Updated: Remove integrity checks (#66)

core/constants.js

@@ -75,7 +75,8 @@ const Setting = {
 const WebRequest = {
     'GET': 'GET',
     'BLOCKING': 'blocking',
-    'HEADERS': 'requestHeaders'
+    'HEADERS': 'requestHeaders',
+    'RESPONSE_HEADERS': 'responseHeaders'
 };
 
 const WebRequestType = {

core/interceptor.js

@@ -125,353 +125,7 @@ interceptor._handleStorageChanged = function (changes) {
  */
 
 // Temporary list of tainted domains.
-interceptor.taintedDomains = {
-    '10fastfingers.com': true,
-    'ack.net': true,
-    'adelnews.com': true,
-    'advocatepress.com': true,
-    'aledotimesrecord.com': true,
-    'alicetx.com': true,
-    'amarillo.com': true,
-    'amestrib.com': true,
-    'amtrib.com': true,
-    'apalachtimes.com': true,
-    'ardmoreite.com': true,
-    'augustachronicle.com': true,
-    'auroraadvertiser.net': true,
-    'barnesville-enterprise.com': true,
-    'barnstablepatriot.com': true,
-    'bcdemocratonline.com': true,
-    'beauregarddailynews.net': true,
-    'blog.datawrapper.de': true,
-    'blueridgenow.com': true,
-    'blufftontoday.com': true,
-    'boonevilledemocrat.com': true,
-    'boonvilledailynews.com': true,
-    [`br.span${'kb'}ang.com`]: true,
-    'brownwoodtx.com': true,
-    'buckscountycouriertimes.com': true,
-    'bundleofholding.com': true,
-    'burlingtoncountytimes.com': true,
-    'butlercountytimesgazette.com': true,
-    'cambridgechron.com': true,
-    'cantondailyledger.com': true,
-    'cantonrep.com': true,
-    'capecodtimes.com': true,
-    'captcha.realtek.com': true,
-    'carmitimes.com': true,
-    'cdnjs.com': true,
-    'cellmapper.net': true,
-    'charlestonexpress.com': true,
-    'cheboygannews.com': true,
-    'chieftain.com': true,
-    'chillicothenews.com': true,
-    'chillicothetimesbulletin.com': true,
-    'chipleypaper.com': true,
-    'chronicle-express.com': true,
-    'cjonline.com': true,
-    'code.world': true,
-    'columbiadailyherald.com': true,
-    'columbiatribune.com': true,
-    'courier-tribune.com': true,
-    'creativecommons.org': true,
-    'crestviewbulletin.com': true,
-    'crookstontimes.com': true,
-    'daily-jeff.com': true,
-    'dailycomet.com': true,
-    'dailycommercial.com': true,
-    'dansvilleonline.com': true,
-    'de.sharkoon.com': true,
-    [`de.span${'kb'}ang.com`]: true,
-    'devilslakejournal.com': true,
-    'dispatch.com': true,
-    'docs.servicenow.com': true,
-    'dodgeglobe.com': true,
-    'donaldsonvillechief.com': true,
-    'doverpost.com': true,
-    'dropbox.com': true,
-    'eastpeoriatimescourier.com': true,
-    'echo-news.co.uk': true,
-    'echo-pilot.com': true,
-    'edinburgreview.com': true,
-    'ellwoodcityledger.com': true,
-    'en.sharkoon.com': true,
-    'enterprisenews.com': true,
-    'epey.com': true,
-    'es.sharkoon.com': true,
-    [`es.span${'kb'}ang.com`]: true,
-    'evoice.com': true,
-    'examiner-enterprise.com': true,
-    'examiner.net': true,
-    'fayobserver.com': true,
-    'fosters.com': true,
-    'fowlertribune.com': true,
-    'fr.sharkoon.com': true,
-    [`fr.span${'kb'}ang.com`]: true,
-    'freebusy.io': true,
-    'gadsdentimes.com': true,
-    'gainesville.com': true,
-    'galesburg.com': true,
-    'galvanews.com': true,
-    'gastongazette.com': true,
-    'gazetadopovo.com.br': true,
-    'gctelegram.com': true,
-    'gdt.oqlf.gouv.qc.ca': true,
-    'geneseorepublic.com': true,
-    'glowing-bear.org': true,
-    'goerie.com': true,
-    'goupstate.com': true,
-    'grandlakenews.com': true,
-    'granitefallsnews.com': true,
-    'greenwooddemocrat.com': true,
-    'hamburgreporter.com': true,
-    'hannibal.net': true,
-    'havenews.com': true,
-    'hdnews.net': true,
-    'helena-arkansas.com': true,
-    'heralddemocrat.com': true,
-    'heraldnews.com': true,
-    'heraldtribune.com': true,
-    'hillsdale.net': true,
-    'hockessincommunitynews.com': true,
-    'hollandsentinel.com': true,
-    'houmatoday.com': true,
-    'hsvvoice.com': true,
-    'hutchnews.com': true,
-    'ico.org.uk': true,
-    [`id.span${'kb'}ang.com`]: true,
-    'identi.ca': true,
-    [`in.span${'kb'}ang.com`]: true,
-    'indeonline.com': true,
-    'it.sharkoon.com': true,
-    [`it.span${'kb'}ang.com`]: true,
-    'ja.sharkoon.com': true,
-    'jacksonnewspapers.com': true,
-    'jacksonville.com': true,
-    'jdnews.com': true,
-    'journaldemocrat.com': true,
-    'journalstandard.com': true,
-    [`jp.span${'kb'}ang.com`]: true,
-    'kinston.com': true,
-    'kiowacountysignal.com': true,
-    'kirksvilledailyexpress.com': true,
-    'ko.sharkoon.com': true,
-    [`la.span${'kb'}ang.com`]: true,
-    'labdoor.com': true,
-    'lajuntatribunedemocrat.com': true,
-    'lakenewsonline.com': true,
-    'laziska.com.pl': true,
-    'leavenworthtimes.com': true,
-    'leesvilledailyleader.com': true,
-    'lemon-aid.de': true,
-    'lenconnect.com': true,
-    'leominsterchamp.com': true,
-    'lincolncourier.com': true,
-    'linkbostonhomes.com': true,
-    'linncountyleader.com': true,
-    'lubbockonline.com': true,
-    'm-ce.pl': true,
-    'manualslib.com': true,
-    'mcdonoughvoice.com': true,
-    'mcphersonsentinel.com': true,
-    'meslieux.paris.fr': true,
-    'metrowestdailynews.com': true,
-    'mexicoledger.com': true,
-    'mgm.gov.tr': true,
-    'miamiok.com': true,
-    'middletowntranscript.com': true,
-    'midlothianmirror.com': true,
-    'milfordbeacon.com': true,
-    'milforddailynews.com': true,
-    'millburysutton.com': true,
-    'minigames.mail.ru': true,
-    'miniquadtestbench.com': true,
-    'moberlymonitor.com': true,
-    'mojbytom.pl': true,
-    'mojchorzow.pl': true,
-    'mojegliwice.pl': true,
-    'mojekatowice.pl': true,
-    'mojetychy.pl': true,
-    'mojmikolow.pl': true,
-    'monroecopost.com': true,
-    'monroenews.com': true,
-    'montenews.com': true,
-    'morningsun.net': true,
-    'mortontimesnews.com': true,
-    'moscowvillager.com': true,
-    'mpnnow.com': true,
-    [`ms.span${'kb'}ang.com`]: true,
-    'mtshastanews.com': true,
-    'mytownneo.com': true,
-    'ncnewspress.com': true,
-    'neagle.com': true,
-    'neoshodailynews.com': true,
-    'nevadaiowajournal.com': true,
-    'newbernsj.com': true,
-    'newcomerstown-news.com': true,
-    'newlook.dteenergy.com': true,
-    'newportri.com': true,
-    'news-journalonline.com': true,
-    'news-star.com': true,
-    'newschief.com': true,
-    'newsherald.com': true,
-    'newsrepublican.com': true,
-    'newstribune.info': true,
-    'nhm.ac.uk': true,
-    'nl.sharkoon.com': true,
-    [`nl.span${'kb'}ang.com`]: true,
-    'northneighbornews.com': true,
-    'norwichbulletin.com': true,
-    'nwfdailynews.com': true,
-    'oakridger.com': true,
-    'ocala.com': true,
-    'ohio.com': true,
-    'olneydailymail.com': true,
-    'onlineathens.com': true,
-    'opavote.com': true,
-    'opendata.cbs.nl': true,
-    'openweathermap.org': true,
-    'oriongazette.com': true,
-    'orzesze.com.pl': true,
-    'ottawaherald.com': true,
-    'palmbeachpost.com': true,
-    'paris-express.com': true,
-    'patriotledger.com': true,
-    'pawhuskajournalcapital.com': true,
-    'pbcommercial.com': true,
-    'pekintimes.com': true,
-    'piekaryslaskie.com.pl': true,
-    'pjstar.com': true,
-    'pl.sharkoon.com': true,
-    [`pl.span${'kb'}ang.com`]: true,
-    'poconorecord.com': true,
-    'poedb.tw': true,
-    'pontiacdailyleader.com': true,
-    'postsouth.com': true,
-    'pratttribune.com': true,
-    'pressargus.com': true,
-    'pressmentor.com': true,
-    'progress-index.com': true,
-    'prosperpressnews.com': true,
-    'providencejournal.com': true,
-    'pt.sharkoon.com': true,
-    [`pt.span${'kb'}ang.com`]: true,
-    'pyskowice.com.pl': true,
-    'qwertee.com': true,
-    'record-courier.com': true,
-    'recordnet.com': true,
-    'recordonline.com': true,
-    'recordstar.com': true,
-    'redwoodfallsgazette.com': true,
-    'regentgreymouth.co.nz': true,
-    'registerguard.com': true,
-    'report-uri.io': true,
-    'reviewatlas.com': true,
-    'ridgecrestca.com': true,
-    'rrstar.com': true,
-    'ru.sharkoon.com': true,
-    [`ru.span${'kb'}ang.com`]: true,
-    'rudaslaska.com.pl': true,
-    'runnelscountyregister.com': true,
-    'rybnicki.com': true,
-    'salina.com': true,
-    'savannahnow.com': true,
-    'scan.nextcloud.com': true,
-    'scotthelme.co.uk': true,
-    'scsuntimes.com': true,
-    [`se.span${'kb'}ang.com`]: true,
-    'seacoastonline.com': true,
-    'securityheaders.com': true,
-    'securityheaders.io': true,
-    'sekvoice.com': true,
-    'sentinel-standard.com': true,
-    'shelbystar.com': true,
-    'siemianowice.net.pl': true,
-    'signal.org': true,
-    'siskiyoudaily.com': true,
-    'sj-r.com': true,
-    'sjnewsonline.com': true,
-    'sleepyeyenews.com': true,
-    'somiibo.com': true,
-    'sooeveningnews.com': true,
-    'sosnowiecki.pl': true,
-    'southcoasttoday.com': true,
-    [`span${'kb'}ang.com`]: true,
-    'srpressgazette.com': true,
-    'stadium.se': true,
-    'starcourier.com': true,
-    'starfl.com': true,
-    'starnewsonline.com': true,
-    'statesman.com': true,
-    'staugustine.com': true,
-    'stefansundin.github.io': true,
-    'steubencourier.com': true,
-    'stjamesnews.com': true,
-    'sturgisjournal.com': true,
-    'stuttgartdailyleader.com': true,
-    'swiony.pl': true,
-    'swtimes.com': true,
-    'taftmidwaydriller.com': true,
-    'tauntongazette.com': true,
-    'telegram.com': true,
-    'teutopolispress.com': true,
-    [`th.span${'kb'}ang.com`]: true,
-    'the-daily-record.com': true,
-    'the-dispatch.com': true,
-    'the-leader.com': true,
-    'the-review.com': true,
-    'thecarbondalenews.com': true,
-    'thedailyreporter.com': true,
-    'thedestinlog.com': true,
-    'thegraftonnews.com': true,
-    'thegurdontimes.com': true,
-    'thehawkeye.com': true,
-    'theintell.com': true,
-    'thekansan.com': true,
-    'thelandmark.com': true,
-    'theledger.com': true,
-    'theperrychief.com': true,
-    'therecordherald.com': true,
-    'therolladailynews.com': true,
-    'thesuburbanite.com': true,
-    'thetimesnews.com': true,
-    'thisweeknews.com': true,
-    'times-gazette.com': true,
-    'timescale.com': true,
-    'timesonline.com': true,
-    'timesreporter.com': true,
-    'timestelegram.com': true,
-    'topsailadvertiser.com': true,
-    'tr.sharkoon.com': true,
-    [`tr.span${'kb'}ang.com`]: true,
-    'transcend-info.com': true,
-    'tuscaloosanews.com': true,
-    'udacity.com': true,
-    'uticaod.com': true,
-    'vanalstyneleader.com': true,
-    'vvdailypress.com': true,
-    'waltonsun.com': true,
-    'washingtontimesreporter.com': true,
-    'waxahachietx.com': true,
-    'wayneindependent.com': true,
-    'waynepost.com': true,
-    'weeklycitizen.com': true,
-    'wellingtondailynews.com': true,
-    'wellsvilledaily.com': true,
-    'whitehalljournal.com': true,
-    'wodzislaw.com.pl': true,
-    'woodfordtimes.com': true,
-    'worcestermag.com': true,
-    'yadi.sk': true,
-    'yelp.com': true,
-    'yourglenrosetx.com': true,
-    'yourstephenvilletx.com': true,
-    'yourvalleyvoice.com': true,
-    'yourvotematters.co.uk': true,
-    'zabrze.com.pl': true,
-    'zh-hant.sharkoon.com': true,
-    'zory.com.pl': true
-};
+interceptor.taintedDomains = {};
 
 interceptor.amountInjected = 0;
 interceptor.xhrTestDomain = Address.DECENTRALEYES;

core/state-manager.js

@@ -281,6 +281,54 @@ stateManager._setIconDisabled = function (tabIdentifier) {
     });
 };
 
+stateManager._getContentType = function (headers) {
+
+    // by Jaap (https://gitlab.com/Jaaap)
+    for (let header of headers) {
+        if (header.name.toLowerCase() === "content-type") { //"text/html; charset=UTF-8"
+            return {
+                mimeType: header.value.replace(/;.*/, '').toLowerCase(),
+                charset: /charset\s*=/.test(header.value) ? header.value.replace(/^.*?charset\s*=\s*/, '') : 'UTF-8'
+            };
+        }
+    }
+    return { mimeType: '', charset: '' };
+};
+
+stateManager._removeCrossoriginAndIntegrityAttr = function (details) {
+
+    // by Jaap (https://gitlab.com/Jaaap)
+    let { mimeType, charset } = stateManager._getContentType(details.responseHeaders);
+
+    let initiatorDomain = helpers.extractDomainFromUrl(details.url, true) || Address.EXAMPLE;
+    let isWhitelisted = requestAnalyzer.whitelistedDomains[initiatorDomain];
+    let cdnDomainsRE = new RegExp("//(" + Object.keys(mappings).map(m => m.replace(/\W/g, '\\$&')).join('|') + ")/");
+
+    if (!isWhitelisted && mimeType === "text/html") {
+        let decoder = new TextDecoder(charset);
+        let encoder = new TextEncoder();
+
+        let filter = browser.webRequest.filterResponseData(details.requestId);
+
+        //Note that this will not work if the '<script crossorigin="anonymous" src="dfgsfgd.com">' string is divided into two chunks, but we want to flush this data asap.
+        filter.ondata = evt => {
+            //remove crossorigin and integrity attributes
+            let str = decoder.decode(evt.data, {stream: true}).replace(/<(link|script)[^>]+>/ig, m => {
+                if (cdnDomainsRE.test(m))
+                    return m.replace(/\s+(integrity|crossorigin)(="[^"]*"|='[^']*'|=[^"'`=\s]+|)/ig, "");
+                return m;
+            });
+            filter.write(encoder.encode(str));
+        }
+
+        filter.onstop = evt => {
+            let str = decoder.decode(); // end-of-stream
+            filter.write(encoder.encode(str));
+            filter.close();
+        }
+    }
+};
+
 /**
  * Initializations
  */
@@ -319,30 +367,6 @@ chrome.storage.local.get(Setting.SHOW_ICON_BADGE, function (items) {
     stateManager.showIconBadge = items.showIconBadge;
 });
 
-stateManager._removeCrossoriginAndIntegrityAttr = function (details) {
-
-    // by Jaap (https://gitlab.com/Jaaap)
-    let filter = chrome.webRequest.filterResponseData(details.requestId);
-    let decoder = new TextDecoder("utf-8"); //FIXME: get content-encoding from headers
-    let encoder = new TextEncoder();
-
-    filter.ondata = evt => {
-        //remove crossorigin and integrity attributes
-        //Note that this will not work if the crossorigin="anonymous" string is divided into two chunks, but we want to flush this data asap.
-        let str = decoder.decode(evt.data, {stream: true})
-            .replace(/<(link|script)[^>]+>/ig, m => m.replace(/\s+(integrity|crossorigin)(="[^"]*"|='[^']*'|=[^"'`=\s]+|)/ig, ""));
-        filter.write(encoder.encode(str));
-    }
-
-    filter.onstop = evt => {
-        let str = decoder.decode(); // end-of-stream
-        filter.write(encoder.encode(str));
-
-        filter.close();
-    }
-}
-
-
 /**
  * Event Handlers
  */
@@ -350,9 +374,14 @@ stateManager._removeCrossoriginAndIntegrityAttr = function (details) {
 chrome.tabs.onCreated.addListener(stateManager._createTab);
 chrome.tabs.onRemoved.addListener(stateManager._removeTab);
 
+chrome.webRequest.onHeadersReceived.addListener(function (response) {
+
+        stateManager._removeCrossoriginAndIntegrityAttr(response)
+
+}, {'types': [WebRequestType.MAIN_FRAME], 'urls': [Address.ANY]}, [WebRequest.BLOCKING, WebRequest.RESPONSE_HEADERS]);
+
 chrome.webRequest.onBeforeRequest.addListener(function (requestDetails) {
 
-    stateManager._removeCrossoriginAndIntegrityAttr(requestDetails);
     if (requestDetails.tabId !== -1 && stateManager.tabs[requestDetails.tabId]) {
 
         stateManager.tabs[requestDetails.tabId].details = {