Google Git
Sign in
gerrit / gerrit-fe-dev-helper / 1a133456602942f1d0b24d62765cbed6012240f9^! / .
commit1a133456602942f1d0b24d62765cbed6012240f9[log] [tgz]
authorAntoine Musso <hashar@free.fr>Thu Mar 23 11:57:14 2023 +0100
committerAntoine Musso <hashar@free.fr>Thu Mar 23 11:57:14 2023 +0100
tree9fc8e8de116fd1533af13db4724b687c2265d597
parentaffce278661cc224f253d39d1baaf222a6fce6eb [diff]
Fix CORS preflight interception

With Chromium 111 I have noticed the built-in rule to add
`Access-Control-Allow-Origin=*` to response headers was ineffective
which can easily be worked around by emitting it from web server serving
the plugins.

The plugin I wrote fetches from a foreign resource which triggers a
preflight request. Since the browser extension always inject
`Cache-Control` the preflight request is emitted with:

    Allow-Control-Request-Headers: cache-control

The browser then expect the response to contain:

    Allow-Control-Response-Headers: cache-control

That again can be fixed via the web server until one interact with a
server they have no control on (eg a production service).

What I found out is the `addReqHeader` and `addRespHeader` functions are
not effective for preflight requests. The rules are handled listener
methods added via:
- chrome.webRequest.onBeforeRequest.addListener
- chrome.webRequest.onHeadersReceived.addListener

The WebRequest API does not intercept preflights requests, the events
are thus never fired, the listeners never kick in and none of our
extension rules are applied. This result in a cascading list of error
such as missing `Access-Control-Allow-Origin: *`.

The root cause is Chrome 79 as described on the WebRequest API page:
https://developer.chrome.com/docs/extensions/reference/webRequest/

> Starting from Chrome 79, the webRequest API *does not* intercept CORS
> preflight requests and responses by default. A CORS preflight for a
> request URL is visible to an extension if there is a listener with
> `'extraHeaders'` specified in `opt_extraInfoSpec` for the request URL.
> `onBeforeRequest` can also take 'extraHeaders' from Chrome 79.

Add the 'extraHeaders' to `onBeforeRequest` fixes the preflight
requests and cause events to be fired thus restoring the headers
injection.

Bug: Issue 16795
Change-Id: Ic25427dd65ad03d0ba8e78eebf6d23cd35134af0

diff --git a/src/background.ts b/src/background.ts
index 215fe48..549e7ab 100644
--- a/src/background.ts
+++ b/src/background.ts

@@ -52,7 +52,6 @@
   if (!TabStates.has(resp.tabId)) {
     return {responseHeaders: resp.responseHeaders};
   }
-
   const matches = rules.filter(isValidRule)
                     .filter(
                         rule => rule.operator === Operator.REMOVE_RESPONSE_HEADER
@@ -175,7 +174,7 @@
 
   // blocking or redirecting
   chrome.webRequest.onBeforeRequest.addListener(
-      onBeforeRequest, {urls: ['<all_urls>']}, ['blocking']);
+      onBeforeRequest, {urls: ['<all_urls>']}, ['blocking', 'extraHeaders']);
 
   // disabling cache
   chrome.webRequest.onBeforeSendHeaders.addListener(