Updated extensions:

 * Upgraded Privacy Redirect to 1.1.49 and configured to use the 10 most reliable invidious instances
 * Removed ViewTube
 * Added torproxy@icecat.gnu based on 'Proxy toggle' extension
 * Added jShelter 0.11.1
 * Upgraded LibreJS to 7.21.0
 * Upgraded HTTPS Everywhere to 2021.7.13
 * Upgraded SubmitMe to 1.9

1 files changed, 89 insertions, 0 deletions

diff --git a/data/extensions/jsr@javascriptrestrictor/wrappingS-AJAX.js b/data/extensions/jsr@javascriptrestrictor/wrappingS-AJAX.js
new file mode 100644
index 0000000..751eb72
--- /dev/null
+++ b/data/extensions/jsr@javascriptrestrictor/wrappingS-AJAX.js
@@ -0,0 +1,89 @@
+/** \file
+ * \brief Wrappers for XMLHttpRequest standard
+ *
+ * \see https://xhr.spec.whatwg.org/
+ *
+ *  \author Copyright (C) 2019  Libor Polcak
+ *  \author Copyright (C) 2021  Giorgio Maone
+ *
+ *  \license SPDX-License-Identifier: GPL-3.0-or-later
+ */
+//  This program is free software: you can redistribute it and/or modify
+//  it under the terms of the GNU General Public License as published by
+//  the Free Software Foundation, either version 3 of the License, or
+//  (at your option) any later version.
+//
+//  This program is distributed in the hope that it will be useful,
+//  but WITHOUT ANY WARRANTY; without even the implied warranty of
+//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//  GNU General Public License for more details.
+//
+//  You should have received a copy of the GNU General Public License
+//  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+//
+
+/** \file
+ * \ingroup wrappers
+ *
+ * XHR may be misused to exfiltrate data from the browser to the server.
+ * We provide a wrapper that either blocks all XHR requests or lets the
+ * user decide.
+ *
+ * \bug There are two flaws in the current implementation:
+ *
+ *  * There are many ways (see e.g. https://github.com/cure53/HTTPLeaks) to replace
+ *    XHR and consequently evade the wrapper. This can be mitigating by monitoring
+ *    the requests using Web Request API.
+ *  * The confirm method puts a lot of responsibility on the user who needs to
+ *    have a good knowledge about the requests on each visited page.
+ *
+ * \note We expect to remove the wrapper once we release JShelter
+ * with Fingerprint Detector (FPD). FPD should solve both issues above.
+ */
+
+
+/*
+ * Create private namespace
+ */
+(function() {
+	var wrappers = [
+		{
+			parent_object: "XMLHttpRequest.prototype",
+			parent_object_property: "open",
+			wrapped_objects: [
+				{
+					original_name: "XMLHttpRequest.prototype.open",
+					wrapped_name: "originalOpen",
+				},
+			],
+			helping_code: "var blockEveryXMLHttpRequest = args[0]; var confirmEveryXMLHttpRequest = args[1];",
+			wrapping_function_args: "...args",
+			wrapping_function_body: `
+					let {XHR_blocked} = WrapHelper.shared;
+					if (blockEveryXMLHttpRequest || (confirmEveryXMLHttpRequest && !confirm('There is a XMLHttpRequest on URL ' + args[1] + '. Do you want to continue?'))) {
+						XHR_blocked.add(this);
+						return [];
+					}
+					XHR_blocked.delete(this);
+					return originalOpen.call(this, ...args);
+				`,
+		},
+		{
+			parent_object: "XMLHttpRequest.prototype",
+			parent_object_property: "send",
+			wrapped_objects: [
+				{
+					original_name: "XMLHttpRequest.prototype.send",
+					wrapped_name: "originalSend",
+				},
+			],
+
+			helping_code: "WrapHelper.shared.XHR_blocked = new WeakSet();",
+			wrapping_function_args: "...args",
+			wrapping_function_body: `
+					if (!WrapHelper.shared.XHR_blocked.has(this)) return originalSend.call(this, ...args);
+				`,
+		},
+	]
+	add_wrappers(wrappers);
+})()