Skip to content
This repository has been archived by the owner on Nov 6, 2023. It is now read-only.

Add upgrade-insecure-requests to responseHeaders in HTTP Nowhere Mode #14600

Merged
merged 5 commits into from
Feb 15, 2018
Merged

Add upgrade-insecure-requests to responseHeaders in HTTP Nowhere Mode #14600

merged 5 commits into from
Feb 15, 2018

Conversation

cschanaj
Copy link
Collaborator

@cschanaj cschanaj commented Feb 11, 2018

cc @Hainish @gloomy-ghost It would be really great to see this in the next release.

TEST CASES

  1. CSP Exists, Contains upgrade-insecure-requests directive
  1. CSP Exists, Not Contains upgrade-insecure-requests directive
  1. CSP Not Exists, With mixed content
  1. CSP Not Exists, Without mixed content

Follow up: Should we modify the CORS headers as well??

Close #8506 Close cschanaj/https-everywhere/pull/13

@Bisaloo
Copy link
Collaborator

Bisaloo commented Feb 11, 2018

Built and tested with http://www.gsu.edu/about/. Good job! 👍

@ghost
Copy link

ghost commented Feb 13, 2018

@cschanaj If Content-Security-Policy header already exists, you should modify it instead of adding a new one.

@ghost
Copy link

ghost commented Feb 13, 2018

@cschanaj I've created a PR in your repo. Check it out.

@cschanaj
Copy link
Collaborator Author

@epicminecrafting is there any new feature in the code you proposed? since the code is relatively short, I am not going to bother with the coding style here.

@ghost
Copy link

ghost commented Feb 13, 2018

@cschanaj Just minor fixes, like appending instead of prepending and simpler and faster case-ignoring comparision.

@Hainish
Copy link
Member

Hainish commented Feb 14, 2018

@cschanaj I can review as-is or wait for you to merge @epicminecrafting's changes. Please advise.

@cschanaj
Copy link
Collaborator Author

@Hainish Please review this as-is. thanks!

* @param details details for the chrome.webRequest (see chrome doc)
*/
function onHeadersReceived(details) {
if (isExtensionEnabled && httpNowhereOn) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There may be a wild edge case here. In

const shouldCancel = httpNowhereOn &&
uri.protocol === 'http:' &&
uri.hostname.slice(-6) !== '.onion' &&
uri.hostname !== 'localhost' &&
!/^127(\.[0-9]{1,3}){3}$/.test(canonical_host) &&
!/^0\.0\.0\.0$/.test(canonical_host) &&
uri.hostname !== '[::1]';
, we specifically allow .onion URLs that do not have HTTPS in HTTP Nowhere mode. If a .onion URL serves only one page in HTTPS, and the rest are over HTTP, landing on that page with this logic will cause the client to make unreachable upgraded requests over HTTPS.

As I said, it's a pretty far-fetched edge case (why would a .onion site have a TLS configuration like that?) but it is possible, and probably worth accounting for.

Copy link
Collaborator Author

@cschanaj cschanaj Feb 14, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. Since .onion requests are encrypted anyway, IMHO we shall exclude them from the HTTPS upgrades, see e4b17e8

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think requests to non-.onion websites should still be upgraded if they were made from .onion website.

// See https://github.com/EFForg/https-everywhere/pull/14600#discussion_r168072480
const uri = new URL(details.url);
if (uri.hostname.slice(-6) == '.onion') {
return {responseHeaders: details.responseHeaders};
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return {};

return {responseHeaders: details.responseHeaders};
}

for (const idx in details.responseHeaders) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't use a for loop, use find function.

@cschanaj
Copy link
Collaborator Author

cschanaj commented Feb 14, 2018

As per the Chrome's docs in https://developer.chrome.com/extensions/webRequest#type-HttpHeaders

... Only return responseHeaders if you really want to modify the headers in order to limit the number of conflicts (only one extension may modify responseHeaders for each request).

@epicminecrafting fixed in 9541530; as for loop vs find, I don't think there is much difference. Thanks anyway.

@ghost
Copy link

ghost commented Feb 14, 2018

@cschanaj There is, declarative programming over imperative one.

@Hainish Hainish merged commit 8e97e50 into EFForg:master Feb 15, 2018
@Hainish
Copy link
Member

Hainish commented Feb 15, 2018

Thank you!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants