"Protect" data URL pages by blocking outgoing requests

Fixes #208
2018-07-16 00:14:44 +02:00 · 2018-07-16 00:14:44 +02:00 · 47a9519ceb
parent 8ca23e37e1
commit 47a9519ceb
8 changed files with 95 additions and 3 deletions
--- a/_locales/de/messages.json
+++ b/_locales/de/messages.json
@ -699,6 +699,15 @@
 		"description": ""
 	},
 	
+	"blockRequestsFromDataURL_title": {
+		"message": "Anfragen von Data-URL Seiten blockieren",
+		"description": ""
+	},
+	"blockRequestsFromDataURL_description": {
+		"message": "Data-URL Seiten können nicht gegen Fingerprinting geschützt werden (siehe https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Indem Anfragen von Data-URL Seiten blockiert werden kann verhindert werden, dass der echte Fingerabdruck zu irgendeinem Server gelangt.",
+		"description": ""
+	},
+	
 	"showReleaseNotes_title": {
 		"message": "Versionsinformationen",
 		"description": ""
--- a/_locales/en/messages.json
+++ b/_locales/en/messages.json
@ -699,6 +699,15 @@
 		"description": ""
 	},
 	
+	"blockRequestsFromDataURL_title": {
+		"message": "Block requests from data URL pages",
+		"description": ""
+	},
+	"blockRequestsFromDataURL_description": {
+		"message": "Data URL pages cannot be protected agains fingerprinting (see https://bugzilla.mozilla.org/show_bug.cgi?id=1475831). Blocking requests from them prevents the real fingerprint to reach any server.",
+		"description": ""
+	},
+	
 	"showReleaseNotes_title": {
 		"message": "Release notes",
 		"description": ""
--- a/lib/dataUrls.js
+++ b/lib/dataUrls.js
@ -0,0 +1,50 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+(function(){
+	"use strict";
+	
+	var scope;
+	if ((typeof exports) !== "undefined"){
+		scope = exports;
+	}
+	else {
+		window.scope.dataUrls = {};
+		scope = window.scope.dataUrls;
+	}
+	
+	const logging = require("./logging");
+	const settings = require("./settings");
+	
+
+	const dataUrlFrames = new Set();
+	scope.init = function(){
+		browser.webRequest.onBeforeRequest.addListener(
+			function(details){
+				if (
+					details.url.startsWith("data:text")
+				){
+					dataUrlFrames.add(details.frameId);
+					logging.message("Detected data URL", details);
+				}
+				else if (
+					settings.blockRequestsFromDataURL &&
+					dataUrlFrames.has(details.frameId)
+				){
+					logging.warning("Blocking request from data-URL frame.", details);
+					if (
+						settings.get("showNotifications")
+					){
+						browser.pageAction.show(details.tabId);
+					}
+					return {cancel: true};
+				}
+			},
+			{
+				urls: ["<all_urls>"]
+			},
+			["blocking"]
+		);
+	};
+
+}());
--- a/lib/main.js
+++ b/lib/main.js
@ -141,6 +141,9 @@
 		}
 	});
 	
+	message("Initialize data-URL workaround.");
+	require("./dataUrls").init();
+	
 	browser.runtime.onInstalled.addListener(function(details){
 		function openOptions(reason){
 			if (
--- a/lib/settingDefinitions.js
+++ b/lib/settingDefinitions.js
@ -200,6 +200,10 @@
 				return Math.floor(Math.random() * 30).toString(10);
 			}
 		},
+		{
+			name: "blockRequestsFromDataURL",
+			defaultValue: true
+		},
 		{
 			name: "displayAdvancedSettings",
 			defaultValue: false
--- a/manifest.json
+++ b/manifest.json
@ -2,7 +2,7 @@
 {
 	"name": "CanvasBlocker",
 	"description": "__MSG_addon_description__",
-	"version": "0.4.6alpha",
+	"version": "0.5.0",
 	"icons": {
 		"48": "icons/icon.svg",
 		"96": "icons/icon.svg"
@ -15,6 +15,7 @@
 			"lib/logging.js",
 			"lib/lists.js",
 			"lib/persistentRndStorage.js",
+			"lib/dataUrls.js",
 			"lib/main.js"
 		]
 	},
@ -65,7 +66,9 @@
 		"<all_urls>",
 		"storage",
 		"tabs",
-		"activeTab"
+		"activeTab",
+		"webRequest",
+		"webRequestBlocking"
 	],
 	
 	"applications": {
--- a/options/settingsDisplay.js
+++ b/options/settingsDisplay.js
@ -379,6 +379,12 @@
 			]
 		},
 		"misc",
+		{
+			"name": "blockRequestsFromDataURL",
+			"displayDependencies": {
+				"displayAdvancedSettings": [true]
+			}
+		},
 		{
 			"name": "showReleaseNotes"
 		},
--- a/releaseNotes.txt
+++ b/releaseNotes.txt
@ -1,4 +1,4 @@
-Version 0.4.6:
+Version 0.5.0:
 	changes:
 		- Changes in the random supply API
 		- Added grouping to API white list
@ -10,6 +10,14 @@ Version 0.4.6:
 	
 	fixes:
 		- make function replacements not detectable
+		- "protect" data URL pages by blocking all requests from them
+	
+	removed fixes:
+		- display of about:blank broken in Waterfox
+		  reason: it should help protect data URL pages in the future
+	
+	known issues:
+		- if a data URL request is blocked the page action button appears but shown no content

 Version 0.4.5c:
 	new features: