Issue 1530 - Improve detecting of subrequest issued by flash addon

src/plugin/PluginWbPassThrough.cpp

Index: src/plugin/PluginWbPassThrough.cpp
===================================================================
--- a/src/plugin/PluginWbPassThrough.cpp
+++ b/src/plugin/PluginWbPassThrough.cpp
@@ -13,7 +13,7 @@
 
 namespace
 {
-  std::string g_blockedByABPPage = "<!DOCTYPE html>"
+  const std::string g_blockedByABPPage = "<!DOCTYPE html>"

[Oleksandr, 2014/11/13 04:44:42]

Unrelated change

[sergei, 2014/11/13 08:49:32]

removed from here

     "<html>"
         "<body>"
           "<!-- blocked by AdblockPlus -->"
@@ -21,20 +21,21 @@
     "</html>";
 
   template <class T>
-  T ExtractHttpHeader(const T& allHeaders, const T& targetHeaderNameWithColon, const T& delimiter)
+  std::pair<T, bool> ExtractHttpHeader(const T& allHeaders, const T& targetHeaderNameWithColon, const T& delimiter)

[Oleksandr, 2014/11/13 04:44:42]

Unrelated change. Also, I think was good enough as it was. What was wrong with
just a check if the returned value is empty? From the looks of it, only Accept
header can be empty, and even when it is we don't really care (you rightfully
didn't change the Accept header handling to be like X-Requested-With).

[sergei, 2014/11/13 08:49:32]

Right, it's not necessary. Reverted.

   {
+    std::pair<T, bool> notFoundHeader;
     auto targetHeaderBeginsAt = allHeaders.find(targetHeaderNameWithColon);
     if (targetHeaderBeginsAt == T::npos)
     {
-      return T();
+      return notFoundHeader;
     }
     targetHeaderBeginsAt += targetHeaderNameWithColon.length();
     auto targetHeaderEndsAt = allHeaders.find(delimiter, targetHeaderBeginsAt);
     if (targetHeaderEndsAt == T::npos)
     {
-      return T();
+      return notFoundHeader;
     }
-    return allHeaders.substr(targetHeaderBeginsAt, targetHeaderEndsAt - targetHeaderBeginsAt);
+    return std::make_pair(allHeaders.substr(targetHeaderBeginsAt, targetHeaderEndsAt - targetHeaderBeginsAt), true);
   }
 
   std::string ExtractHttpAcceptHeader(IInternetProtocol* internetProtocol)
@@ -61,7 +62,14 @@
     {
       return "";
     }
-    return ExtractHttpHeader<std::string>(buf, "Accept:", "\r\n");
+    auto acceptHeader = ExtractHttpHeader<std::string>(buf, "Accept:", "\r\n");
+    return acceptHeader.first;
+  }
+
+  bool IsXmlHttpRequest(const std::wstring& additionalHeaders)
+  {
+    auto requestedWithHeader = ExtractHttpHeader<std::wstring>(additionalHeaders, L"X-Requested-With: ", L"\n");

[Oleksandr, 2014/11/13 04:44:42]

X-Requested-With is only part of the story, I think. How about also detecting
CORS requests. By detecting "Origin" header, for example. Also, this deserves to
be separated into it's own issue, IMHO.

+    return requestedWithHeader.second && TrimString(requestedWithHeader.first) == L"XMLHttpRequest";
   }
 }
 
@@ -243,8 +251,16 @@
 // returns quite minimal configuration in comparison with the implementation from Microsofts'
 // libraries (see grfBINDF and bindInfo.dwOptions). The impl from MS often includes something
 // else.
-bool WBPassthruSink::IsFlashRequest()
+bool WBPassthruSink::IsFlashRequest(const wchar_t* const* additionalHeaders)
 {
+  if (additionalHeaders && *additionalHeaders)
+  {
+    auto flashVersionHeader = ExtractHttpHeader<std::wstring>(*additionalHeaders, L"x-flash-version: ", L"\n");
+    if (flashVersionHeader.second)
+    {
+      return true;
+    }
+  }
   ATL::CComPtr<IBindStatusCallback> bscb;
   if (SUCCEEDED(QueryServiceFromClient(&bscb)) && !!bscb)
   {
@@ -264,6 +280,10 @@
 
 STDMETHODIMP WBPassthruSink::BeginningTransaction(LPCWSTR szURL, LPCWSTR szHeaders, DWORD dwReserved, LPWSTR* pszAdditionalHeaders)
 {
+  if (!szURL || !szHeaders)
+  {
+    return E_POINTER;
+  }

[Oleksandr, 2014/11/13 04:44:42]

Unrelated change.

[sergei, 2014/11/13 08:49:32]

Removed from here.

   std::wstring src = szURL;
   DEBUG_GENERAL(ToCString(src));
 
@@ -281,9 +301,9 @@
   // There doesn't seem to be any other way to get this header before the request has been made.
   HRESULT nativeHr = httpNegotiate ? httpNegotiate->BeginningTransaction(szURL, szHeaders, dwReserved, pszAdditionalHeaders) : S_OK;
 
-  if (*pszAdditionalHeaders != 0)
+  if (pszAdditionalHeaders && *pszAdditionalHeaders)
   {
-    m_boundDomain = ExtractHttpHeader<std::wstring>(*pszAdditionalHeaders, L"Referer:", L"\n").c_str();
+    m_boundDomain = ExtractHttpHeader<std::wstring>(*pszAdditionalHeaders, L"Referer:", L"\n").first;
   }
   m_boundDomain = TrimString(m_boundDomain);
   CPluginTab* tab = CPluginClass::GetTab(::GetCurrentThreadId());
@@ -306,9 +326,14 @@
     }
   }
 
-  if (IsFlashRequest())
+  if (IsFlashRequest(pszAdditionalHeaders))
   {
-    m_contentType = CFilter::EContentType::contentTypeObjectSubrequest; 
+    m_contentType = CFilter::EContentType::contentTypeObjectSubrequest;
+  }
+
+  if (pszAdditionalHeaders && IsXmlHttpRequest(*pszAdditionalHeaders))
+  {
+    m_contentType = CFilter::EContentType::contentTypeXmlHttpRequest;
   }
 
   m_blockedInTransaction = client->ShouldBlock(szURL, m_contentType, m_boundDomain, /*debug flag but must be set*/true);