1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
/** \file
* \brief Wrappers for XMLHttpRequest standard
*
* \see https://xhr.spec.whatwg.org/
*
* \author Copyright (C) 2019 Libor Polcak
* \author Copyright (C) 2021 Giorgio Maone
*
* \license SPDX-License-Identifier: GPL-3.0-or-later
*/
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
//
/** \file
* \ingroup wrappers
*
* XHR may be misused to exfiltrate data from the browser to the server.
* We provide a wrapper that either blocks all XHR requests or lets the
* user decide.
*
* \bug There are two flaws in the current implementation:
*
* * There are many ways (see e.g. https://github.com/cure53/HTTPLeaks) to replace
* XHR and consequently evade the wrapper. This can be mitigating by monitoring
* the requests using Web Request API.
* * The confirm method puts a lot of responsibility on the user who needs to
* have a good knowledge about the requests on each visited page.
*
* \note We expect to remove the wrapper once we release JShelter
* with Fingerprint Detector (FPD). FPD should solve both issues above.
*/
/*
* Create private namespace
*/
(function() {
var wrappers = [
{
parent_object: "XMLHttpRequest.prototype",
parent_object_property: "open",
wrapped_objects: [
{
original_name: "XMLHttpRequest.prototype.open",
wrapped_name: "originalOpen",
},
],
helping_code: "var blockEveryXMLHttpRequest = args[0]; var confirmEveryXMLHttpRequest = args[1];",
wrapping_function_args: "...args",
wrapping_function_body: `
let {XHR_blocked} = WrapHelper.shared;
if (blockEveryXMLHttpRequest || (confirmEveryXMLHttpRequest && !confirm('There is a XMLHttpRequest on URL ' + args[1] + '. Do you want to continue?'))) {
XHR_blocked.add(this);
return [];
}
XHR_blocked.delete(this);
return originalOpen.call(this, ...args);
`,
},
{
parent_object: "XMLHttpRequest.prototype",
parent_object_property: "send",
wrapped_objects: [
{
original_name: "XMLHttpRequest.prototype.send",
wrapped_name: "originalSend",
},
],
helping_code: "WrapHelper.shared.XHR_blocked = new WeakSet();",
wrapping_function_args: "...args",
wrapping_function_body: `
if (!WrapHelper.shared.XHR_blocked.has(this)) return originalSend.call(this, ...args);
`,
},
]
add_wrappers(wrappers);
})()
|