Issue 1727 - Prevent circumvention via WebSocket

include.preload.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-2016 Eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with Adblock Plus.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 var MutationObserver = window.MutationObserver || window.WebKitMutationObserver;
 var SELECTOR_GROUP_SIZE = 200;
+var id = Math.random().toString(36).substr(2);
 
 var typeMap = {
   "img": "IMAGE",
   "input": "IMAGE",
   "picture": "IMAGE",
   "audio": "MEDIA",
   "video": "MEDIA",
   "frame": "SUBDOCUMENT",
   "iframe": "SUBDOCUMENT",
   "object": "OBJECT",
@@ skipping 312 matching lines @@
   var observer = new MutationObserver(function()
   {
     if (style.parentNode != parentNode)
       parentNode.appendChild(style);
   });
 
   observer.observe(parentNode, {childList: true});
   return observer;
 }
 
+function injectJS(f)
+{
+  var args = JSON.stringify(Array.prototype.slice.call(arguments, 1));
+  args = args.substring(1, args.length - 1);
+  var codeString = "(" + f.toString() + ")(" + args + ");";
+
+  var script = document.createElement("script");
+  script.async = false;
+  script.textContent = codeString;
+  document.documentElement.appendChild(script);
+  document.documentElement.removeChild(script);
+}
+
 function protectStyleSheet(document, style)
 {
-  var id = Math.random().toString(36).substr(2)
   style.id = id;
 
-  var code = [
-    "(function()",
-    "{",
-    '  var style = document.getElementById("' + id + '") ||',
-    '              document.documentElement.shadowRoot.getElementById("' + id + '");',
-    '  style.removeAttribute("id");'
-  ];
+  var protector = function(id)
+  {
+    var style = document.getElementById(id) ||
+                document.documentElement.shadowRoot.getElementById(id);
+    style.removeAttribute("id");
 
-  var disableables = ["style", "style.sheet"];
-  for (var i = 0; i < disableables.length; i++)
+    var i;
+    var disableables = [style, style.sheet];
+    for (i = 0; i < disableables.length; i += 1)

[Sebastian Noack, 2016/08/08 16:42:54]

Nit: This is JS. How about i++?

[kzar, 2016/08/08 18:19:06]

Done.

+      Object.defineProperty(disableables[i], "disabled",
+                            {value: false, enumerable: true});
+
+    var methods = ["deleteRule", "removeRule"];
+    for (i = 0; i < methods.length; i += 1)
+    {
+      if (methods[i] in CSSStyleSheet.prototype)
+      {
+        (function(method)

[Sebastian Noack, 2016/08/08 16:42:54]

Instead this wrapper function, why not simply using methods.forEach() in the
first place?

[kzar, 2016/08/08 18:19:06]

Done.

+        {
+          var original = CSSStyleSheet.prototype[method];
+          CSSStyleSheet.prototype[method] = function(index)
+          {
+            if (this != style.sheet)
+              original.call(this, index);
+          };
+        }(methods[i]));
+      }
+    }
+  };
+
+  injectJS(protector, id);
+}
+
+// Neither Chrome[1] nor Safari allow us to intercept WebSockets, and therefore
+// some ad networks are misusing them as a way to serve adverts and circumvent
+// us. As a workaround we wrap WebSocket, preventing blocked WebSocket
+// connections from being opened.
+// [1] - https://bugs.chromium.org/p/chromium/issues/detail?id=129353
+function wrapWebSocket()
+{
+  if (typeof WebSocket == "undefined")
+    return;
+
+  var eventName = "abpws-" + id;
+
+  document.addEventListener(eventName, function(event)
   {
-    code.push("  Object.defineProperty(" + disableables[i] + ', "disabled", '
-                                         + "{value: false, enumerable: true});");
+    ext.backgroundPage.sendMessage({
+      type: "websocket-request",
+      url: event.detail.url
+    }, function (block)
+    {
+      document.dispatchEvent(
+        new CustomEvent(eventName + "-" + event.detail.url, {detail: block})
+      );
+    });
+  });
+
+  function wrapper(eventName)
+  {
+    // As far as possible we must track everything we use that could be
+    // sabotaged by the website later in order to circumvent us.
+    var RealWebSocket = WebSocket;
+    var closeWebSocket = RealWebSocket.prototype.close;
+    var document = window.document;
+    var addEventListener = document.addEventListener;
+    var removeEventListener = document.removeEventListener;
+    var dispatchEvent = document.dispatchEvent;
+    var CustomEvent = window.CustomEvent;
+    var boundCall = Function.prototype.call.bind(Function.prototype.call);
+    // (These two functions are usually the same, but since Safari 9 considers
+    //  WebSocket to be an object rather than a function we must track both.)
+    var toString = Function.prototype.toString;
+    var wsToString = RealWebSocket.toString;
+
+    function checkRequest(url, protocols, callback)
+    {
+      var incomingEventName = eventName + "-" + url;
+      function listener(event)
+      {
+        callback(event.detail);
+        boundCall(removeEventListener, document, incomingEventName, listener);
+      }
+      boundCall(addEventListener, document, incomingEventName, listener);
+
+      boundCall(dispatchEvent, document, new CustomEvent(eventName, {
+        detail: {url: url, protocols: protocols}
+      }));
+    }
+
+    function wrappedToString()
+    {
+      if (this === WebSocket)
+        return boundCall(wsToString, RealWebSocket);
+      if (this === wrappedToString)
+        return boundCall(toString, toString);
+      return boundCall(toString, this);
+    };
+    Function.prototype.toString = wrappedToString;
+
+    WebSocket = function(url, protocols)
+    {
+      var websocket = new RealWebSocket(url, protocols);
+
+      checkRequest(url, protocols, function(blocked)
+      {
+        if (blocked)
+          boundCall(closeWebSocket, websocket);
+      });
+
+      return websocket;
+    };
+    Object.defineProperties(WebSocket, {

[Sebastian Noack, 2016/08/08 16:42:55]

I wonder whether we should dynamically generate those properties rather than
hard-coding them and their values:

var properties = Object.getOwnPropertyNames(RealWebSocket);
for (var i = 0; i < properties.length; i++)
{
  var name = properties[i];
  var desc = Object.getOwnPropertyDescriptor(RealWebSocket, name);
  Object.defineProperty(WebSocket, name, desc);
}

Note that this copies the prototype property as well, which BTW is read-only on
the original WebSocket function but not on your fake WebSocket at the moment.

[kzar, 2016/08/08 18:19:06]

Done.

+      CONNECTING: {value: 0, enumerable: true},
+      OPEN: {value: 1, enumerable: true},
+      CLOSING: {value: 2, enumerable: true},
+      CLOSED: {value: 3, enumerable: true}
+    });
+    WebSocket.prototype = RealWebSocket.prototype;
+    RealWebSocket.prototype.constructor = WebSocket;
   }
 
-  var methods = ["deleteRule", "removeRule"];
-  for (var j = 0; j < methods.length; j++)
-  {
-    var method = methods[j];
-    if (method in CSSStyleSheet.prototype)
-    {
-      var origin = "CSSStyleSheet.prototype." + method;
-      code.push("  var " + method + " = " + origin + ";",
-                "  " + origin + " = function(index)",
-                "  {",
-                "    if (this != style.sheet)",
-                "      " + method + ".call(this, index);",
-                "  }");
-    }
-  }
-
-  code.push("})();");
-
-  var script = document.createElement("script");
-  script.async = false;
-  script.textContent = code.join("\n");
-  document.documentElement.appendChild(script);
-  document.documentElement.removeChild(script);
+  injectJS(wrapper, eventName);
 }
 
 function init(document)
 {
   var shadow = null;
   var style = null;
   var observer = null;
   var tracer = null;
 
+  wrapWebSocket();
+
   function getPropertyFilters(callback)
   {
     ext.backgroundPage.sendMessage({
       type: "filters.get",
       what: "cssproperties"
     }, callback);
   }
   var propertyFilters = new CSSPropertyFilters(window, getPropertyFilters,
                                                addElemHideSelectors);
 
@@ skipping 150 matching lines @@
   }, true);
 
   return updateStylesheet;
 }
 
 if (document instanceof HTMLDocument)
 {
   checkSitekey();
   window.updateStylesheet = init(document);
 }