Handle sites that pull globals from an iframe

Also improve fixUrl and make it's test run with the rest of the tests

Author: nfriedly

examples/express/server.js

@@ -14,7 +14,7 @@ app.get("/", (req, res) =>
 );
 
 // start the server and allow unblocker to proxy websockets:
-app.listen(8080).on("upgrade", unblocker.onUpgrade);
+app.listen(process.env.PORT || 8080).on("upgrade", unblocker.onUpgrade);
 // or
 // const http = require("http");
 // const server = http.createServer(app);

lib/client-scripts.js

@@ -21,10 +21,6 @@ module.exports = function ({ prefix }) {
     maxAge: "10m",
   };
 
-  const INJECTION_SNIPET = `
-<script>var unblocker=${JSON.stringify({ prefix })}</script>
-<script src="${clientScriptPathWeb}"></script>`;
-
   function server(req, res, next) {
     if (req.url === clientScriptPathWeb) {
       send(req, clientScriptPathFs, sendOpts).pipe(res);
@@ -33,30 +29,33 @@ module.exports = function ({ prefix }) {
     next();
   }
 
-  function createStream() {
-    return new Transform({
-      decodeStrings: false,
-      transform: function (chunk, encoding, next) {
-        // todo: only inject once (maybe make an "injects into head" helper)
-        var updated = chunk
-          .toString()
-          .replace(/(<head[^>]*>)/i, "$1" + INJECTION_SNIPET + "\n");
-        this.push(updated, "utf8");
-        next();
-      },
-    });
-  }
-
   function injector(data) {
     if (contentTypes.html.includes(data.contentType)) {
-      data.stream = data.stream.pipe(createStream());
+      data.stream = data.stream.pipe(
+        new Transform({
+          decodeStrings: false,
+          transform: function (chunk, encoding, next) {
+            // todo: only inject once (maybe make an "injects into head" helper)
+            var updated = chunk.toString().replace(
+              /(<head[^>]*>)/i,
+              `$1
+<script src="${clientScriptPathWeb}"></script>
+<script>unblockerInit(${JSON.stringify({
+                prefix,
+                url: data.url,
+              })}, window);</script>
+`
+            );
+            this.push(updated, "utf8");
+            next();
+          },
+        })
+      );
     }
   }
 
-  injector.createStream = createStream;
   return {
     server,
     injector,
-    createStream, // for testing
   };
 };

lib/client/unblocker-client.js

@@ -1,32 +1,50 @@
-(function (exports) {
+(function (global) {
   "use strict";
-  /*global unblocker*/
 
   // todo:
-  // - fetch
-  // - history API
   // - postMessage
   // - open
   // - split each part into separate files (?)
   // - wrap other JS and provide proxies to fix writes to window.location and document.cookie
   //   - will require updating contentTypes.html.includes(data.contentType) to include js
   //   - that, in turn will require decompressing js....
+  // call() and apply() on `this || original_thing`
+  // prevent a failure in one initializer from stopping subsequent initializers
+
+  function fixUrl(urlStr, config, location) {
+    var currentRemoteHref;
+    if (location.pathname.substr(0, config.prefix.length) === config.prefix) {
+      currentRemoteHref =
+        location.pathname.substr(config.prefix.length) +
+        location.search +
+        location.hash;
+    } else {
+      // in case sites (such as youtube) manage to bypass our history wrapper
+      currentRemoteHref = config.url;
+    }
 
-  console.log("begin unblocker client scripts", unblocker);
+    // check if it's already proxied (root-relative)
+    if (urlStr.substr(0, config.prefix.length) === config.prefix) {
+      return urlStr;
+    }
 
-  function fixUrl(target, prefix, location) {
-    var currentRemoteHref =
-      location.pathname.substr(prefix.length) + location.search + location.hash;
-    var url = new URL(target, currentRemoteHref);
+    var url = new URL(urlStr, currentRemoteHref);
 
-    //todo: handle already proxied urls (will be important for checking current dom)
+    // check if it's already proxied (absolute)
+    if (
+      url.origin === location.origin &&
+      url.pathname.substr(0, config.prefix.length) === config.prefix
+    ) {
+      return urlStr;
+    }
 
-    // don't break data: urls
-    if (url.protocol === "data:") {
-      return target;
+    // don't break data: urls, about:blank, etc
+    // todo: do modify ws: and wss: protocols
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+      return urlStr;
     }
 
-    // sometimes websites are tricky
+    // sometimes websites are tricky and use the current host or hostname + a relative url
     // check hostname (ignoring port)
     if (url.hostname === location.hostname) {
       var currentRemoteUrl = new URL(currentRemoteHref);
@@ -36,47 +54,101 @@
       url.protocol = currentRemoteUrl.protocol;
       // todo: handle websocket protocols
     }
-    return prefix + url.href;
+    return config.prefix + url.href;
   }
 
-  function initXMLHttpRequest(config) {
-    var _XMLHttpRequest = XMLHttpRequest;
+  function initXMLHttpRequest(config, window) {
+    if (!window.XMLHttpRequest) return;
+    var _XMLHttpRequest = window.XMLHttpRequest;
 
     window.XMLHttpRequest = function (opts) {
       var xhr = new _XMLHttpRequest(opts);
       var _open = xhr.open;
       xhr.open = function () {
         var args = Array.prototype.slice.call(arguments);
-        args[1] = fixUrl(args[1], config.prefix, location);
+        args[1] = fixUrl(args[1], config, location);
         return _open.apply(xhr, args);
       };
       return xhr;
     };
   }
 
-  function initCreateElement(config) {
-    var prefix = config.prefix;
-    var _createElement = document.createElement;
-
-    document.createElement = function (tagName, options) {
-      var element = _createElement.call(document, tagName, options);
-      // todo: whitelist elements with href or src attributes and only check those
-      setTimeout(function () {
-        if (element.src) {
-          element.src = fixUrl(element.src, prefix, location);
-        }
-        if (element.href) {
-          element.href = fixUrl(element.href, prefix, location);
-        }
-        // todo: support srcset and ..?
-      }, 0);
-      // todo: handle urls that aren't set immediately
+  function initFetch(config, window) {
+    if (!window.fetch) return;
+    var _fetch = window.fetch;
+
+    window.fetch = function (resource, init) {
+      if (resource.url) {
+        resource.url = fixUrl(resource.url, config, location);
+      } else {
+        resource = fixUrl(resource.toString(), config, location);
+      }
+      return _fetch(resource, init);
+    };
+  }
+
+  function initCreateElement(config, window) {
+    if (!window.document || !window.document.createElement) return;
+    var _createElement = window.document.createElement;
+
+    window.document.createElement = function (tagName, options) {
+      if (tagName.toLowerCase() === "iframe") {
+        initAppendBodyIframe(config, window);
+      }
+      var element = _createElement.call(window.document, tagName, options);
+      Object.defineProperty(element, "src", {
+        set: function (src) {
+          delete element.src; // remove this setter so we don't get stuck in an infinite loop
+          element.src = fixUrl(src, config, location);
+        },
+        configurable: true,
+      });
+      Object.defineProperty(element, "href", {
+        set: function (href) {
+          delete element.href; // remove this setter so we don't get stuck in an infinite loop
+          element.href = fixUrl(href, config, location);
+        },
+        configurable: true,
+      });
+      // todo: consider restoring the setter in case the client js changes the value later...
+      // todo: support srcset
       return element;
     };
   }
 
-  function initWebsockets(config) {
-    var _WebSocket = WebSocket;
+  // js on some sites, such as youtube, uses an iframe to grab native APIs such as history, so we need to fix those also.
+  // document.body isn't available when this script is first executed,
+  // so we'll also try when createElement is called, but set a flag to ensure it only installs once
+  function initAppendBodyIframe(config, window) {
+    if (
+      !window.document ||
+      !window.document.body ||
+      !window.document.body.appendChild ||
+      window.document.body.unblockerIframeAppendListenerInstalled
+    ) {
+      return;
+    }
+
+    var _appendChild = window.document.body.appendChild;
+
+    window.document.body.appendChild = function (element) {
+      var ret = _appendChild.call(window.document.body, element);
+      if (
+        element.tagName &&
+        element.tagName.toLowerCase() === "iframe" &&
+        element.src === "about:blank" &&
+        element.contentWindow
+      ) {
+        initForWindow(config, element.contentWindow);
+      }
+      return ret;
+    };
+    window.document.body.unblockerIframeAppendListenerInstalled = true;
+  }
+
+  function initWebSockets(config, window) {
+    if (!window.WebSocket) return;
+    var _WebSocket = window.WebSocket;
     var prefix = config.prefix;
     var proxyHost = location.host;
     var isSecure = location.protocol === "https";
@@ -118,13 +190,56 @@
     };
   }
 
-  initXMLHttpRequest(unblocker);
-  initCreateElement(unblocker);
-  initWebsockets(unblocker);
+  // todo: figure out how youtube bypasses this
+  // notes: look at bindHistoryStateFunctions_ - it looks like it checks the contentWindow.history of an iframe *fitst*, then it's __proto__, then the global history api
+  //        - so, we need to inject this into iframes also
+  function initPushState(config, window) {
+    if (!window.history || !window.history.pushState) return;
+
+    var _pushState = window.history.pushState;
+    window.history.pushState = function (state, title, url) {
+      if (url) {
+        url = fixUrl(url, config, location);
+        config.url = new URL(url, config.url);
+        return _pushState.call(history, state, title, url);
+      }
+    };
+
+    if (!window.history.replaceState) return;
+    var _replaceState = window.history.replaceState;
+    window.history.replaceState = function (state, title, url) {
+      if (url) {
+        url = fixUrl(url, config, location);
+        config.url = new URL(url, config.url);
+        return _replaceState.call(history, state, title, url);
+      }
+    };
+  }
 
-  console.log("unblocker client scripts initialized");
+  function initForWindow(config, window) {
+    console.log("begin unblocker client scripts", config, window);
+    initXMLHttpRequest(config, window);
+    initFetch(config, window);
+    initCreateElement(config, window);
+    initAppendBodyIframe(config, window);
+    initWebSockets(config, window);
+    initPushState(config, window);
+    if (window === global) {
+      // leave no trace
+      delete global.unblockerInit;
+    }
+    console.log("unblocker client scripts initialized");
+  }
 
-  // export things for testing if loaded via commonjs
-  exports.fixUrl = fixUrl;
+  // either export things for testing or put the init method into the global scope to be called
+  // with config by the next script tag in a browser
   /*globals module*/
-})((typeof module === "object" && module.exports) || {});
+  if (typeof module === "undefined") {
+    global.unblockerInit = initForWindow;
+  } else {
+    module.exports = {
+      initForWindow: initForWindow,
+      fixUrl: fixUrl,
+    };
+  }
+})(this); // window in a browser, global in node.js

test/client/fix-url-spec.js test/unblocker-client-spec.jstest/client/fix-url-spec.js renamed to test/unblocker-client-spec.js

@@ -1,11 +1,13 @@
 "use strict";
 const { test } = require("tap");
-const { fixUrl } = require("../../lib/client/unblocker-client.js");
-const proxy = "http://localhost";
 const prefix = "/proxy/";
+const proxy = "http://localhost";
 const target = "http://example.com/page.html?query#hash";
 const location = new URL(proxy + prefix + target);
 
+const config = (global.unblocker = { prefix, url: target });
+const { fixUrl } = require("../lib/client/unblocker-client.js");
+
 // 1x1 transparent gif
 const pixel =
   " data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==";
@@ -36,16 +38,28 @@ const testCases = [
   { url: "http://localhost/path", expected: "/proxy/http://example.com/path" },
   // don't break data: urls
   { url: pixel, expected: pixel },
+  // don't break protocol-relative urls
+  { url: "//example.com/foo", expected: "/proxy/http://example.com/foo" },
+  // don't break about:blank urls
+  { url: "about:blank", expected: "about:blank" },
+  // don't break already proxied URLs
+  {
+    url: proxy + prefix + "http://example.com/foo",
+    expected: proxy + prefix + "http://example.com/foo",
+  },
+  {
+    url: prefix + "http://example.com/foo",
+    expected: prefix + "http://example.com/foo",
+  },
   // todo: port numbers
   // todo: more https tests
   // todo: websockets(?)
-  // todo: already proxied input url
 ];
 
 testCases.forEach((tc) => {
   test(JSON.stringify(tc), (t) => {
     // todo: replace || with ??
-    const actual = fixUrl(tc.url, tc.prefix || prefix, tc.location || location);
+    const actual = fixUrl(tc.url, tc.config || config, tc.location || location);
     t.equal(actual, tc.expected);
     t.end();
   });