Restrict XHR handling to one trusted domain

ba330010 · Thomas Rientjes · 06017793 · ba330010 · ba330010 · ba330010
Verified Commit ba330010 authored 6 years ago by Thomas Rientjes
--- a/.eslintrc
+++ b/.eslintrc
@@ -21,6 +21,7 @@
    "shorthands": true,
    "stateManager": true,
    "WebRequest": true,
+    "WebRequestType": true,
    "Whitelist": true,
    "wrappers": true
  },

--- a/core/constants.js
+++ b/core/constants.js
@@ -47,7 +47,8 @@ const Setting = {
    'SHOW_ICON_BADGE': 'showIconBadge',
    'SHOW_RELEASE_NOTES': 'showReleaseNotes',
    'STRIP_METADATA': 'stripMetadata',
-    'WHITELISTED_DOMAINS': 'whitelistedDomains'
+    'WHITELISTED_DOMAINS': 'whitelistedDomains',
+    'XHR_TEST_DOMAIN': 'xhrTestDomain'
 };
 const WebRequest = {
@@ -56,6 +57,10 @@ const WebRequest = {
    'HEADERS': 'requestHeaders'
 };
+const WebRequestType = {
+    'XHR': 'xmlhttprequest'
+};
 const Whitelist = {
    'TRIM_EXPRESSION': /^;+|;+$/g,
    'VALUE_SEPARATOR': ';'

--- a/core/interceptor.js
+++ b/core/interceptor.js
@@ -42,6 +42,13 @@ interceptor.handleRequest = function (requestDetails, tabIdentifier, tab) {
        tabDomain = Address.EXAMPLE;
    }
+    if (requestDetails.type === WebRequestType.XHR) {
+        if (tabDomain !== interceptor.xhrTestDomain) {
+            return interceptor._handleMissingCandidate(requestDetails.url);
+        }
+    }
    // Temporary list of undetectable tainted domains.
    let undetectableTaintedDomains = {
        '10fastfingers.com': true,
@@ -125,6 +132,10 @@ interceptor._handleMissingCandidate = function (requestUrl) {
 interceptor._handleStorageChanged = function (changes) {
+    if (Setting.XHR_TEST_DOMAIN in changes) {
+        interceptor.xhrTestDomain = changes.xhrTestDomain.newValue;
+    }
    if (Setting.BLOCK_MISSING in changes) {
        interceptor.blockMissing = changes.blockMissing.newValue;
    }
@@ -137,9 +148,17 @@ interceptor._handleStorageChanged = function (changes) {
 interceptor.amountInjected = 0;
 interceptor.blockMissing = false;
-chrome.storage.local.get([Setting.AMOUNT_INJECTED, Setting.BLOCK_MISSING], function (items) {
+interceptor.relatedSettings = [
+    Setting.AMOUNT_INJECTED,
+    Setting.XHR_TEST_DOMAIN,
+    Setting.BLOCK_MISSING
+];
+chrome.storage.local.get(interceptor.relatedSettings, function (items) {
    interceptor.amountInjected = items.amountInjected || 0;
+    interceptor.xhrTestDomain = items.xhrTestDomain || 'decentraleyes.org';
    interceptor.blockMissing = items.blockMissing || false;
 });

--- a/core/main.js
+++ b/core/main.js
@@ -26,6 +26,7 @@ var main = {};
 main._initializeOptions = function () {
    let optionDefaults = {
+        [Setting.XHR_TEST_DOMAIN]: 'decentraleyes.org',
        [Setting.SHOW_ICON_BADGE]: true,
        [Setting.BLOCK_MISSING]: false,
        [Setting.DISABLE_PREFETCH]: true,