Verified Commit ba330010 authored by Thomas Rientjes's avatar Thomas Rientjes

Restrict XHR handling to one trusted domain

parent 06017793
...@@ -21,6 +21,7 @@ ...@@ -21,6 +21,7 @@
"shorthands": true, "shorthands": true,
"stateManager": true, "stateManager": true,
"WebRequest": true, "WebRequest": true,
"WebRequestType": true,
"Whitelist": true, "Whitelist": true,
"wrappers": true "wrappers": true
}, },
......
...@@ -47,7 +47,8 @@ const Setting = { ...@@ -47,7 +47,8 @@ const Setting = {
'SHOW_ICON_BADGE': 'showIconBadge', 'SHOW_ICON_BADGE': 'showIconBadge',
'SHOW_RELEASE_NOTES': 'showReleaseNotes', 'SHOW_RELEASE_NOTES': 'showReleaseNotes',
'STRIP_METADATA': 'stripMetadata', 'STRIP_METADATA': 'stripMetadata',
'WHITELISTED_DOMAINS': 'whitelistedDomains' 'WHITELISTED_DOMAINS': 'whitelistedDomains',
'XHR_TEST_DOMAIN': 'xhrTestDomain'
}; };
const WebRequest = { const WebRequest = {
...@@ -56,6 +57,10 @@ const WebRequest = { ...@@ -56,6 +57,10 @@ const WebRequest = {
'HEADERS': 'requestHeaders' 'HEADERS': 'requestHeaders'
}; };
const WebRequestType = {
'XHR': 'xmlhttprequest'
};
const Whitelist = { const Whitelist = {
'TRIM_EXPRESSION': /^;+|;+$/g, 'TRIM_EXPRESSION': /^;+|;+$/g,
'VALUE_SEPARATOR': ';' 'VALUE_SEPARATOR': ';'
......
...@@ -42,6 +42,13 @@ interceptor.handleRequest = function (requestDetails, tabIdentifier, tab) { ...@@ -42,6 +42,13 @@ interceptor.handleRequest = function (requestDetails, tabIdentifier, tab) {
tabDomain = Address.EXAMPLE; tabDomain = Address.EXAMPLE;
} }
if (requestDetails.type === WebRequestType.XHR) {
if (tabDomain !== interceptor.xhrTestDomain) {
return interceptor._handleMissingCandidate(requestDetails.url);
}
}
// Temporary list of undetectable tainted domains. // Temporary list of undetectable tainted domains.
let undetectableTaintedDomains = { let undetectableTaintedDomains = {
'10fastfingers.com': true, '10fastfingers.com': true,
...@@ -125,6 +132,10 @@ interceptor._handleMissingCandidate = function (requestUrl) { ...@@ -125,6 +132,10 @@ interceptor._handleMissingCandidate = function (requestUrl) {
interceptor._handleStorageChanged = function (changes) { interceptor._handleStorageChanged = function (changes) {
if (Setting.XHR_TEST_DOMAIN in changes) {
interceptor.xhrTestDomain = changes.xhrTestDomain.newValue;
}
if (Setting.BLOCK_MISSING in changes) { if (Setting.BLOCK_MISSING in changes) {
interceptor.blockMissing = changes.blockMissing.newValue; interceptor.blockMissing = changes.blockMissing.newValue;
} }
...@@ -137,9 +148,17 @@ interceptor._handleStorageChanged = function (changes) { ...@@ -137,9 +148,17 @@ interceptor._handleStorageChanged = function (changes) {
interceptor.amountInjected = 0; interceptor.amountInjected = 0;
interceptor.blockMissing = false; interceptor.blockMissing = false;
chrome.storage.local.get([Setting.AMOUNT_INJECTED, Setting.BLOCK_MISSING], function (items) { interceptor.relatedSettings = [
Setting.AMOUNT_INJECTED,
Setting.XHR_TEST_DOMAIN,
Setting.BLOCK_MISSING
];
chrome.storage.local.get(interceptor.relatedSettings, function (items) {
interceptor.amountInjected = items.amountInjected || 0; interceptor.amountInjected = items.amountInjected || 0;
interceptor.xhrTestDomain = items.xhrTestDomain || 'decentraleyes.org';
interceptor.blockMissing = items.blockMissing || false; interceptor.blockMissing = items.blockMissing || false;
}); });
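Review bot: The storage-change handler at `interceptor.xhrTestDomain = changes.xhrTestDomain.newValue;` stores the raw new value, while initialization falls back with `items.xhrTestDomain || 'decentraleyes.org'`; if the setting is ever cleared, `xhrTestDomain` becomes undefined and the exact comparison `tabDomain !== interceptor.xhrTestDomain` then routes every XHR through `_handleMissingCandidate`, which fails closed but silently diverges from the configured default. Mirroring the initializer, `interceptor.xhrTestDomain = changes.xhrTestDomain.newValue || 'decentraleyes.org';`, keeps both paths consistent. Note also that the check is an exact string match, so a subdomain of the trusted domain is treated as untrusted — presumably intended, but a comment above the `if` such as `// Only the configured XHR test domain may have its XHRs handled; any other origin is treated as a missing candidate (fails closed when the setting is unset).` would make that explicit. The literal 'decentraleyes.org' is now duplicated here and in main.js's optionDefaults (the last hunk); a shared constant would keep the two defaults from drifting. handleRequest's body continues outside the first hunk, and the initialization statements in the last hunk sit outside any visible function.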
......
...@@ -26,6 +26,7 @@ var main = {}; ...@@ -26,6 +26,7 @@ var main = {};
main._initializeOptions = function () { main._initializeOptions = function () {
let optionDefaults = { let optionDefaults = {
[Setting.XHR_TEST_DOMAIN]: 'decentraleyes.org',
[Setting.SHOW_ICON_BADGE]: true, [Setting.SHOW_ICON_BADGE]: true,
[Setting.BLOCK_MISSING]: false, [Setting.BLOCK_MISSING]: false,
[Setting.DISABLE_PREFETCH]: true, [Setting.DISABLE_PREFETCH]: true,
......