Issue 1727 - Prevent circumvention via WebSocket

include.preload.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-2016 Eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ skipping 332 matching lines @@
   var observer = new MutationObserver(function()
   {
     if (style.parentNode != parentNode)
       parentNode.appendChild(style);
   });
 
   observer.observe(parentNode, {childList: true});
   return observer;
 }
 
-function injectJS(f)
-{
-  var args = JSON.stringify(Array.prototype.slice.call(arguments, 1));
-  args = args.substring(1, args.length - 1);
-  var codeString = "(" + f.toString() + ")(" + args + ");";
-
+function runInPage(fn, arg)
+{
   var script = document.createElement("script");
+  script.type = "application/javascript";
   script.async = false;
-  script.textContent = codeString;
+  script.textContent = "(" + fn + ")(" + JSON.stringify(arg) + ");";
   document.documentElement.appendChild(script);
   document.documentElement.removeChild(script);
 }
 
 function protectStyleSheet(document, style)
 {
   style.id = id;
 
-  var protector = function(id)
+  runInPage(function(id)
   {
     var style = document.getElementById(id) ||
                 document.documentElement.shadowRoot.getElementById(id);
     style.removeAttribute("id");
 
-    var i;
     var disableables = [style, style.sheet];
-    for (i = 0; i < disableables.length; i += 1)
+    for (var i = 0; i < disableables.length; i++)
       Object.defineProperty(disableables[i], "disabled",
                             {value: false, enumerable: true});
 
-    var methods = ["deleteRule", "removeRule"];
-    for (i = 0; i < methods.length; i += 1)
-    {
-      if (methods[i] in CSSStyleSheet.prototype)
-      {
-        (function(method)
-        {
-          var original = CSSStyleSheet.prototype[method];
-          CSSStyleSheet.prototype[method] = function(index)
-          {
-            if (this != style.sheet)
-              original.call(this, index);
-          };
-        }(methods[i]));
-      }
-    }
-  };
-
-  injectJS(protector, id);
+    ["deleteRule", "removeRule"].forEach(function(method)
+    {
+      var original = CSSStyleSheet.prototype[method];
+      CSSStyleSheet.prototype[method] = function(index)
+      {
+        if (this != style.sheet)
+          original.call(this, index);
+      };
+    });
+  }, id);
 }
 
 // Neither Chrome[1] nor Safari allow us to intercept WebSockets, and therefore
 // some ad networks are misusing them as a way to serve adverts and circumvent
-// us. As a workaround we wrap WebSocket, closing connections that would have
-// otherwise been blocked.
+// us. As a workaround we wrap WebSocket, preventing blocked WebSocket
+// connections from being opened.
 // [1] - https://bugs.chromium.org/p/chromium/issues/detail?id=129353
 function wrapWebSocket()
 {
-  if (typeof WebSocket == "undefined" || typeof WeakMap == "undefined")
+  if (typeof WebSocket == "undefined")
     return;
 
   var eventName = "abpws-" + id;
 
   document.addEventListener(eventName, function(event)
   {
     ext.backgroundPage.sendMessage({
       type: "websocket-request",
       url: event.detail.url
     }, function (block)
     {
       document.dispatchEvent(
         new CustomEvent(eventName + "-" + event.detail.url, {detail: block})
       );
     });
   });
 
-  function wrapper(eventName)
-  {
+  runInPage(function(eventName)
+  {
+    // As far as possible we must track everything we use that could be
+    // sabotaged by the website later in order to circumvent us.
     var RealWebSocket = WebSocket;
-
-    // To avoid detection we make our WebSocket wrapper as similar as possible.
-    // Most WebSocket properties and methods actually belong to
-    // WebSocket.prototype, but they require access to the instance state. To
-    // acheive this without adding extra properties we need to manage our own
-    // storage here. To avoid leaking memory in the case that all other
-    // references to a WebSocket have been deleted we must use a WeakMap.
-    var instanceStorage = new WeakMap();
-
-    // We can't create a WebSocket until we know it shouldn't be blocked, but we
-    // can only check this asynchronously. We queue up any actions that are
-    // performed on a WebSocket wrapper instance before its real WebSocket
-    // exists. If not blocked we perform queued actions on the WebSocket after
-    // it has been created.
-    function processQueue(queue, websocket)
-    {
-      for (var i = 0; i < queue.length; i += 1)
-      {
-        var action = queue[i][0];
-        var key = queue[i][1];
-        var value = queue[i][2];
-        switch (action)
-        {
-          case "set":
-            websocket[key] = value;
-            break;
-          case "call":
-            websocket[key].apply(websocket, value);
-            break;
-        }
-      }
-    }
-
-    var defaults = {
-      readyState: RealWebSocket.CONNECTING,
-      bufferedAmount: 0,
-      extensions: "",
-      binaryType: "blob"
-    };
-
-    WebSocket = function(url, protocol)
-    {
-      var storage = {
-        url: url,
-        protocol: protocol,
-        queue: [],
-        blocked: false,
-        websocket: null
-      };
-      instanceStorage.set(this, storage);
-
+    var closeWebSocket = Function.prototype.call.bind(RealWebSocket.prototype.close);
+    var addEventListener = document.addEventListener.bind(document);
+    var removeEventListener = document.removeEventListener.bind(document);
+    var dispatchEvent = document.dispatchEvent.bind(document);
+    var CustomEvent = window.CustomEvent;
+
+    function checkRequest(url, callback)
+    {
       var incomingEventName = eventName + "-" + url;
       function listener(event)
       {
-        storage.blocked = event.detail;
-        if (!storage.blocked)
-        {
-          storage.websocket = new RealWebSocket(url, protocol);
-          processQueue(storage.queue, storage.websocket);
-        }
-        delete storage.queue; // FIXME onerror!?

[kzar, 2016/07/06 16:39:20]

So far I don't fire the error / close event when a WebSocket connection is
blocked.

I could do that here but I'm not sure how to reproduce the event properly, for
example isTrusted! Closest I can think to do is to create a new WebSocket with a
bogus URL, providing their onerror listener. Of course they could then check the
URL...

[kzar, 2016/07/07 07:51:31]

Note: My earlier implementation which always created a WebSocket but then called
.close() if blocked didn't have this limitation. A real close event was fired.

If you really insist that we don't just do that again we could still do
something similar. We could create a WebSocket when the block/allow result comes
back, but then immediately close it if blocked. That would be even less likely
to leak connections than the earlier implementation. (And I never witnessed the
earlier implementation leaking connections anyway.)

-
-        document.removeEventListener(incomingEventName, listener);
-      }
-      document.addEventListener(incomingEventName, listener);
-
-      document.dispatchEvent(new CustomEvent(eventName, {
-        detail: {url: url, protocol: protocol}
+        callback(event.detail);
+        removeEventListener(incomingEventName, listener);
+      }
+      addEventListener(incomingEventName, listener);
+
+      dispatchEvent(new CustomEvent(eventName, {
+        detail: {url: url}
       }));
-    };
-
-    function proxyProperties(original)
-    {
-      var properties = Object.create(null);
-
-      Object.keys(original).map(function(key)
-      {
-        if (key == "prototype")

[kzar, 2016/07/06 16:39:20]

(For Safari)

-          return;
-
-        var descriptor = Object.getOwnPropertyDescriptor(original, key);
-
-        if (typeof descriptor.value == "function")
-        {
-          descriptor.value = function()
-          {
-            var storage = instanceStorage.get(this);
-            if (!storage)

[kzar, 2016/07/06 16:39:20]

So that the "Uncaught TypeError: Illegal invocation(…)" exception is thrown when
doing something like `WebSocket.prototype.send(...)`. (Similar below too.)

-              original[key].apply(original, arguments);
-            if (storage.websocket)
-              storage.websocket[key].apply(storage.websocket, arguments);
-            else if (!storage.blocked)
-              storage.queue.push(["call", key, arguments]);
-          };
-        }
-        else if (typeof descriptor.value == "undefined")
-        {
-          descriptor.get = function()
-          {
-            var storage = instanceStorage.get(this);
-            if (!storage)
-              return original[key];
-            if (storage.websocket)
-              return storage.websocket[key];
-            if (storage.blocked && key == "readyState")
-              return RealWebSocket.CLOSED;
-            if (key == "url" || key == "protocol")
-              return storage[key];
-            if (key in defaults)
-              return defaults[key];
-            return null;
-          };
-          descriptor.set = function(value)
-          {
-            var storage = instanceStorage.get(this);
-            if (!storage)
-              original[key] = value;
-            else if (storage.websocket)
-              storage.websocket[key] = value;
-            else if (!storage.blocked)
-              storage.queue.push(["set", key, value]);
-            return value;
-          };
-        }
-        properties[key] = descriptor;
+    }
+
+    WebSocket = function WrappedWebSocket(url, protocols)
+    {
+      // Throw correct exceptions if the constructor is used improperly.
+      if (!(this instanceof WrappedWebSocket)) return RealWebSocket();
+      if (arguments.length < 1) return new RealWebSocket();
+
+      var websocket = new RealWebSocket(url, protocols);
+
+      checkRequest(websocket.url, function(blocked)
+      {
+        if (blocked)
+          closeWebSocket(websocket);
       });
-      return properties;
-    }
-
-    Object.defineProperties(WebSocket, proxyProperties(RealWebSocket));
-    WebSocket.prototype = Object.create(
-      RealWebSocket.prototype.__proto__,
-      proxyProperties(RealWebSocket.prototype)
-    );
-  }
-
-  injectJS(wrapper, eventName);
+
+      return websocket;
+    }.bind();
+
+    Object.defineProperties(WebSocket, {
+      CONNECTING: {value: RealWebSocket.CONNECTING, enumerable: true},
+      OPEN: {value: RealWebSocket.OPEN, enumerable: true},
+      CLOSING: {value: RealWebSocket.CLOSING, enumerable: true},
+      CLOSED: {value: RealWebSocket.CLOSED, enumerable: true},
+      prototype: {value: RealWebSocket.prototype}
+    });
+
+    RealWebSocket.prototype.constructor = WebSocket;
+  }, eventName);
 }
 
 function init(document)
 {
   var shadow = null;
   var style = null;
   var observer = null;
   var tracer = null;
 
   wrapWebSocket();
@@ skipping 161 matching lines @@
   }, true);
 
   return updateStylesheet;
 }
 
 if (document instanceof HTMLDocument)
 {
   checkSitekey();
   window.updateStylesheet = init(document);
 }