lib/csp.js - Issue 29394585: Issue 5027 - Use updated webRequest API for WebSocket blocking

Delta Between Two Patch Sets: lib/csp.js

Issue 29394585: Issue 5027 - Use updated webRequest API for WebSocket blocking (Closed)

Left Patch Set: fixed logic at websocket wrapper Created March 27, 2017, 12:36 p.m.

Right Patch Set: change commit message, add chrome version to include.preload.js comments Created March 29, 2017, 12:04 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 /*	1 /*

2 * This file is part of Adblock Plus <https://adblockplus.org/>,	2 * This file is part of Adblock Plus <https://adblockplus.org/>,

3 * Copyright (C) 2006-2017 eyeo GmbH	3 * Copyright (C) 2006-2017 eyeo GmbH

4 *	4 *

5 * Adblock Plus is free software: you can redistribute it and/or modify	5 * Adblock Plus is free software: you can redistribute it and/or modify

6 * it under the terms of the GNU General Public License version 3 as	6 * it under the terms of the GNU General Public License version 3 as

7 * published by the Free Software Foundation.	7 * published by the Free Software Foundation.

8 *	8 *

9 * Adblock Plus is distributed in the hope that it will be useful,	9 * Adblock Plus is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of	10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

12 * GNU General Public License for more details.	12 * GNU General Public License for more details.

13 *	13 *

14 * You should have received a copy of the GNU General Public License	14 * You should have received a copy of the GNU General Public License

15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.	15 * along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.

16 */	16 */

17	17

18 "use strict";	18 "use strict";

19	19

	20 // Before Chrome 58, the webRequest API did not intercept WebSocket

	21 // connections (see https://crbug.com/129353). Hence we inject CSP headers,

	22 // below, as a workaround.

20 if (!("WEBSOCKET" in chrome.webRequest.ResourceType))	23 if (!("WEBSOCKET" in chrome.webRequest.ResourceType))
kzar 2017/03/28 05:38:13 Mind adding a comment to explain why you're making Mind adding a comment to explain why you're making this check? Include something like "...versions of Chrome before 58..." so that it's clear when the code can be removed in the future. Jon Sonesen 2017/03/28 13:03:14 Acknowledged. Show quoted text On 2017/03/28 05:38:13, kzar wrote: > Mind adding a comment to explain why you're making this check? Include something > like "...versions of Chrome before 58..." so that it's clear when the code can > be removed in the future. Acknowledged.
21 {	24 {

22 const {defaultMatcher} = require("matcher");	25 const {defaultMatcher} = require("matcher");

23 const {BlockingFilter, RegExpFilter} = require("filterClasses");	26 const {BlockingFilter, RegExpFilter} = require("filterClasses");

24 const {getDecodedHostname} = require("url");	27 const {getDecodedHostname} = require("url");

25 const {checkWhitelisted} = require("whitelisting");	28 const {checkWhitelisted} = require("whitelisting");

26	29

27 chrome.webRequest.onHeadersReceived.addListener(details =>	30 chrome.webRequest.onHeadersReceived.addListener(details =>

28 {	31 {

29 let hostname = getDecodedHostname(new URL(details.url));	32 let hostname = getDecodedHostname(new URL(details.url));

30 let match = defaultMatcher.matchesAny("", RegExpFilter.typeMap.WEBSOCKET,	33 let match = defaultMatcher.matchesAny("", RegExpFilter.typeMap.WEBSOCKET,

31 hostname, false, null, true);	34 hostname, false, null, true);

32 if (match instanceof BlockingFilter &&	35 if (match instanceof BlockingFilter &&

33 !checkWhitelisted(new ext.Page({id: details.tabId}),	36 !checkWhitelisted(new ext.Page({id: details.tabId}),

34 ext.getFrame(details.tabId, details.frameId)))	37 ext.getFrame(details.tabId, details.frameId)))

35 {	38 {

36 details.responseHeaders.push({	39 details.responseHeaders.push({

37 name: "Content-Security-Policy",	40 name: "Content-Security-Policy",

38 // We're blocking WebSockets here by adding a connect-src restriction	41 // We're blocking WebSockets here by adding a connect-src restriction

39 // since the Chrome extension API does not allow us to intercept them.	42 // since the Chrome extension API does not allow us to intercept them.

40 // https://bugs.chromium.org/p/chromium/issues/detail?id=129353	43 // https://bugs.chromium.org/p/chromium/issues/detail?id=129353

41 //	44 //

42 // We also need the frame-src and object-src restrictions since CSPs are	45 // We also need the frame-src and object-src restrictions since CSPs

43 // not inherited from the parent for documents with data: and blob: URLs .	46 // are not inherited from the parent for documents with data: and blob:
kzar 2017/03/28 05:38:13 Please run ESLint on your changes to catch over-lo Please run ESLint on your changes to catch over-long lines like this. (Yes until my changes land for that you'll have to diff the output before and after your changes to see what new errors you've caused.) Jon Sonesen 2017/03/28 13:03:14 No problem, additionally what is the opinion on th Show quoted text On 2017/03/28 05:38:13, kzar wrote: > Please run ESLint on your changes to catch over-long lines like this. (Yes until > my changes land for that you'll have to diff the output before and after your > changes to see what new errors you've caused.) No problem, additionally what is the opinion on this line? It goes over only two characters...do you think it is aceptable to just remove the colons in 'blob:' and 'data:'? Sebastian Noack 2017/03/28 13:48:08 Without the colons, I find this rather confusing. Show quoted text On 2017/03/28 13:03:14, Jon Sonesen wrote: > On 2017/03/28 05:38:13, kzar wrote: > > Please run ESLint on your changes to catch over-long lines like this. (Yes > until > > my changes land for that you'll have to diff the output before and after your > > changes to see what new errors you've caused.) > > No problem, additionally what is the opinion on this line? It goes over only two > characters...do you think it is aceptable to just remove the colons in 'blob:' > and 'data:'? Without the colons, I find this rather confusing. The colon indicates that we are talking about a known/standard URL scheme. Without them you have to think more when deriving the context. Also the line above isn' any shorter, so this alone wouldn't be sufficient anyway. If you don't want to rewrap this paragraph for some reason, another options would be going with "frame-src/object-src" and "data:/blob:", not sure if this is any better though.
44 // https://bugs.chromium.org/p/chromium/issues/detail?id=513860	47 // URLs, see https://crbug.com/513860.

45 //	48 //

46 // We must use the deprecated child-src directive instead of worker-src	49 // We must use the deprecated child-src directive instead of worker-src

47 // since that's not supported yet (as of Chrome 56.)	50 // since that's not supported yet (as of Chrome 56.)

48 //	51 //

49 // "http:" also includes "https:" implictly.	52 // "http:" also includes "https:" implictly.

50 // https://www.chromestatus.com/feature/6653486812889088	53 // https://www.chromestatus.com/feature/6653486812889088

51 value: "connect-src http:; child-src http:; frame-src http:; object-src http:"	54 value: "connect-src http:; child-src http:; frame-src http:; object-src http:"

52 });	55 });

53 return {responseHeaders: details.responseHeaders};	56 return {responseHeaders: details.responseHeaders};

54 }	57 }

55 }, {	58 }, {

56 urls: ["http:///", "https:///"],	59 urls: ["http:///", "https:///"],

57 // We must also intercept script requests since otherwise Web Workers can	60 // We must also intercept script requests since otherwise Web Workers can

58 // be abused to execute scripts for which our Content Security Policy	61 // be abused to execute scripts for which our Content Security Policy

59 // won't be injected.	62 // won't be injected.

60 // https://github.com/gorhill/uBO-Extra/issues/19	63 // https://github.com/gorhill/uBO-Extra/issues/19

61 types: ["main_frame", "sub_frame", "script"]	64 types: ["main_frame", "sub_frame", "script"]

62 }, ["blocking", "responseHeaders"]);	65 }, ["blocking", "responseHeaders"]);

63 }	66 }

LEFT	RIGHT