From 4a81bf1af3a64c2e634d768867b9602ceb69782f Mon Sep 17 00:00:00 2001 From: Marcin Rataj Date: Sat, 4 Apr 2020 01:33:45 +0200 Subject: [PATCH] refactor: remove code for "blessing" custom webui This restores the proper way of opening webui in version provided by IPFS node. Context: Before subdomain gateway support was added, we loaded webui from gateway port. Why? API port has a hardcoded list of whitelisted webui versions and it is not possible to load non-whitelisted CID when new webui was released. To enable API access from webui loaded via Gateway port, the Companion extension removed Origin header for requests coming from its background page. This let us avoid the need for manual CORS setup, but was seen in the diff, was pretty complex process. Webui is stable now, so to decrease maintenance burden we move away from that complexity and just load version whitelisted on API port. What if someone wants to run newest webui? They can now load it from webui.ipfs.io.ipns.localhost:8080 (whitelist API access from that specific Origin by appending it to API.HTTPHeaders.Access-Control-Allow-Origin in go-ipfs config) Closes #736 --- add-on/src/lib/dnslink.js | 8 +- add-on/src/lib/ipfs-companion.js | 19 +-- add-on/src/lib/ipfs-request.js | 137 +++--------------- add-on/src/lib/precache.js | 5 +- add-on/src/lib/state.js | 20 --- package.json | 5 +- .../lib/ipfs-request-workarounds.test.js | 75 +++------- yarn.lock | 71 ++++++--- 8 files changed, 112 insertions(+), 228 deletions(-) diff --git a/add-on/src/lib/dnslink.js b/add-on/src/lib/dnslink.js index de346476d..1c695e77c 100644 --- a/add-on/src/lib/dnslink.js +++ b/add-on/src/lib/dnslink.js @@ -125,7 +125,13 @@ module.exports = function createDnslinkResolver (getState) { let apiProvider // TODO: fix DNS resolver for ipfsNodeType='embedded:chromesockets', for now use ipfs.io if (!state.ipfsNodeType.startsWith('embedded') && state.peerCount !== offlinePeerCount) { - apiProvider = state.apiURLString + // Use gw port so it can be a GET: + // Chromium does not execute onBeforeSendHeaders for synchronous calls + // made from the same extension context as onBeforeSendHeaders + // which means we are unable to fixup Origin on the fly for this + // This will no longer be needed when we switch + // to async lookup via ipfs.dns everywhere + apiProvider = state.gwURLString } else { // fallback to resolver at public gateway apiProvider = 'https://ipfs.io/' diff --git a/add-on/src/lib/ipfs-companion.js b/add-on/src/lib/ipfs-companion.js index 47ef9fa25..7b2b49858 100644 --- a/add-on/src/lib/ipfs-companion.js +++ b/add-on/src/lib/ipfs-companion.js @@ -6,7 +6,6 @@ const log = debug('ipfs-companion:main') log.error = debug('ipfs-companion:main:error') const browser = require('webextension-polyfill') -const toMultiaddr = require('uri-to-multiaddr') const pMemoize = require('p-memoize') const { optionDefaults, storeMissingOptions, migrateOptions, guiURLString } = require('./options') const { initState, offlinePeerCount } = require('./state') @@ -107,7 +106,8 @@ module.exports = async function init () { function registerListeners () { const onBeforeSendInfoSpec = ['blocking', 'requestHeaders'] if (browser.webRequest.OnBeforeSendHeadersOptions && 'EXTRA_HEADERS' in browser.webRequest.OnBeforeSendHeadersOptions) { - // Chrome 72+ requires 'extraHeaders' for access to Referer header (used in cors whitelisting of webui) + // Chrome 72+ requires 'extraHeaders' for accessing all headers + // Note: we need this for code ensuring ipfs-http-client can talk to API without setting CORS onBeforeSendInfoSpec.push('extraHeaders') } browser.webRequest.onBeforeSendHeaders.addListener(onBeforeSendHeaders, { urls: [''] }, onBeforeSendInfoSpec) @@ -385,18 +385,6 @@ module.exports = async function init () { log.error(`Unable to linkify DOM at '${details.url}' due to`, error) } } - if (details.url.startsWith(state.webuiRootUrl)) { - // Ensure API backend points at one from IPFS Companion - const apiMultiaddr = toMultiaddr(state.apiURLString) - await browser.tabs.executeScript(details.tabId, { - runAt: 'document_start', - code: `if (!localStorage.getItem('ipfsApi')) { - console.log('[ipfs-companion] Setting API to ${apiMultiaddr}'); - localStorage.setItem('ipfsApi', '${apiMultiaddr}'); - window.location.reload(); - }` - }) - } } // API STATUS UPDATES @@ -615,6 +603,7 @@ module.exports = async function init () { case 'ipfsApiUrl': state.apiURL = new URL(change.newValue) state.apiURLString = state.apiURL.toString() + state.webuiRootUrl = `${state.apiURLString}webui/` shouldRestartIpfsClient = true break case 'ipfsApiPollMs': @@ -623,8 +612,6 @@ module.exports = async function init () { case 'customGatewayUrl': state.gwURL = new URL(change.newValue) state.gwURLString = state.gwURL.toString() - // TODO: for now we load webui from API port, should we remove this? - // state.webuiRootUrl = `${state.gwURLString}ipfs/${state.webuiCid}/` break case 'publicGatewayUrl': state.pubGwURL = new URL(change.newValue) diff --git a/add-on/src/lib/ipfs-request.js b/add-on/src/lib/ipfs-request.js index 7dca61366..1814078a0 100644 --- a/add-on/src/lib/ipfs-request.js +++ b/add-on/src/lib/ipfs-request.js @@ -43,27 +43,6 @@ function createRequestModifier (getState, dnslinkResolver, ipfsPathValidator, ru const isIgnored = (id) => ignoredRequests.get(id) !== undefined const errorInFlight = new LRU({ max: 3, maxAge: 1000 }) - const acrhHeaders = new LRU(requestCacheCfg) // webui cors fix in Chrome - const originUrls = new LRU(requestCacheCfg) // request.originUrl workaround for Chrome - const originUrl = (request) => { - // Firefox and Chrome provide relevant value in different fields: - // (Firefox) request object includes full URL of origin document, return as-is - if (request.originUrl) return request.originUrl - // (Chrome) is lacking: `request.initiator` is just the origin (protocol+hostname+port) - // To reconstruct originUrl we read full URL from Referer header in onBeforeSendHeaders - // and cache it for short time - // TODO: when request.originUrl is available in Chrome the `originUrls` cache can be removed - const cachedUrl = originUrls.get(request.requestId) - if (cachedUrl) return cachedUrl - if (request.requestHeaders) { - const referer = request.requestHeaders.find(h => h.name === 'Referer') - if (referer) { - originUrls.set(request.requestId, referer.value) - return referer.value - } - } - } - // Returns a canonical hostname representing the site from url // Main reason for this is unwrapping DNSLink from local subdomain // .ipns.localhost → @@ -208,63 +187,34 @@ function createRequestModifier (getState, dnslinkResolver, ipfsPathValidator, ru // Special handling of requests made to API if (sameGateway(request.url, state.apiURL)) { - // Requests made by 'blessed' Web UI - // -------------------------------------------- - // Goal: Web UI works without setting CORS at go-ipfs - // (Without this snippet go-ipfs will return HTTP 403 due to additional origin check on the backend) - const origin = originUrl(request) - if (origin && origin.startsWith(state.webuiRootUrl)) { - // console.log('onBeforeSendHeaders', request) - // console.log('onBeforeSendHeaders.origin', origin) - // Swap Origin to pass server-side check - // (go-ipfs returns HTTP 403 on origin mismatch if there are no CORS headers) - const swapOrigin = (at) => { - request.requestHeaders[at].value = request.requestHeaders[at].value.replace(state.gwURL.origin, state.apiURL.origin) - } - let foundAt = request.requestHeaders.findIndex(h => h.name === 'Origin') - if (foundAt > -1) swapOrigin(foundAt) - foundAt = request.requestHeaders.findIndex(h => h.name === 'Referer') - if (foundAt > -1) swapOrigin(foundAt) - - // Save access-control-request-headers from preflight - foundAt = request.requestHeaders.findIndex(h => h.name && h.name.toLowerCase() === 'access-control-request-headers') - if (foundAt > -1) { - acrhHeaders.set(request.requestId, request.requestHeaders[foundAt].value) - // console.log('onBeforeSendHeaders FOUND access-control-request-headers', acrhHeaders.get(request.requestId)) - } - // console.log('onBeforeSendHeaders fixed headers', request.requestHeaders) - } - + const { requestHeaders } = request // '403 - Forbidden' fix for Chrome and Firefox // -------------------------------------------- - // We remove Origin header from requests made to API URL and WebUI - // by js-ipfs-http-client running in WebExtension context to remove need - // for manual CORS whitelisting via Access-Control-Allow-Origin at go-ipfs + // We update "Origin: *-extension://" HTTP headers in requests made to API + // by js-ipfs-http-client running in the background page of browser + // extension. Without this, some users would need to do manual CORS + // whitelisting by adding "..extension://" to + // API.HTTPHeaders.Access-Control-Allow-Origin in go-ipfs config. + // With this, API calls made by browser extension look like ones made + // by webui loaded from the API port. // More info: // Firefox: https://github.com/ipfs-shipyard/ipfs-companion/issues/622 // Chromium 71: https://github.com/ipfs-shipyard/ipfs-companion/pull/616 // Chromium 72: https://github.com/ipfs-shipyard/ipfs-companion/issues/630 - const isWebExtensionOrigin = (origin) => { - // console.log(`origin=${origin}, webExtensionOrigin=${webExtensionOrigin}`) - // Chromium <= 71 returns opaque Origin as defined in - // https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin - if (origin == null || origin === 'null') { - return true - } - // Firefox Nightly 65 sets moz-extension://{extension-installation-id} - // Chromium Beta 72 sets chrome-extension://{uid} - if (origin && + + // Firefox Nightly 65 sets moz-extension://{extension-installation-id} + // Chromium Beta 72 sets chrome-extension://{uid} + const isWebExtensionOrigin = (origin) => + origin && (origin.startsWith('moz-extension://') || - origin.startsWith('chrome-extension://')) && - new URL(origin).origin === webExtensionOrigin) { - return true - } - return false - } + origin.startsWith('chrome-extension://')) && + new URL(origin).origin === webExtensionOrigin - // Remove Origin header matching webExtensionOrigin - const foundAt = request.requestHeaders.findIndex(h => h.name === 'Origin' && isWebExtensionOrigin(h.value)) - if (foundAt > -1) request.requestHeaders.splice(foundAt, 1) + // Replace Origin header matching webExtensionOrigin with API one + const foundAt = requestHeaders.findIndex(h => h.name === 'Origin' && isWebExtensionOrigin(h.value)) + if (foundAt > -1) { + requestHeaders[foundAt].value = state.apiURL.origin + } // Fix "http: invalid Read on closed Body" // ---------------------------------- @@ -277,7 +227,7 @@ function createRequestModifier (getState, dnslinkResolver, ipfsPathValidator, ru let addExpectHeader = true const expectHeader = { name: 'Expect', value: '100-continue' } const warningMsg = 'Executing "Expect: 100-continue" workaround for ipfs.add due to https://github.com/ipfs/go-ipfs/issues/5168' - for (const header of request.requestHeaders) { + for (const header of requestHeaders) { // Workaround A: https://github.com/ipfs/go-ipfs/issues/5168#issuecomment-401417420 // (works in Firefox, but Chromium does not expose Connection header) /* (disabled so we use the workaround B in all browsers) @@ -301,12 +251,10 @@ function createRequestModifier (getState, dnslinkResolver, ipfsPathValidator, ru } if (addExpectHeader) { log(warningMsg) - request.requestHeaders.push(expectHeader) + requestHeaders.push(expectHeader) } } - } - return { - requestHeaders: request.requestHeaders + return { requestHeaders } } }, @@ -317,41 +265,6 @@ function createRequestModifier (getState, dnslinkResolver, ipfsPathValidator, ru const state = getState() if (!state.active) return - // Special handling of requests made to API - if (sameGateway(request.url, state.apiURL)) { - // Special handling of requests made by 'blessed' Web UI from local Gateway - // Goal: Web UI works without setting CORS at go-ipfs - // (This includes 'ignored' requests: CORS needs to be fixed even if no redirect is done) - const origin = originUrl(request) - if (origin && origin.startsWith(state.webuiRootUrl) && request.responseHeaders) { - // console.log('onHeadersReceived', request) - const acaOriginHeader = { name: 'Access-Control-Allow-Origin', value: state.gwURL.origin } - const foundAt = findHeaderIndex(acaOriginHeader.name, request.responseHeaders) - if (foundAt > -1) { - request.responseHeaders[foundAt].value = acaOriginHeader.value - } else { - request.responseHeaders.push(acaOriginHeader) - } - - // Restore access-control-request-headers from preflight - const acrhValue = acrhHeaders.get(request.requestId) - if (acrhValue) { - const acahHeader = { name: 'Access-Control-Allow-Headers', value: acrhValue } - const foundAt = findHeaderIndex(acahHeader.name, request.responseHeaders) - if (foundAt > -1) { - request.responseHeaders[foundAt].value = acahHeader.value - } else { - request.responseHeaders.push(acahHeader) - } - acrhHeaders.del(request.requestId) - // console.log('onHeadersReceived SET Access-Control-Allow-Headers', header) - } - - // console.log('onHeadersReceived fixed headers', request.responseHeaders) - return { responseHeaders: request.responseHeaders } - } - } - // Skip if request is marked as ignored if (isIgnored(request.requestId)) { return @@ -651,10 +564,6 @@ function normalizedUnhandledIpfsProtocol (request, pubGwUrl) { } } -function findHeaderIndex (name, headers) { - return headers.findIndex(x => x.name && x.name.toLowerCase() === name.toLowerCase()) -} - // RECOVERY OF FAILED REQUESTS // =================================================================== diff --git a/add-on/src/lib/precache.js b/add-on/src/lib/precache.js index b300ffcbf..55753fb34 100644 --- a/add-on/src/lib/precache.js +++ b/add-on/src/lib/precache.js @@ -5,12 +5,15 @@ const drain = require('pull-stream/sinks/drain') const toStream = require('it-to-stream') const tar = require('tar-stream') const CID = require('cids') -const { webuiCid } = require('./state') const debug = require('debug') const log = debug('ipfs-companion:precache') log.error = debug('ipfs-companion:precache:error') +// Web UI release that should be precached +// WARNING: do not remove this constant, as its used in package.json +const webuiCid = 'Qmexhq2sBHnXQbvyP2GfUdbnY7HCagH2Mw5vUNSBn2nxip' // v2.7.2 + const PRECACHE_ARCHIVES = [ { tarPath: '/dist/precache/webui.tar', cid: webuiCid } ] diff --git a/add-on/src/lib/state.js b/add-on/src/lib/state.js index 992271ee4..e74ff3825 100644 --- a/add-on/src/lib/state.js +++ b/add-on/src/lib/state.js @@ -4,10 +4,6 @@ const { safeURL } = require('./options') const offlinePeerCount = -1 -// CID of a 'blessed' Web UI release -// which should work without setting CORS headers -const webuiCid = 'Qmexhq2sBHnXQbvyP2GfUdbnY7HCagH2Mw5vUNSBn2nxip' // v2.7.2 - function initState (options, overrides) { // we store options and some pregenerated values to avoid async storage // reads and minimize performance impact on overall browsing experience @@ -29,21 +25,6 @@ function initState (options, overrides) { state.gwURLString = state.gwURL.toString() delete state.customGatewayUrl state.dnslinkPolicy = String(options.dnslinkPolicy) === 'false' ? false : options.dnslinkPolicy - state.webuiCid = webuiCid - - // TODO: unify the way webui is opened - // - https://github.com/ipfs-shipyard/ipfs-companion/pull/737 - // - https://github.com/ipfs-shipyard/ipfs-companion/pull/738 - // Context: previously, we loaded webui from gateway port - // (`${state.gwURLString}ipfs/${state.webuiCid}/`) because API port - // has hardcoded list of whitelisted webui versions. - // To enable API access from webui loaded from Gateway port Companion - // removed Origin header to avoid CORS, now we move away from that - // complexity and for now just load version whitelisted on API port. - // In the future, we want to load webui from $webuiCid.ipfs.localhost - // and whitelist API access from that specific hostname - // by appending it to API.HTTPHeaders.Access-Control-Allow-Origin list - // When that is possible, we can remove Origin manipulation (see PR #737 for PoC) state.webuiRootUrl = `${state.apiURLString}webui/` // attach helper functions @@ -69,4 +50,3 @@ function initState (options, overrides) { exports.initState = initState exports.offlinePeerCount = offlinePeerCount -exports.webuiCid = webuiCid diff --git a/package.json b/package.json index 7fcb2f71c..50358ad27 100644 --- a/package.json +++ b/package.json @@ -29,7 +29,7 @@ "build:bundle-all": "cross-env RELEASE_CHANNEL=${RELEASE_CHANNEL:=dev} run-s bundle:chromium bundle:brave:$RELEASE_CHANNEL bundle:firefox:$RELEASE_CHANNEL", "build:rename-artifacts": "./scripts/rename-artifacts.js", "precache:clean": "shx rm -rf add-on/dist/precache", - "precache:webui:cid": "shx grep 'const webuiCid' add-on/src/lib/state.js | shx sed \"s/^const webuiCid = '//\" | shx sed \"s/'.*$//\"", + "precache:webui:cid": "shx grep 'const webuiCid' add-on/src/lib/precache.js | shx sed \"s/^const webuiCid = '//\" | shx sed \"s/'.*$//\"", "precache:webui": "shx mkdir -p add-on/dist/precache && ipfs-or-gateway -c $(npm run -s precache:webui:cid) -p add-on/dist/precache/webui.tar --archive", "bundle": "run-s bundle:*", "bundle:chromium": "run-s precache:webui && shx cat add-on/manifest.common.json add-on/manifest.chromium.json | json --deep-merge > add-on/manifest.json && web-ext build -a build/chromium && run-s build:rename-artifacts", @@ -140,7 +140,7 @@ "ipfs-postmsg-proxy": "3.1.1", "ipfsx": "0.17.0", "is-fqdn": "1.0.1", - "is-ipfs": "https://github.com/ipfs/is-ipfs/tarball/d5717e910d864d738faf39480897342c7cbf065d/is-ipfs.tar.gz", + "is-ipfs": "1.0.0", "is-svg": "4.2.0", "it-to-stream": "0.1.1", "lru-cache": "5.1.1", @@ -158,7 +158,6 @@ "tachyons": "4.11.1", "tar-stream": "2.1.2", "timers-browserify-full": "0.0.1", - "uri-to-multiaddr": "3.0.1", "webextension-polyfill": "0.6.0", "webrtc-ips": "0.1.4" }, diff --git a/test/functional/lib/ipfs-request-workarounds.test.js b/test/functional/lib/ipfs-request-workarounds.test.js index fb9a74b97..4083aa5af 100644 --- a/test/functional/lib/ipfs-request-workarounds.test.js +++ b/test/functional/lib/ipfs-request-workarounds.test.js @@ -105,8 +105,9 @@ describe('modifyRequest processing', function () { }) }) - describe('a request to /api/v0/ with Origin=moz-extension://{extension-installation-id}', function () { - it('should remove Origin header with moz-extension://', async function () { + describe('a request to /api/v0/ made with extension:// Origin', function () { + it('should have it replaced with API one if Origin: moz-extension://{extension-installation-id}', async function () { + // Context: Firefox 65 started setting this header // set vendor-specific Origin for WebExtension context browser.runtime.getURL.withArgs('/').returns('moz-extension://0f334731-19e3-42f8-85e2-03dbf50026df/') // ensure clean modifyRequest @@ -114,19 +115,22 @@ describe('modifyRequest processing', function () { modifyRequest = createRequestModifier(getState, dnslinkResolver, ipfsPathValidator, runtime) // test const bogusOriginHeader = { name: 'Origin', value: 'moz-extension://0f334731-19e3-42f8-85e2-03dbf50026df' } + const apiOriginHeader = { name: 'Origin', value: getState().apiURL.origin } const request = { requestHeaders: [bogusOriginHeader], type: 'xmlhttprequest', url: `${state.apiURLString}api/v0/id` } modifyRequest.onBeforeRequest(request) // executes before onBeforeSendHeaders, may mutate state - expect(modifyRequest.onBeforeSendHeaders(request).requestHeaders).to.not.include(bogusOriginHeader) + expect(modifyRequest.onBeforeSendHeaders(request).requestHeaders) + .to.deep.include(apiOriginHeader) browser.runtime.getURL.flush() }) }) - describe('a request to /api/v0/ with Origin=chrome-extension://{extension-installation-id}', function () { - it('should remove Origin header with chrome-extension://', async function () { + describe('should have it removed if Origin: chrome-extension://{extension-installation-id}', function () { + it('should have it swapped with API one if Origin: with chrome-extension://', async function () { + // Context: Chromium 72 started setting this header // set vendor-specific Origin for WebExtension context browser.runtime.getURL.withArgs('/').returns('chrome-extension://trolrorlrorlrol/') // ensure clean modifyRequest @@ -134,77 +138,38 @@ describe('modifyRequest processing', function () { modifyRequest = createRequestModifier(getState, dnslinkResolver, ipfsPathValidator, runtime) // test const bogusOriginHeader = { name: 'Origin', value: 'chrome-extension://trolrorlrorlrol' } + const apiOriginHeader = { name: 'Origin', value: getState().apiURL.origin } const request = { requestHeaders: [bogusOriginHeader], type: 'xmlhttprequest', url: `${state.apiURLString}api/v0/id` } modifyRequest.onBeforeRequest(request) // executes before onBeforeSendHeaders, may mutate state - expect(modifyRequest.onBeforeSendHeaders(request).requestHeaders).to.not.include(bogusOriginHeader) + expect(modifyRequest.onBeforeSendHeaders(request).requestHeaders) + .to.deep.include(apiOriginHeader) browser.runtime.getURL.flush() }) }) describe('a request to /api/v0/ with Origin=null', function () { - it('should remove Origin header ', async function () { - // set vendor-specific Origin for WebExtension context + it('should keep the "Origin: null" header ', async function () { + // Presence of Origin header is important as it protects API from XSS via sandboxed iframe + // NOTE: Chromium <72 was setting this header in requests sent by browser extension, + // but they fixed it since then. browser.runtime.getURL.withArgs('/').returns(undefined) // ensure clean modifyRequest runtime = Object.assign({}, await createRuntimeChecks(browser)) // make it mutable for tests modifyRequest = createRequestModifier(getState, dnslinkResolver, ipfsPathValidator, runtime) // test - const bogusOriginHeader = { name: 'Origin', value: 'null' } + const nullOriginHeader = { name: 'Origin', value: 'null' } const request = { - requestHeaders: [bogusOriginHeader], + requestHeaders: [nullOriginHeader], type: 'xmlhttprequest', url: `${state.apiURLString}api/v0/id` } modifyRequest.onBeforeRequest(request) // executes before onBeforeSendHeaders, may mutate state - expect(modifyRequest.onBeforeSendHeaders(request).requestHeaders).to.not.include(bogusOriginHeader) - browser.runtime.getURL.flush() - }) - }) - - // Web UI is loaded from hardcoded 'blessed' CID, which enables us to remove - // CORS limitation. This makes Web UI opened from browser action work without - // the need for any additional configuration of go-ipfs daemon - describe('a request to API from blessed webuiRootUrl', function () { - it('should pass without CORS limitations ', async function () { - // ensure clean modifyRequest - runtime = Object.assign({}, await createRuntimeChecks(browser)) // make it mutable for tests - modifyRequest = createRequestModifier(getState, dnslinkResolver, ipfsPathValidator, runtime) - // test - const webuiOriginHeader = { name: 'Origin', value: state.webuiRootUrl } - const webuiRefererHeader = { name: 'Referer', value: state.webuiRootUrl } - // CORS whitelisting does not worh in Chrome 72 without passing/restoring ACRH preflight header - const acrhHeader = { name: 'Access-Control-Request-Headers', value: 'X-Test' } // preflight to store - - // Test request - let request = { - requestHeaders: [webuiOriginHeader, webuiRefererHeader, acrhHeader], - type: 'xmlhttprequest', - originUrl: state.webuiRootUrl, - url: `${state.apiURLString}api/v0/id` - } - request = modifyRequest.onBeforeRequest(request) || request // executes before onBeforeSendHeaders, may mutate state - const requestHeaders = modifyRequest.onBeforeSendHeaders(request).requestHeaders - - // "originUrl" should be swapped to look like it came from the same origin as HTTP API - const expectedOriginUrl = state.webuiRootUrl.replace(state.gwURLString, state.apiURLString) - expect(requestHeaders).to.deep.include({ name: 'Origin', value: expectedOriginUrl }) - expect(requestHeaders).to.deep.include({ name: 'Referer', value: expectedOriginUrl }) - expect(requestHeaders).to.deep.include(acrhHeader) - - // Test response - const response = Object.assign({}, request) - delete response.requestHeaders - response.responseHeaders = [] - const responseHeaders = modifyRequest.onHeadersReceived(response).responseHeaders - const corsHeader = { name: 'Access-Control-Allow-Origin', value: state.gwURL.origin } - const acahHeader = { name: 'Access-Control-Allow-Headers', value: acrhHeader.value } // expect value restored from preflight - expect(responseHeaders).to.deep.include(corsHeader) - expect(responseHeaders).to.deep.include(acahHeader) - + expect(modifyRequest.onBeforeSendHeaders(request).requestHeaders) + .to.deep.include(nullOriginHeader) browser.runtime.getURL.flush() }) }) diff --git a/yarn.lock b/yarn.lock index 7d3a0b077..a93cdf516 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3269,6 +3269,17 @@ cids@^0.7.1, cids@~0.7.0, cids@~0.7.1: multicodec "~0.5.1" multihashes "~0.4.14" +cids@~0.8.0: + version "0.8.0" + resolved "https://registry.yarnpkg.com/cids/-/cids-0.8.0.tgz#41bf050bc7669cc8d648e21ca834b747bf6fa673" + integrity sha512-HdKURxtSOnww3H28CJU2TauIklEBsOn+ouGl2EOnSfVCVkH6+sWTj7to2D/BmuWvwzEy2+ZIKdcIwsXHJBQVew== + dependencies: + buffer "^5.5.0" + class-is "^1.1.0" + multibase "~0.7.0" + multicodec "^1.0.1" + multihashes "~0.4.17" + cipher-base@^1.0.0, cipher-base@^1.0.1, cipher-base@^1.0.3: version "1.0.4" resolved "https://registry.yarnpkg.com/cipher-base/-/cipher-base-1.0.4.tgz#8760e4ecc272f4c363532f926d874aae2c1397de" @@ -7931,16 +7942,18 @@ is-ip@^3.1.0: dependencies: ip-regex "^4.0.0" -"is-ipfs@https://github.com/ipfs/is-ipfs/tarball/d5717e910d864d738faf39480897342c7cbf065d/is-ipfs.tar.gz": - version "0.6.3" - resolved "https://github.com/ipfs/is-ipfs/tarball/d5717e910d864d738faf39480897342c7cbf065d/is-ipfs.tar.gz#c3f2f4d5423be1bfff4712488c742eb89d5f7ac0" +is-ipfs@1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/is-ipfs/-/is-ipfs-1.0.0.tgz#bb286d9a933eee0189932ca6d762e94ca85996ea" + integrity sha512-5C2sxUZqbXH5oMovtzvM6pog0sBRdScgqMUsqVb5wSj/AdAbY1QRjd7Hpm5IGeKlWpCUTmH5Kpd1JZx0jigB2A== dependencies: bs58 "^4.0.1" - cids "~0.7.0" - mafmt "^7.0.0" - multiaddr "^7.2.1" + cids "~0.8.0" + iso-url "~0.4.7" + mafmt "^7.1.0" + multiaddr "^7.4.3" multibase "~0.7.0" - multihashes "~0.4.13" + multihashes "~0.4.19" is-ipfs@~0.4.2: version "0.4.8" @@ -8198,6 +8211,11 @@ iso-url@^0.4.4, iso-url@~0.4.4, iso-url@~0.4.6: resolved "https://registry.yarnpkg.com/iso-url/-/iso-url-0.4.6.tgz#45005c4af4984cad4f8753da411b41b74cf0a8a6" integrity sha512-YQO7+aIe6l1aSJUKOx+Vrv08DlhZeLFIVfehG2L29KLSEb9RszqPXilxJRVpp57px36BddKR5ZsebacO5qG0tg== +iso-url@~0.4.7: + version "0.4.7" + resolved "https://registry.yarnpkg.com/iso-url/-/iso-url-0.4.7.tgz#de7e48120dae46921079fe78f325ac9e9217a385" + integrity sha512-27fFRDnPAMnHGLq36bWTpKET+eiXct3ENlCcdcMdk+mjXrb2kw3mhBUg1B7ewAC0kVzlOPhADzQgz1SE6Tglog== + isobject@^2.0.0: version "2.1.0" resolved "https://registry.yarnpkg.com/isobject/-/isobject-2.1.0.tgz#f065561096a3f1da2ef46272f815c840d87e0c89" @@ -9746,7 +9764,7 @@ mafmt@^6.0.10: dependencies: multiaddr "^6.1.0" -mafmt@^7.0.0: +mafmt@^7.1.0: version "7.1.0" resolved "https://registry.yarnpkg.com/mafmt/-/mafmt-7.1.0.tgz#4126f6d0eded070ace7dbbb6fb04977412d380b5" integrity sha512-vpeo9S+hepT3k2h5iFxzEHvvR0GPBx9uKaErmnRzYNcaKb03DgOArjEMlgG4a9LcuZZ89a3I8xbeto487n26eA== @@ -10364,7 +10382,7 @@ multiaddr-to-uri@^4.0.1: dependencies: multiaddr "^6.0.3" -multiaddr@6.1.0, multiaddr@^4.0.0, multiaddr@^5.0.0, multiaddr@^6.0.3, multiaddr@^6.0.4, multiaddr@^6.0.6, multiaddr@^6.1.0, multiaddr@^6.1.1, multiaddr@^7.2.1, multiaddr@^7.3.0: +multiaddr@6.1.0, multiaddr@^4.0.0, multiaddr@^5.0.0, multiaddr@^6.0.3, multiaddr@^6.0.4, multiaddr@^6.0.6, multiaddr@^6.1.0, multiaddr@^6.1.1, multiaddr@^7.3.0, multiaddr@^7.4.3: version "6.1.0" resolved "https://registry.yarnpkg.com/multiaddr/-/multiaddr-6.1.0.tgz#1f93afce58a33db5cc32a5917d8a14105d94330e" integrity sha512-+XTP3OzG2m6JVcjxA9QBmGDr0Vk8WwnohC/fCC3puXb5qJqfJwLVJLEtdTc6vK7ri/hw+Nn4wyT4LkZaPnvGfQ== @@ -10389,14 +10407,7 @@ multiaddr@7.2.1: is-ip "^3.1.0" varint "^5.0.0" -multibase@~0.6.0: - version "0.6.0" - resolved "https://registry.yarnpkg.com/multibase/-/multibase-0.6.0.tgz#0216e350614c7456da5e8e5b20d3fcd4c9104f56" - integrity sha512-R9bNLQhbD7MsitPm1NeY7w9sDgu6d7cuj25snAWH7k5PSNPSwIQQBpcpj8jx1W96dLbdigZqmUWOdQRMnAmgjA== - dependencies: - base-x "3.0.4" - -multibase@~0.7.0: +multibase@^0.7.0, multibase@~0.7.0: version "0.7.0" resolved "https://registry.yarnpkg.com/multibase/-/multibase-0.7.0.tgz#1adfc1c50abe05eefeb5091ac0c2728d6b84581b" integrity sha512-TW8q03O0f6PNFTQDvh3xxH03c8CjGaaYrjkl9UQPG6rz53TQzzxJVCIWVjzcbN/Q5Y53Zd0IBQBMVktVgNx4Fg== @@ -10404,6 +10415,13 @@ multibase@~0.7.0: base-x "^3.0.8" buffer "^5.5.0" +multibase@~0.6.0: + version "0.6.0" + resolved "https://registry.yarnpkg.com/multibase/-/multibase-0.6.0.tgz#0216e350614c7456da5e8e5b20d3fcd4c9104f56" + integrity sha512-R9bNLQhbD7MsitPm1NeY7w9sDgu6d7cuj25snAWH7k5PSNPSwIQQBpcpj8jx1W96dLbdigZqmUWOdQRMnAmgjA== + dependencies: + base-x "3.0.4" + multicast-dns@^7.2.0: version "7.2.0" resolved "https://registry.yarnpkg.com/multicast-dns/-/multicast-dns-7.2.0.tgz#7aa49a7efba931a346011aa02e7d1c314a65ac77" @@ -10412,6 +10430,14 @@ multicast-dns@^7.2.0: dns-packet "^4.0.0" thunky "^1.0.2" +multicodec@^1.0.1: + version "1.0.1" + resolved "https://registry.yarnpkg.com/multicodec/-/multicodec-1.0.1.tgz#4e2812d726b9f7c7d615d3ebc5787d36a08680f9" + integrity sha512-yrrU/K8zHyAH2B0slNVeq3AiwluflHpgQ3TAzwNJcuO2AoPyXgBT2EDkdbP1D8B/yFOY+S2hDYmFlI1vhVFkQw== + dependencies: + buffer "^5.5.0" + varint "^5.0.0" + multicodec@~0.5.0, multicodec@~0.5.1, multicodec@~0.5.3: version "0.5.3" resolved "https://registry.yarnpkg.com/multicodec/-/multicodec-0.5.3.tgz#b1ef71a55d0698c9b2d89585f66e4b081f33c20c" @@ -10434,6 +10460,15 @@ multihashes@~0.4.12, multihashes@~0.4.13, multihashes@~0.4.14, multihashes@~0.4. bs58 "^4.0.1" varint "^5.0.0" +multihashes@~0.4.17, multihashes@~0.4.19: + version "0.4.19" + resolved "https://registry.yarnpkg.com/multihashes/-/multihashes-0.4.19.tgz#d7493cf028e48747122f350908ea13d12d204813" + integrity sha512-ej74GAfA20imjj00RO5h34aY3pGUFyzn9FJZFWwdeUHlHTkKmv90FrNpvYT4jYf1XXCy5O/5EjVnxTaESgOM6A== + dependencies: + buffer "^5.5.0" + multibase "^0.7.0" + varint "^5.0.0" + multihashing-async@^0.8.0, multihashing-async@~0.8.0: version "0.8.0" resolved "https://registry.yarnpkg.com/multihashing-async/-/multihashing-async-0.8.0.tgz#a99049160be9bde6681fe93ef15e0e2496341d7d" @@ -14965,7 +15000,7 @@ uri-js@^4.2.2: dependencies: punycode "^2.1.0" -uri-to-multiaddr@3.0.1, uri-to-multiaddr@^3.0.1: +uri-to-multiaddr@^3.0.1: version "3.0.1" resolved "https://registry.yarnpkg.com/uri-to-multiaddr/-/uri-to-multiaddr-3.0.1.tgz#460bd5d78074002c47b60fdc456efd009e7168ae" integrity sha512-77slJiNB/IxM35zgflBEgp8T8ywpyYAbEh8Ezdnq7kAuA6TRg6wfvNTi4Uixfh6CsPv9K2fAkI5+E4C2dw3tXA==