Commit 0ffa51ee authored by spenibus's avatar spenibus

activation whitelist fully implemented

parent b5351c72
......@@ -32,13 +32,18 @@ A basic [CORS][6] test is available in the repository at `./_test/cors-everywher
Intended for developers. Use at your own risk.
Preferences
-----------
Options
-------
Available in about:addons.
- `enabledAtStartup` : Enables this addon on startup
- `staticOrigin` : Forces the value of the `Origin` header
- `Enabled at startup`
Enables this addon on startup.
- `Force value of "access-control-allow-origin"`
Self explanatory.
- `Activation whitelist`
When the addon is enabled, this will check the origin url against the whitelist
to decide if headers will be modified. Uses regular expressions.
FAQ
......
......@@ -192,74 +192,100 @@ var spenibus_corsEverywhere = {
// get transaction
let transaction = spenibus_corsEverywhere.transactions[response.requestId];
// store transaction response
transaction.response = response;
// processing flag
let doProcess = true;
// shorthand access to response headers
for(let header of response.responseHeaders) {
transaction.responseHeaders[header.name.toLowerCase()] = header;
}
// check activation whitelist
if(spenibus_corsEverywhere.activationWhitelistEnabled) {
// create response headers if necessary
for(let name of [
'access-control-allow-origin'
,'access-control-allow-methods'
,'access-control-allow-headers'
,'access-control-allow-credentials'
]) {
// header exists, skip
if(transaction.responseHeaders[name]) {
continue;
}
// disable flag
doProcess = false;
// create header
let header = {
name : name
,value : "null"
};
for(let filter of spenibus_corsEverywhere.prefs.activationWhitelist) {
// update response
transaction.response.responseHeaders.push(header)
// looks like I don't need to do any escaping, cool
let pattern = filter.match(/^\/(.*)\/([a-z]*)$/i);
pattern = new RegExp(pattern[1], pattern[2]);
// update shorthand
transaction.responseHeaders[name] = header;
// stop at first match, enable f1ag
if(transaction.request.originUrl.match(pattern)) {
doProcess = true;
break;
}
}
}
// set "access-control-allow-origin", prioritize "origin" else "*"
transaction.responseHeaders['access-control-allow-origin'].value =
transaction.requestHeaders['origin']
&& transaction.requestHeaders['origin'].value !== null
? transaction.requestHeaders['origin'].value
: '*';
// set "access-control-allow-methods"
if(
transaction.requestHeaders['access-control-request-method']
&& transaction.requestHeaders['access-control-request-method'].value !== null
) {
transaction.responseHeaders['access-control-allow-methods'].value =
transaction.requestHeaders['access-control-request-method'].value
}
// modify the headers
if(doProcess) {
// set "access-control-allow-headers"
if(
transaction.requestHeaders['access-control-request-headers']
&& transaction.requestHeaders['access-control-request-headers'].value !== null
) {
transaction.responseHeaders['access-control-allow-headers'].value =
transaction.requestHeaders['access-control-request-headers'].value
}
// store transaction response
transaction.response = response;
// shorthand access to response headers
for(let header of response.responseHeaders) {
transaction.responseHeaders[header.name.toLowerCase()] = header;
}
// set "access-control-allow-credentials"
transaction.responseHeaders['access-control-allow-credentials'].value = "true";
// create response headers if necessary
for(let name of [
'access-control-allow-origin'
,'access-control-allow-methods'
,'access-control-allow-headers'
,'access-control-allow-credentials'
]) {
// header exists, skip
if(transaction.responseHeaders[name]) {
continue;
}
// create header
let header = {
name : name
,value : "null"
};
// update response
transaction.response.responseHeaders.push(header)
// update shorthand
transaction.responseHeaders[name] = header;
}
// set "access-control-allow-origin", prioritize "origin" else "*"
transaction.responseHeaders['access-control-allow-origin'].value =
transaction.requestHeaders['origin']
&& transaction.requestHeaders['origin'].value !== null
? transaction.requestHeaders['origin'].value
: '*';
// set "access-control-allow-methods"
if(
transaction.requestHeaders['access-control-request-method']
&& transaction.requestHeaders['access-control-request-method'].value !== null
) {
transaction.responseHeaders['access-control-allow-methods'].value =
transaction.requestHeaders['access-control-request-method'].value
}
// set "access-control-allow-headers"
if(
transaction.requestHeaders['access-control-request-headers']
&& transaction.requestHeaders['access-control-request-headers'].value !== null
) {
transaction.responseHeaders['access-control-allow-headers'].value =
transaction.requestHeaders['access-control-request-headers'].value
}
// set "access-control-allow-credentials"
transaction.responseHeaders['access-control-allow-credentials'].value = "true";
}
// delete transaction
delete spenibus_corsEverywhere.transactions[response.requestId];
// apply modifications
// return headers
return {
responseHeaders: transaction.response.responseHeaders
,statusCode : 777
};
}
};
......
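Review bot: The new whitelist loop in this hunk (`let pattern = filter.match(/^\/(.*)\/([a-z]*)$/i);` followed by `pattern[1]`) throws a TypeError for any filter line that is not written as `/pattern/flags`, and `new RegExp(pattern[1], pattern[2])` throws on an invalid pattern or an unknown flag, so a single bad line in the options textarea breaks the listener for every response. Because the throw happens before `delete spenibus_corsEverywhere.transactions[response.requestId]`, the transaction entry is also never released. I would skip unparsable filters instead of throwing, and guard `transaction.request.originUrl` before calling `.match` on it, since I believe Firefox leaves `originUrl` undefined for requests with no originating document — worth confirming against the webRequest docs. Compiling the filters once when preferences are loaded, rather than on every response, would avoid the repeated `new RegExp` in a per-response callback, and the options text could warn that an unanchored pattern matches anywhere in the URL. The enclosing response-header handler starts before this hunk.
```javascript
    doProcess = false;
    for (let filter of spenibus_corsEverywhere.prefs.activationWhitelist) {
        // only "/pattern/flags" lines are accepted; skip anything else
        let parts = filter.match(/^\/(.*)\/([a-z]*)$/i);
        if (!parts) {
            continue;
        }
        let pattern;
        try {
            pattern = new RegExp(parts[1], parts[2]);
        } catch (e) {
            continue; // invalid pattern or flags: ignore this filter
        }
        // originUrl may be absent for some requests; treat that as no match
        let originUrl = transaction.request.originUrl;
        if (originUrl && originUrl.match(pattern)) {
            doProcess = true;
            break;
        }
    }
    // … unchanged: header creation and modification, transaction delete, return …
```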
......@@ -2,7 +2,7 @@
"manifest_version" : 2
,"name" : "CORS Everywhere"
,"version" : "18.5.23.1849"
,"version" : "18.5.30.1840"
,"author" : "spenibus"
,"description" : "Bypass CORS restrictions by altering http responses."
......
......@@ -22,12 +22,13 @@
<input type="text" id="staticOrigin" placeholder="disabled">
</fieldset>
<fieldset>
<legend>Activation whitelist [UNDER DEVELOPMENT]</legend>
<legend>Activation whitelist</legend>
<div>
Specify on which host url the addon will activate.
Specify on which origin url the addon will activate.
Default is empty and activates everywhere.
One filter per line.
This uses regular expressions (ex: /^https?...localhost:8080\//i).
The addon must still be enabled first.
</div>
<textarea rows="5" style="width:100%;" placeholder="no filter" id="activationWhitelist"></textarea>
</fieldset>
......