Restrict XHR handling to one trusted domain

2025-12-23 23:38:39 -05:00 · 2018-05-18 00:14:39 +02:00
parent 060177935e
commit ba330010e7
4 changed files with 28 additions and 2 deletions
--- a/.eslintrc
+++ b/.eslintrc
@@ -21,6 +21,7 @@
    "shorthands": true,
    "stateManager": true,
    "WebRequest": true,
+    "WebRequestType": true,
    "Whitelist": true,
    "wrappers": true
  },
--- a/core/constants.js
+++ b/core/constants.js
@@ -47,7 +47,8 @@ const Setting = {
    'SHOW_ICON_BADGE': 'showIconBadge',
    'SHOW_RELEASE_NOTES': 'showReleaseNotes',
    'STRIP_METADATA': 'stripMetadata',
-    'WHITELISTED_DOMAINS': 'whitelistedDomains'
+    'WHITELISTED_DOMAINS': 'whitelistedDomains',
+    'XHR_TEST_DOMAIN': 'xhrTestDomain'
 };

 const WebRequest = {
@@ -56,6 +57,10 @@ const WebRequest = {
    'HEADERS': 'requestHeaders'
 };

+const WebRequestType = {
+    'XHR': 'xmlhttprequest'
+};
+
 const Whitelist = {
    'TRIM_EXPRESSION': /^;+|;+$/g,
    'VALUE_SEPARATOR': ';'
--- a/core/interceptor.js
+++ b/core/interceptor.js
@@ -42,6 +42,13 @@ interceptor.handleRequest = function (requestDetails, tabIdentifier, tab) {
        tabDomain = Address.EXAMPLE;
    }

+    if (requestDetails.type === WebRequestType.XHR) {
+
+        if (tabDomain !== interceptor.xhrTestDomain) {
+            return interceptor._handleMissingCandidate(requestDetails.url);
+        }
+    }
+
    // Temporary list of undetectable tainted domains.
    let undetectableTaintedDomains = {
        '10fastfingers.com': true,
@@ -125,6 +132,10 @@ interceptor._handleMissingCandidate = function (requestUrl) {

 interceptor._handleStorageChanged = function (changes) {

+    if (Setting.XHR_TEST_DOMAIN in changes) {
+        interceptor.xhrTestDomain = changes.xhrTestDomain.newValue;
+    }
+
    if (Setting.BLOCK_MISSING in changes) {
        interceptor.blockMissing = changes.blockMissing.newValue;
    }
@@ -137,9 +148,17 @@ interceptor._handleStorageChanged = function (changes) {
 interceptor.amountInjected = 0;
 interceptor.blockMissing = false;

-chrome.storage.local.get([Setting.AMOUNT_INJECTED, Setting.BLOCK_MISSING], function (items) {
+interceptor.relatedSettings = [
+
+    Setting.AMOUNT_INJECTED,
+    Setting.XHR_TEST_DOMAIN,
+    Setting.BLOCK_MISSING
+];
+
+chrome.storage.local.get(interceptor.relatedSettings, function (items) {

    interceptor.amountInjected = items.amountInjected || 0;
+    interceptor.xhrTestDomain = items.xhrTestDomain || 'decentraleyes.org';
    interceptor.blockMissing = items.blockMissing || false;
 });

--- a/core/main.js
+++ b/core/main.js
@@ -26,6 +26,7 @@ var main = {};
 main._initializeOptions = function () {

    let optionDefaults = {
+        [Setting.XHR_TEST_DOMAIN]: 'decentraleyes.org',
        [Setting.SHOW_ICON_BADGE]: true,
        [Setting.BLOCK_MISSING]: false,
        [Setting.DISABLE_PREFETCH]: true,