Diffstat (limited to 'data/extensions/https-everywhere-eff@eff.org/chrome/content/code/HTTPS.js')
-rw-r--r-- | data/extensions/https-everywhere-eff@eff.org/chrome/content/code/HTTPS.js | 330 |
1 files changed, 0 insertions, 330 deletions
diff --git a/data/extensions/https-everywhere-eff@eff.org/chrome/content/code/HTTPS.js b/data/extensions/https-everywhere-eff@eff.org/chrome/content/code/HTTPS.js
deleted file mode 100644
index c7328f6..0000000
--- a/data/extensions/https-everywhere-eff@eff.org/chrome/content/code/HTTPS.js
+++ /dev/null
@@ -1,330 +0,0 @@
-INCLUDE('Cookie');
-
-var securityService = CC['@mozilla.org/ssservice;1']
- .getService(CI.nsISiteSecurityService);
-
-// Hack. We only need the part of the policystate that tracks content
-// policy loading.
-const PolicyState = {
- attach: function(channel) {
- IOUtil.attachToChannel(channel, "httpseverywhere.policyLoaded", true);
- },
-
- extract: function(channel) {
- var res = IOUtil.extractFromChannel(channel,
- "httpseverywhere.policyLoaded", true);
- return res;
- },
-};
-
-const HTTPS = {
- ready: false,
-
- secureCookies: true,
- secureCookiesExceptions: null,
- secureCookiesForced: null,
- httpsForced: null,
- httpsForcedExceptions: null,
- httpsRewrite: null,
-
- /**
- * Given a channel and a list of potentially applicable rules,
- * redirect or abort a request if appropriate.
- *
- * @param {RuleSet[]} applicable_list A list of potentially applicable rules
- * (i.e. those that match on a hostname basis).
- * @param {nsIChannel} channel The channel to be manipulated.
- * @param {boolean} httpNowhereEnabled Whether to abort non-https requests.
- * @returns {boolean} True if the request was redirected; false if it was
- * untouched or aborted.
- */
- replaceChannel: function(applicable_list, channel, httpNowhereEnabled) {
- var blob = HTTPSRules.rewrittenURI(applicable_list, channel.URI.clone());
- var uri;
- if (blob === null) {
- // Abort insecure non-onion, non-localhost requests if HTTP Nowhere is on
- if (httpNowhereEnabled &&
- channel.URI.schemeIs("http") &&
- !/\.onion$/.test(channel.URI.host) &&
- !/^localhost$/.test(channel.URI.host) &&
- !/^127(\.[0-9]{1,3}){3}$/.test(channel.URI.host) &&
- !/^0\.0\.0\.0$/.test(channel.URI.host)
- ) {
- var newurl = channel.URI.spec.replace(/^http:/, "https:");
- uri = CC["@mozilla.org/network/standard-url;1"].
- createInstance(CI.nsIStandardURL);
- uri.init(CI.nsIStandardURL.URLTYPE_STANDARD, 443,
- newurl, channel.URI.originCharset, null);
- uri = uri.QueryInterface(CI.nsIURI);
- } else {
- return false; // no rewrite
- }
- } else {
- uri = blob.newuri;
- }
- if (!uri) this.log(WARN, "OH NO BAD ARGH\nARGH");
-
- // Abort downgrading if HTTP Nowhere is on
- if (httpNowhereEnabled && uri.schemeIs("http")) {
- IOUtil.abort(channel);
- }
-
- var c2 = channel.QueryInterface(CI.nsIHttpChannel);
- this.log(DBUG, channel.URI.spec+": Redirection limit is " + c2.redirectionLimit);
- // XXX This used to be (c2.redirectionLimit == 1), but that's very
- // inefficient in a case (eg amazon) where this may happen A LOT.
- // Rather than number like 10, we should use the starting value
- // in network.http.redirection-limit minus some counter
- if (c2.redirectionLimit < 10) {
- this.log(WARN, "Redirection loop trying to set HTTPS on:\n " +
- channel.URI.spec +"\n(falling back to HTTP)");
- if (blob) {
- if (!blob.applied_ruleset) {
- this.log(WARN,"Blacklisting rule for: " + channel.URI.spec);
- https_everywhere_blacklist[channel.URI.spec] = true;
- }
- https_everywhere_blacklist[channel.URI.spec] = blob.applied_ruleset;
- }
- var domain = null;
- try { domain = channel.URI.host; } catch (e) {}
- if (domain) https_blacklist_domains[domain] = true;
- if (httpNowhereEnabled && channel.URI.schemeIs("http")) {
- IOUtil.abort(channel);
- }
- return false;
- }
-
- // Check for the new internal redirect API. If it exists, use it.
- if (!"redirectTo" in channel) {
- this.log(WARN, "nsIHTTPChannel.redirectTo API is missing. This version of HTTPS Everywhere is useless!!!!\n!!!\n");
- return false;
- }
-
- this.log(INFO, "Using nsIHttpChannel.redirectTo: " + channel.URI.spec + " -> " + uri.spec);
- try {
- channel.redirectTo(uri);
- return true;
- } catch(e) {
- // This should not happen. We should only get exceptions if
- // the channel was already open.
- this.log(WARN, "Exception on nsIHttpChannel.redirectTo: "+e);
- }
- this.log(WARN,"Aborting redirection " + channel.name + ", should be HTTPS!");
- IOUtil.abort(channel);
- return false;
- },
-
- // getApplicableListForContext was remove along with the nsIContentPolicy
- // bindings and the and forceURI path that used them.
-
- onCrossSiteRequest: function(channel, origin, browser, rw) {
- try {
- this.handleCrossSiteCookies(channel, origin, browser);
- } catch(e) {
- this.log(WARN, e + " --- " + e.stack);
- }
- },
-
- registered: false,
- handleSecureCookies: function(req) {
-
- try {
- req = req.QueryInterface(CI.nsIHttpChannel);
- } catch(e) {
- this.log(WARN, "Request is not an nsIHttpChannel: " + req);
- return;
- }
- if (!this.secureCookies) return;
- var uri = req.URI;
- if (!uri) {
- this.log(WARN,"No URI inside request " +req);
- return;
- }
- //this.log(DBUG, "Cookie hunting in " + uri.spec);
- var alist = HTTPSEverywhere.instance.getApplicableListForChannel(req);
- if (!alist)
- this.log(INFO, "No alist for cookies for "+(req.URI) ? req.URI.spec : "???");
-
- if (uri.schemeIs("https")) {
- var host = uri.host;
- try {
- var cookies = req.getResponseHeader("Set-Cookie");
- } catch(mayHappen) {
- //this.log(VERB,"Exception hunting Set-Cookie in headers: " + mayHappen);
- return;
- }
- if (!cookies) return;
- var c;
- for (var cs of cookies.split("\n")) {
- this.log(DBUG, "Examining cookie: ");
- c = new Cookie(cs, host);
- if (!c.secure && HTTPSRules.shouldSecureCookie(alist, c, true)) {
- this.log(INFO, "Securing cookie: " + c.domain + " " + c.name);
- c.secure = true;
- req.setResponseHeader("Set-Cookie", c.source + ";Secure", true);
- }
- }
-
- }
- },
-
- handleInsecureCookie: function(c) {
- if (HTTPSRules.shouldSecureCookie(null, c, false)) {
- this.log(INFO, "Securing cookie from event: " + c.host + " " + c.name);
- var cookieManager = Components.classes["@mozilla.org/cookiemanager;1"]
- .getService(Components.interfaces.nsICookieManager2);
- //some braindead cookies apparently use umghzabilliontrabilions
- var expiry = Math.min(c.expiry, Math.pow(2,31));
- cookieManager.remove(c.host, c.name, c.path, false, c.originAttributes);
- cookieManager.add(c.host, c.path, c.name, c.value, true, c.isHTTPOnly, c.isSession, expiry, c.originAttributes);
- }
- },
-
- handleCrossSiteCookies: function(req, origin, browser) {
-
- var unsafeCookies = this.getUnsafeCookies(browser);
- if (!unsafeCookies) return;
-
- var uri = req.URI;
- var dscheme = uri.scheme;
-
- var oparts = origin && origin.match(/^(https?):\/\/([^\/:]+).*?(\/.*)/);
- if (!(oparts && /https?/.test(dscheme))) return;
-
- var oscheme = oparts[1];
- if (oscheme == dscheme) return; // we want to check only cross-scheme requests
-
- var dsecure = dscheme == "https";
-
- if (dsecure && !ns.getPref("secureCookies.recycle", false)) return;
-
- var dhost = uri.host;
- var dpath = uri.path;
-
- var ohost = oparts[2];
- var opath = oparts[3];
-
- var ocookieCount = 0, totCount = 0;
- var dcookies = [];
- var c;
-
- for (var k in unsafeCookies) {
- c = unsafeCookies[k];
- if (!c.exists()) {
- delete unsafeCookies[k];
- } else {
- totCount++;
- if (c.belongsTo(dhost, dpath) && c.secure != dsecure) { // either secure on http or not secure on https
- dcookies.push(c);
- }
- if (c.belongsTo(ohost, opath)) {
- ocookieCount++;
- }
- }
- }
-
- if (!totCount) {
- this.setUnsafeCookies(browser, null);
- return;
- }
-
- // We want to "desecurify" cookies only if cross-navigation to unsafe
- // destination originates from a site sharing some secured cookies
-
- if (ocookieCount == 0 && !dsecure || !dcookies.length) return;
-
- if (dsecure) {
- this.log(WARN,"Detected cross-site navigation with secured cookies: " + origin + " -> " + uri.spec);
-
- } else {
- this.log(WARN,"Detected unsafe navigation with NoScript-secured cookies: " + origin + " -> " + uri.spec);
- this.log(WARN,uri.prePath + " cannot support secure cookies because it does not use HTTPS. Consider forcing HTTPS for " + uri.host + " in NoScript's Advanced HTTPS options panel.");
- }
-
- var cs = CC['@mozilla.org/cookieService;1'].getService(CI.nsICookieService).getCookieString(uri, req);
-
- for (c of dcookies) {
- c.secure = dsecure;
- c.save();
- this.log(WARN,"Toggled secure flag on " + c);
- }
-
- if (cs) {
- dcookies.push.apply(
- dcookies, cs.split(/\s*;\s*/).map(function(cs) { var nv = cs.split("="); return { name: nv.shift(), value: nv.join("=") }; })
- .filter(function(c) { return dcookies.every(function(x) { return x.name != c.name; }); })
- );
- }
-
- cs = dcookies.map(function(c) { return c.name + "=" + c.value; }).join("; ");
-
- this.log(WARN,"Sending Cookie for " + dhost + ": " + cs);
- req.setRequestHeader("Cookie", cs, false); // "false" because merge syntax breaks Cookie header
- },
-
-
- cookiesCleanup: function(refCookie) {
- var ignored = this.secureCookiesExceptions;
- var disabled = !this.secureCookies;
- var bi = DOM.createBrowserIterator();
- var unsafe, k, c, total, deleted;
- for (var browser; browser = bi.next();) {
- unsafe = this.getUnsafeCookies(browser);
- if (!unsafe) continue;
- total = deleted = 0;
- for (k in unsafe) {
- c = unsafe[k];
- total++;
- if (disabled || (refCookie ? c.belongsTo(refCookie.host) : ignored && ignored.test(c.rawHost))) {
- if (c.exists()) {
- this.log(WARN,"Cleaning Secure flag from " + c);
- c.secure = false;
- c.save();
- }
- delete unsafe[k];
- deleted++;
- }
- }
- if (total == deleted) this.setUnsafeCookies(browser, null);
- if (!this.cookiesPerTab) break;
- }
- },
-
- get cookiesPerTab() {
- return ns.getPref("secureCookies.perTab", false);
- },
-
- _globalUnsafeCookies: {},
- getUnsafeCookies: function(browser) {
- return this.cookiesPerTab
- ? browser && ns.getExpando(browser, "unsafeCookies")
- : this._globalUnsafeCookies;
- },
- setUnsafeCookies: function(browser, value) {
- return this.cookiesPerTab
- ? browser && ns.setExpando(browser, "unsafeCookies", value)
- : this._globalUnsafeCookies = value;
- },
-
- _getParent: function(req, w) {
- return w && w.frameElement || DOM.findBrowserForNode(w || IOUtil.findWindow(req));
- }
-
-};
-
-(function () {
- ["secureCookies", "secureCookiesExceptions", "secureCookiesForced"].forEach(function(p) {
- var v = HTTPS[p];
- delete HTTPS[p];
- HTTPS.__defineGetter__(p, function() {
- return v;
- });
- HTTPS.__defineSetter__(p, function(n) {
- v = n;
- if (HTTPS.ready) HTTPS.cookiesCleanup();
- return v;
- });
- });
-})();
-
-HTTPS.ready = true; |