From e6a5de1683f7eb8fdeeb944f4de170b06b44941a Mon Sep 17 00:00:00 2001 From: Raymond Hill Date: Tue, 6 Mar 2018 12:24:48 -0500 Subject: [PATCH] Guard web accessible resources from direct access by outside world With Chromium-based browsers, web pages can access directly Decentraleyes' web accessible resources, and thus detect whether Decentraleyes is used by a visitor. This potentially adds one bit of information to fingerprinting. See: "Discovering Browser Extensions via Web Accessible Resources" www.cse.chalmers.se/~andrei/codaspy17.pdf Proof-of-concept: https://jsfiddle.net/fuqrudcs/ The change here is to use a secret when accessing a web accessible resource. If the secret is not present when the resource is fetched by the browser, the behavior will be the same as if the resource is not web accessible. When Decentraleyes redirects a request to one of its web accessible resources, the secret is appended at the end of the local URL as a query parameter. The secret is generated at runtime when Decentraleyes is launched. --- core/interceptor.js | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/core/interceptor.js b/core/interceptor.js index b8a06cb..7beff4f 100644 --- a/core/interceptor.js +++ b/core/interceptor.js @@ -111,7 +111,7 @@ interceptor._handleMissingCandidate = function (requestUrl) { requestUrl = requestUrlSegments.toString(); return { - 'redirectUrl': requestUrl + 'redirectUrl': requestUrl + interceptor.warSecret }; } else { @@ -147,3 +147,22 @@ chrome.storage.local.get([Setting.AMOUNT_INJECTED, Setting.BLOCK_MISSING], funct */ chrome.storage.onChanged.addListener(interceptor._handleStorageChanged); + +/** + * Guard web accessible resources from direct access by web pages + */ + +interceptor.warSecret = '?_=' + + Math.floor(Math.random() * 982451653 + 982451653).toString(36) + + Math.floor(Math.random() * 982451653 + 982451653).toString(36); + +chrome.webRequest.onBeforeRequest.addListener( + function(requestDetails) { + + if (!requestDetails.url.endsWith(interceptor.warSecret)) { + return { redirectUrl: chrome.runtime.getURL('/') }; + } + }, + {'urls': [chrome.runtime.getURL('/') + 'resources/*']}, + [WebRequest.BLOCKING] +);