Issue 1727 - Prevent circumvention via WebSocket

include.preload.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-2016 Eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with Adblock Plus.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 var MutationObserver = window.MutationObserver || window.WebKitMutationObserver;
 var SELECTOR_GROUP_SIZE = 200;
+var id = Math.random().toString(36).substr(2);
 
 var typeMap = {
   "img": "IMAGE",
   "input": "IMAGE",
   "picture": "IMAGE",
   "audio": "MEDIA",
   "video": "MEDIA",
   "frame": "SUBDOCUMENT",
   "iframe": "SUBDOCUMENT",
   "object": "OBJECT",
@@ skipping 312 matching lines @@
   var observer = new MutationObserver(function()
   {
     if (style.parentNode != parentNode)
       parentNode.appendChild(style);
   });
 
   observer.observe(parentNode, {childList: true});
   return observer;
 }
 
+function runInPage(fn, arg)
+{
+  var script = document.createElement("script");
+  script.type = "application/javascript";
+  script.async = false;
+
+  // include.youtube.js passes this function a RegExp which JSON.stringify would
+  // convert to "{}".
+  if (!(arg instanceof RegExp))
+    arg = JSON.stringify(arg);
+
+  script.textContent = "(" + fn + ")(" + arg + ");";
+  document.documentElement.appendChild(script);
+  document.documentElement.removeChild(script);
+}
+
 function protectStyleSheet(document, style)
 {
-  var id = Math.random().toString(36).substr(2)
   style.id = id;
 
-  var code = [
-    "(function()",
-    "{",
-    '  var style = document.getElementById("' + id + '") ||',
-    '              document.documentElement.shadowRoot.getElementById("' + id + '");',
-    '  style.removeAttribute("id");'
-  ];
+  runInPage(function(id)
+  {
+    var style = document.getElementById(id) ||
+                document.documentElement.shadowRoot.getElementById(id);
+    style.removeAttribute("id");
 
-  var disableables = ["style", "style.sheet"];
-  for (var i = 0; i < disableables.length; i++)
+    var disableables = [style, style.sheet];
+    for (var i = 0; i < disableables.length; i++)
+      Object.defineProperty(disableables[i], "disabled",
+                            {value: false, enumerable: true});
+
+    var boundCall = Function.prototype.call.bind(Function.prototype.call);

[Sebastian Noack, 2016/08/09 18:05:14]

I don't think that this is necessary here. We don't call "call" unless we allow
the call. So all one could do by patching Function.prototype.call is further
restricting the behavior here.

Perhaps they could also detect us that way, but they could as well just check
for CSSStyleSheet.prototype.deleteRule.toString(), that is what I actually
meant. But as just discussed on IRC, that paranoia about detection is slowly
becoming crazy. We still need to be able to maintain this code. And I fear
eventually, there will always be some way to detect us.

[kzar, 2016/08/09 18:50:14]

OK, I removed that again.

I agree that we should not worry about .toString here. Since this was already
the case before the WebSocket changes we're not regressing anything. If someone
does use `CSSStyleSheet.prototype.deleteRule.toString()` for detection at some
point in the future we can always worry about it then.

[Sebastian Noack, 2016/08/10 08:01:46]

Interesting, so why do you do a much more elaborate hack for
WebSocket.toString() then?

[kzar, 2016/08/10 08:07:33]

How is it much more elaborate than what would be required here to fix the string
values? (My logic is that CSSStyleSheet.prototype.removeRule already has the
wrong string value, so in this code review we're not making anything worse.)

[Sebastian Noack, 2016/08/10 08:44:18]

You are right, we'd need to patch Function.prototype.toString() the same way to
also make CSSStyleSheet.prototype.removeRule.toString() return it's original
value. I mistakenly assumed that simply calling bind() on our wrapper would do.

But still, what is the point of doing so for WebSocket, if people could just
detect us instead by checking for removeRule.toString()? And as you said, if
that becomes an issue, we can still address it later.

[kzar, 2016/08/10 10:19:44]

Fair enough. How about we just go with your .bind() idea for WebSocket? It's
simple and it mostly works.

+    ["deleteRule", "removeRule"].forEach(function(method)
+    {
+      var original = CSSStyleSheet.prototype[method];
+      CSSStyleSheet.prototype[method] = function(index)
+      {
+        if (this != style.sheet)
+          boundCall(original, this, index);
+      };
+    });
+  }, id);
+}
+
+// Neither Chrome[1] nor Safari allow us to intercept WebSockets, and therefore
+// some ad networks are misusing them as a way to serve adverts and circumvent
+// us. As a workaround we wrap WebSocket, preventing blocked WebSocket
+// connections from being opened.
+// [1] - https://bugs.chromium.org/p/chromium/issues/detail?id=129353
+function wrapWebSocket()
+{
+  if (typeof WebSocket == "undefined")
+    return;
+
+  var eventName = "abpws-" + id;
+
+  document.addEventListener(eventName, function(event)
   {
-    code.push("  Object.defineProperty(" + disableables[i] + ', "disabled", '
-                                         + "{value: false, enumerable: true});");
-  }
+    ext.backgroundPage.sendMessage({
+      type: "websocket-request",
+      url: event.detail.url
+    }, function (block)
+    {
+      document.dispatchEvent(
+        new CustomEvent(eventName + "-" + event.detail.url, {detail: block})
+      );
+    });
+  });
 
-  var methods = ["deleteRule", "removeRule"];
-  for (var j = 0; j < methods.length; j++)
+  runInPage(function(eventName)
   {
-    var method = methods[j];
-    if (method in CSSStyleSheet.prototype)
+    // As far as possible we must track everything we use that could be
+    // sabotaged by the website later in order to circumvent us.
+    var RealWebSocket = WebSocket;
+    var closeWebSocket = RealWebSocket.prototype.close;
+    var addEventListener = document.addEventListener.bind(document);
+    var removeEventListener = document.removeEventListener.bind(document);
+    var dispatchEvent = document.dispatchEvent.bind(document);
+    var CustomEvent = window.CustomEvent;
+    var boundCall = Function.prototype.call.bind(Function.prototype.call);
+    var functionToString = Function.prototype.toString;
+    // (Safari 9 considers WebSocket to be an object rather than a function.)
+    var webSocketString = RealWebSocket.toString();
+
+    function checkRequest(url, callback)
     {
-      var origin = "CSSStyleSheet.prototype." + method;
-      code.push("  var " + method + " = " + origin + ";",
-                "  " + origin + " = function(index)",
-                "  {",
-                "    if (this != style.sheet)",
-                "      " + method + ".call(this, index);",
-                "  }");
+      var incomingEventName = eventName + "-" + url;
+      function listener(event)
+      {
+        callback(event.detail);
+        removeEventListener(incomingEventName, listener);
+      }
+      addEventListener(incomingEventName, listener);
+
+      dispatchEvent(new CustomEvent(eventName, {
+        detail: {url: url}
+      }));
     }
-  }
 
-  code.push("})();");
+    function wrappedToString()
+    {
+      if (this === WebSocket)
+        return webSocketString;
+      if (this === wrappedToString)
+        return boundCall(functionToString, functionToString);
+      return boundCall(functionToString, this);
+    };
+    Function.prototype.toString = wrappedToString;
 
-  var script = document.createElement("script");
-  script.async = false;
-  script.textContent = code.join("\n");
-  document.documentElement.appendChild(script);
-  document.documentElement.removeChild(script);
+    WebSocket = function WrappedWebSocket(url, protocols)
+    {
+      // Throw correct exceptions if the constructor is used improperly.
+      if (!(this instanceof WrappedWebSocket)) return RealWebSocket();
+      if (arguments.length < 1) return new RealWebSocket();
+
+      var websocket = new RealWebSocket(url, protocols);
+
+      checkRequest(websocket.url, function(blocked)
+      {
+        if (blocked)
+          boundCall(closeWebSocket, websocket);
+      });
+
+      return websocket;
+    };
+
+    var properties = Object.getOwnPropertyNames(RealWebSocket);
+    for (var i = 0; i < properties.length; i++)
+    {
+      var name = properties[i];
+      var desc = Object.getOwnPropertyDescriptor(RealWebSocket, name);
+      Object.defineProperty(WebSocket, name, desc);
+    }
+
+    RealWebSocket.prototype.constructor = WebSocket;
+  }, eventName);
 }
 
 function init(document)
 {
   var shadow = null;
   var style = null;
   var observer = null;
   var tracer = null;
 
+  wrapWebSocket();
+
   function getPropertyFilters(callback)
   {
     ext.backgroundPage.sendMessage({
       type: "filters.get",
       what: "cssproperties"
     }, callback);
   }
   var propertyFilters = new CSSPropertyFilters(window, getPropertyFilters,
                                                addElemHideSelectors);
 
@@ skipping 150 matching lines @@
   }, true);
 
   return updateStylesheet;
 }
 
 if (document instanceof HTMLDocument)
 {
   checkSitekey();
   window.updateStylesheet = init(document);
 }