Expand tracker blocking test to include redirected tracker and reques…

…t from two frames deep. (#105)
duckduckgo · Nov 10, 2022 · 7de1e1f · 7de1e1f
1 parent 6f5e31a
commit 7de1e1f
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 1 deletion.
diff --git a/privacy-protections/request-blocking/frame.html b/privacy-protections/request-blocking/frame.html
@@ -18,7 +18,7 @@
                     })
                     .catch(e => {
                         window.parent.postMessage('frame fetch failed', '*');
-                    })
+                    });
             }
         };
 

diff --git a/privacy-protections/request-blocking/main.js b/privacy-protections/request-blocking/main.js
@@ -381,6 +381,33 @@ const tests = [
             }
         }
     },
+    {
+        category: 'other',
+        id: 'iframe-fetch-depth-2',
+        description: 'Try requesting data from two frames deep (iframe within an iframe).',
+        html: `<iframe src='./middleframe.html?${random}' style='width:100px' id='html-iframe-depth-2-fetch-test'></iframe>`,
+        checkAsync: (callback) => {
+            const item = document.querySelector('#html-iframe-depth-2-fetch-test');
+
+            if (item) {
+                item.addEventListener('load', () => {
+                    item.contentWindow.postMessage({ action: 'fetch', url: `${TRACKER_RESOURCES_URL}/fetch.json?iframe-depth-2-${Math.random()}` });
+                });
+
+                const onMessage = msg => {
+                    if (msg.data.includes('frame fetch loaded')) {
+                        callback('loaded');
+                        window.removeEventListener('message', onMessage);
+                    } else if (msg.data.includes('frame fetch failed')) {
+                        callback('failed');
+                        window.removeEventListener('message', onMessage);
+                    }
+                };
+
+                window.addEventListener('message', onMessage);
+            }
+        }
+    },
     {
         category: 'other',
         id: 'webworker-fetch',
@@ -465,6 +492,26 @@ const tests = [
 
             observer.observe({ entryTypes: ['resource', 'navigation'] });
         }
+    },
+    {
+        category: 'other',
+        id: 'redirected-fetch',
+        description: 'Try requesting tracker via redirect through a safe domain.',
+        checkAsync: (callback) => {
+            const url = new URL('/redirect', location.href);
+            url.searchParams.append('destination', `${TRACKER_RESOURCES_URL}/fetch.json?redirected-${random}`);
+
+            fetch(url)
+                .then(r => r.json())
+                .then(data => {
+                    if (data.data.includes('fetch loaded')) {
+                        callback('loaded');
+                    }
+                })
+                .catch(e => {
+                    callback('failed');
+                });
+        }
     }
 ];
 

diff --git a/privacy-protections/request-blocking/middleframe.html b/privacy-protections/request-blocking/middleframe.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Middleframe Test</title>
+</head>
+<body>
+    <script>
+        const iframe = document.createElement('iframe');
+        iframe.src = `./frame.html?${Math.random()}`;
+
+        const onMessage = msg => {
+            if (msg.data.action && msg.data.action === 'fetch') {
+                iframe.addEventListener('load', () => {
+                    // pass message from upper frame to lower frame
+                    iframe.contentWindow.postMessage({ action: 'fetch', url: msg.data.url });
+                });
+                document.body.appendChild(iframe);
+            } else if (msg.data && (msg.data.includes('frame fetch loaded') || msg.data.includes('frame fetch failed'))) {
+                // pass message from lower frame to upper frame
+                window.parent.postMessage(msg.data, '*');
+                window.removeEventListener('message', onMessage);
+            }
+        };
+
+        window.addEventListener('message', onMessage);
+    </script>
+</body>
+</html>
diff --git a/server.js b/server.js
@@ -231,6 +231,22 @@ app.get('/come-back', (req, res) => {
 </html>`);
 });
 
+const REDIRECT_ALLOWLIST = ['bad.third-party.site'];
+
+app.get('/redirect', (req, res) => {
+    const destination = req.query.destination;
+
+    if (!REDIRECT_ALLOWLIST.find(allowHost => destination.startsWith('https://' + allowHost + '/'))) {
+        res.statusCode = 403;
+        res.end();
+        return;
+    }
+
+    res.set('Location', destination);
+    res.statusCode = 307;
+    res.end();
+});
+
 const blockingRoutes = require('./privacy-protections/request-blocking/server/routes');
 app.use('/block-me', blockingRoutes);
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,7 +18,7 @@ @@
                         })
                         .catch(e => {
                             window.parent.postMessage('frame fetch failed', '*');
-                        })
+                        });
                 }
             };
@@ Expand Down @@