fix vulnerability

Accidentally introduced in 0.8.0, as part of the mechanism that handles non-standard redirections to HTTP (#24). Without this fix, a malicious endpoint with a valid certificate could trick the extension into adding a site of its choice to the ignore list. 0.8.0 went live about a month ago, and this vulnerability is not known to have been exploited during that period.
claustromaniac · Jul 13, 2019 · 68b8631 · 68b8631
1 parent 1215334
commit 68b8631
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 15 deletions.
diff --git a/src/bg/webRequest.js b/src/bg/webRequest.js
@@ -69,17 +69,16 @@ webReq.onBeforeRequest.addListener(d => {
 		!isReservedAddress(url.hostname)
 	) {
 		if (tabsData[d.tabId].loading) {
-			ignore(url.hostname);
+			ignore(tabsData[d.tabId].loading);
 			delete tabsData[d.tabId].loading;
-		} else {
-			url.protocol = 'https:';
-			processed.add(url.hostname);
-			stackCleaner.run();
-			if (sAPI.maxWait) tabsData[d.tabId].timerID = setTimeout(() => {
-				downgrade(url, d);
-			}, sAPI.maxWait*1000);
-			return {redirectUrl: url.toString()}
 		}
+		url.protocol = 'https:';
+		processed.add(url.hostname);
+		stackCleaner.run();
+		if (sAPI.maxWait) tabsData[d.tabId].timerID = setTimeout(() => {
+			downgrade(url, d);
+		}, sAPI.maxWait*1000);
+		return {redirectUrl: url.toString()}
 	}
 }, filter, ['blocking']);
 
@@ -114,8 +113,10 @@ webReq.onBeforeRedirect.addListener(d => {
 }, filter);
 
 webReq.onResponseStarted.addListener(d => {
+	// triggered when an https response starts
+	// required only as part of the mechanism that detects non-standard redirections to http
 	const url = new URL(d.url);
-	if (processed.has(url.hostname)) tabsData[d.tabId].loading = true;
+	if (processed.has(url.hostname)) tabsData[d.tabId].loading = url.hostname;
 }, sfilter);
 
 webReq.onCompleted.addListener(d => {

diff --git a/src/cs.js b/src/cs.js
@@ -1,8 +1,6 @@
 (() => {
 	'use strict';
-	window.addEventListener('load', e => {
-		browser.runtime.sendMessage({
-			tabLoaded: true
-		});
+	browser.runtime.sendMessage({
+		tabLoaded: true
 	});
 })();
diff --git a/src/manifest.json b/src/manifest.json
@@ -17,7 +17,7 @@
 		{
 			"matches": ["https://*/*"],
 			"js": ["cs.js"],
-			"run_at": "document_start"
+			"run_at": "document_end"
 		}
 	],
 	"description": "Zapping those inZecure connections into sublime submission since ~2018.",