tab) {
 tabDomain = Address.EXAMPLE;
 }
 
+ if (requestDetails.type === WebRequestType.XHR) {
+
+ if (tabDomain !== interceptor.xhrTestDomain) {
+ return interceptor._handleMissingCandidate(requestDetails.url);
+ }
+ }
+
 // Temporary list of undetectable tainted domains.
 let undetectableTaintedDomains = {
 '10fastfingers.com': true,
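Review bot: The new XHR branch in `handleRequest` has no comment saying why an XHR from any tab other than `interceptor.xhrTestDomain` is routed to `_handleMissingCandidate`, and the two nested `if`s could be one guard: `if (requestDetails.type === WebRequestType.XHR && tabDomain !== interceptor.xhrTestDomain) {`. The comparison is an exact string match, so a subdomain of the configured domain, a differently cased `tabDomain`, or the `Address.EXAMPLE` fallback set just above all fail closed, which is the safe direction but deserves to be stated, e.g. `// XHRs are only intercepted on the configured test domain (exact host match); every other origin takes the missing-candidate path.`. Note also that `interceptor.xhrTestDomain` is unset until the `chrome.storage.local.get` callback added later in this patch has run, so no XHR can match during startup; presumably intended, but worth a word in the same comment. handleRequest begins and ends outside this hunk.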
@@ -125,6 +132,10 @@ interceptor._handleMissingCandidate = function (requestUrl) {
 
 interceptor._handleStorageChanged = function (changes) {
 
+ if (Setting.XHR_TEST_DOMAIN in changes) {
+ interceptor.xhrTestDomain = changes.xhrTestDomain.newValue;
+ }
+
 if (Setting.BLOCK_MISSING in changes) {
 interceptor.blockMissing = changes.blockMissing.newValue;
 }
@@ -137,9 +148,17 @@ interceptor._handleStorageChanged = function (changes) {
 interceptor.amountInjected = 0;
 interceptor.blockMissing = false;
 
-chrome.storage.local.get([Setting.AMOUNT_INJECTED, Setting.BLOCK_MISSING], function (items) {
+interceptor.relatedSettings = [
+ Setting.AMOUNT_INJECTED,
+ Setting.XHR_TEST_DOMAIN,
+ Setting.BLOCK_MISSING
+];
+
+chrome.storage.local.get(interceptor.relatedSettings, function (items) {
 
 interceptor.amountInjected = items.amountInjected || 0;
+ interceptor.xhrTestDomain = items.xhrTestDomain || 'decentraleyes.org';
 interceptor.blockMissing = items.blockMissing || false;
 });
 
diff --git a/core/main.js b/core/main.js
index 6c5557c..30454ba 100644
--- a/core/main.js
+++ b/core/main.js
@@ -26,6 +26,7 @@ var main = {};
 main._initializeOptions = function () {
 
 let optionDefaults = {
+ [Setting.XHR_TEST_DOMAIN]: 'decentraleyes.org',
 [Setting.SHOW_ICON_BADGE]: true,
 [Setting.BLOCK_MISSING]: false,
 [Setting.DISABLE_PREFETCH]: true,
-- 
GitLab
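Review bot: The new block in `_handleStorageChanged` tests for the key via `Setting.XHR_TEST_DOMAIN` but then reads it through the literal property `changes.xhrTestDomain`, so the constant protects only half of the access; `interceptor.xhrTestDomain = changes[Setting.XHR_TEST_DOMAIN].newValue;` keeps both sides in step. When the key is removed from storage `newValue` is undefined, which leaves the in-memory domain undefined so that no tab matches, whereas the initial load in the next hunk falls back to `'decentraleyes.org'`; the two paths should agree on what an absent value means, and a one-line comment should say which way it is meant to go. The existing `blockMissing` branch below follows the same literal-key pattern, so the same change is probably wanted there. The function's closing line is outside this hunk.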
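Review bot: The default `'decentraleyes.org'` is now a bare literal both here (`items.xhrTestDomain || 'decentraleyes.org'`) and in `core/main.js` `_initializeOptions` (`[Setting.XHR_TEST_DOMAIN]: 'decentraleyes.org'`), and because the check in `handleRequest` is an exact host match, the two copies drifting apart would silently disable XHR interception everywhere with no error. One named constant in `core/constants.js`, presumably alongside wherever `Address.EXAMPLE` is defined, referenced from both places removes that risk. The key is likewise read as the literal `items.xhrTestDomain` although it was requested via `Setting.XHR_TEST_DOMAIN` in `relatedSettings`; `items[Setting.XHR_TEST_DOMAIN]` would keep the lookup tied to the same constant.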