Issue 6544 - Prevent requests sent by Chrome or Adblock Plus from being blocked

lib/requestBlocker.js

Index: lib/requestBlocker.js
===================================================================
--- a/lib/requestBlocker.js
+++ b/lib/requestBlocker.js
@@ -29,6 +29,9 @@
 const {port} = require("messaging");
 const devtools = require("devtools");
 
+const extensionProtocol = new URL(browser.extension.getURL("")).protocol;
+const ignoredOrigins = new Set([extensionProtocol, "chrome:"]);
+
 // Chrome can't distinguish between OBJECT_SUBREQUEST and OBJECT requests.
 if (!browser.webRequest.ResourceType ||
     !("OBJECT_SUBREQUEST" in browser.webRequest.ResourceType))
@@ -128,23 +131,24 @@
       url.protocol != "ws:" && url.protocol != "wss:")
     return;
 
-  let originUrl = null;
-  if (details.originUrl)
-  {
-    originUrl = new URL(details.originUrl);
+  // Firefox provides us with the full origin URL, while Chromium (>=63)
+  // provides only the protocol + host of the (top-level) document which
+  // the request originates from through the "initiator" property.
+  let originUrl = details.originUrl ? new URL(details.originUrl) :
+                  details.initiator ? new URL(details.initiator) : null;
 
-    // Firefox (only) allows to intercept requests sent by the browser
-    // and other extensions. We don't want to block these.
-    if (originUrl.protocol == "chrome:" ||
-        originUrl.protocol == "moz-extension:")
-      return;
-  }
-  // Fallback to "initiator" on Chrome >=63. It doesn't include the
-  // path (unlike "originUrl" on Firefox), but is still good enough
-  // (in case the tab/frame is unknown) for the $domain filter option
-  // and most document exception rules which only match the domain part.
-  else if (details.initiator)
-    originUrl = new URL(details.initiator);
+  // Ignore requests sent by extensions or by the browser itself:
+  // * Firefox intercepts requests sent by any extensions, indicated with
+  //   an "originURL" starting with "moz-extension:".
+  // * Chromium intercepts requests sent by this extension only, indicated
+  //   on Chromium >=63 with an "initiator" starting with "chrome-extension:".
+  // * On Firefox, requests that don't relate to any document or extension are
+  //   indicated with an "originUrl" starting with "chrome:".
+  // * On Chromium >=63, requests that don't relate to any document or extension
+  //   have no "initiator". But since on older Chromium versions, no request
+  //   has an "initiator", we have to check for the tabId as well.
+  if (originUrl ? ignoredOrigins.has(originUrl.protocol) : details.tabId == -1)

[kzar, 2018/04/06 14:48:10]

Or perhaps like this?

if (originUrl && ignoredOrigins.has(originUrl.protocol) || details.tabId == -1)
  return;

Or even better IMO (so you can comment each part separately)

if (originUrl && ignoredOrigins.has(originUrl.protocol))
  return;

if (details.tabId == -1)
  return;

[Sebastian Noack, 2018/04/06 17:55:46]

These checks aren't equivalent. We only want to bail if we neither have a valid
tabId nor an originUrl. Otherwise requests sent by Service Workers would be
ignored too.

[kzar, 2018/04/09 11:08:44]

Ah right I see. Thing is I think this demonstrates how this nested conditional
is kind of confusing. I know it doesn't look as pretty but I think it's better
to do it with if... else..., it's way more obvious that way.

if (originURL)
{
  if (ignoredOrigins.has(originURL.protocol))
    return;
}
else if (details.tabId == -1)
  return;

[Sebastian Noack, 2018/04/09 21:37:16]

I don't see how the ternary operation is any more complicated to parse (for
humans) than binary logical operations. But fine, here you go.

+    return;
 
   let page = null;
   let frame = null;