Revision fba67f09

Added by koszko over 1 year ago

allow injected scripts to bypass CORS using provided API


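--- a/content/haketilo_apis.js
+++ b/content/haketilo_apis.js
@@ -43,7 +43,35 @@
  */
 
 #FROM common/browser.js IMPORT browser
+#FROM common/misc.js    IMPORT error_data_jsonifiable
+
+async function on_CORS_bypass(event) {
+    const name = "haketilo_CORS_bypass";
+
+    console.warn("delme event", event.detail);
+
+    if (typeof event.detail.id   !== "string" ||
+	typeof event.detail.data !== "string") {
+	console.error(`Haketilo: Invalid detail for ${name}:`,
+		      event.detail);
+	return;
+    }
+
+    try {
+	const data = JSON.parse(event.detail.data);
+	var result = await browser.runtime.sendMessage(["CORS_bypass", data]);
+	if (result === undefined)
+	    throw new Error("Couldn't communicate with Haketilo background script.");
+    } catch(e) {
+	var result = {error: error_data_jsonifiable(e)};
+    }
+
+    const response_name = `${name}-${event.detail.id}`;
+    const detail = JSON.stringify(result);
+    window.dispatchEvent(new CustomEvent(response_name, {detail}));
+}
 
 function start() {
+    window.addEventListener("haketilo_CORS_bypass", on_CORS_bypass);
 }
 #EXPORT start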
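Review bot: `on_CORS_bypass` is registered on `window` and acts on any `haketilo_CORS_bypass` event, so the page's own scripts can dispatch it just as Haketilo-injected scripts can; nothing in the handler tells the two apart, and the parsed `data` is forwarded to the background script unchecked. Unless `background/CORS_bypass_server.js` (not shown in this section) limits which URLs and credentials are used, every visited page gains a cross-origin fetch with the extension's privileges, so the listener should only be active on pages where Haketilo actually injected scripts, and `data.url`/`data.init` should be validated before `sendMessage`. Separately, `event.detail` can be `null`, which makes the type check throw inside the async handler; begin the condition with `!event.detail ||`. The `console.warn("delme event", event.detail);` line looks like leftover debugging that logs page-supplied data and should be dropped.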
test/haketilo_test/unit/test_haketilo_apis.py
1
# SPDX-License-Identifier: CC0-1.0
2

  
3
"""
4
Haketilo unit tests - exposing some special functionalities to injected scripts
5
"""
6

  
7
# This file is part of Haketilo
8
#
9
# Copyright (C) 2022 Wojtek Kosior <koszko@koszko.org>
10
#
11
# This program is free software: you can redistribute it and/or modify
12
# it under the terms of the CC0 1.0 Universal License as published by
13
# the Creative Commons Corporation.
14
#
15
# This program is distributed in the hope that it will be useful,
16
# but WITHOUT ANY WARRANTY; without even the implied warranty of
17
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18
# CC0 1.0 Universal License for more details.
19

  
20
import pytest
21
import json
22
from selenium.webdriver.support.ui import WebDriverWait
23

  
24
from ..script_loader import load_script
25
from ..world_wide_library import some_data
26

  
27
def content_script():
28
    return load_script('content/haketilo_apis.js') + ';\nstart();'
29

  
30
def background_script():
31
    return load_script('background/CORS_bypass_server.js') + ';\nstart();'
32

  
33
@pytest.mark.ext_data({
34
    'content_script': content_script,
35
    'background_script': background_script
36
})
37
@pytest.mark.usefixtures('webextension')
38
def test_haketilo_apis_CORS_bypass(driver):
39
    """
40
    Verify injected scripts will be able to bypass CORS with the help of
41
    Haketilo API.
42
    """
43
    driver.get('https://gotmyowndoma.in/')
44
    driver.execute_script(
45
        '''
46
        const fetch_arg = {
47
            url: "https://anotherdoma.in/resource/blocked/by/CORS.json",
48
            init: {}
49
        };
50

  
51
        const detail = {
52
            data: JSON.stringify(fetch_arg),
53
            id:   "abcdef"
54
        };
55

  
56
        window.addEventListener("haketilo_CORS_bypass-abcdef",
57
                                e => window.__response = e.detail);
58
        window.dispatchEvent(new CustomEvent("haketilo_CORS_bypass", {detail}));
59
        ''')
60

  
61
    get_response = lambda d: d.execute_script("return window.__response;")
62
    response = WebDriverWait(driver, 10).until(get_response)
63
    response = json.loads(response)
64

  
65
    assert response['body'] == some_data.encode().hex()
66
    assert response['status'] == 200
67
    assert type(response['headers']) is list
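Review bot: Only the success path of the new API is exercised in `test_haketilo_apis_CORS_bypass`; the `{error: ...}` branch of `on_CORS_bypass` and its rejection of a non-string `id`/`data` are never checked, so a regression that answers malformed requests or drops the error reply would pass unnoticed. A second case that dispatches `data: "not json"` and asserts `'error' in response` would cover the catch branch. For a security-sensitive API like this one, a case showing what happens when the request comes from a page without injected scripts would also document the intended trust boundary. On the last assertion, `assert isinstance(response['headers'], list)` is the idiomatic form.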
