diff --git a/src/js/main.js b/src/js/main.js
index 71a3383..1e39989 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -1,50 +1,52 @@ -const cachedSecurityInfosByTabIdAndURL=new Object();//global cache -browser.browserAction.disable();//This intentionally omits windowId +//Global cache of securityInfo objects: +const cachedSecurityInfosByTabIdAndURL=new Object(); function identifySecType(securityInfo){ + //Takes in a browser.webRequest.getSecurityInfo object + //and returns an integer from secTypes corresponding to the try { - switch(securityInfo.state){ - case 'insecure': + switch(securityInfo.state) { + case 'insecure': - //genuinely not HTTPS - return secTypes.insecure; + //genuinely not HTTPS + return secTypes.insecure; - case 'secure': - let certChain=securityInfo.certificates; + case 'secure': + let certChain=securityInfo.certificates; - if(certChain.length==0){ - //TODO/FIXME: Mozilla doesn't provide - //any access whatsoever to self-signed - //or otherwise nominally-invalid certs - // https://discourse.mozilla.org/t/webrequest-getsecurityinfo-cant-get-self-signed-tofu-exception-certificates/67135 - return secTypes.unknown; - } + if(certChain.length==0) { + //TODO/FIXME: Mozilla doesn't provide + //any access whatsoever to self-signed + //or otherwise nominally-invalid certs + // https://discourse.mozilla.org/t/webrequest-getsecurityinfo-cant-get-self-signed-tofu-exception-certificates/67135 + return secTypes.unknown; + } - let rootCert=certChain[certChain.length-1]; + let rootCert=certChain[certChain.length-1]; - //Now, this connection is... - if(rootCert.isBuiltInRoot){ - //...Mozilla-supported - return secTypes.Mozilla; - } + //Now, this connection is... + if(rootCert.isBuiltInRoot){ + //...Mozilla-supported + return secTypes.Mozilla; + } - if(!securityInfo.isUntrusted){//why didn't they use .isTrusted lol - //...supported by a Non-Mozilla cert,... 
- if(isItMitM(rootCert)){ //TODO - //...a TLS MITM proxy - return secTypes.MitM; - } else { - //...an alternative Root CA - if(certChain[certChain.length-1].fingerprint.sha256 in sha256fp_host_alt) { - return secTypes.aRootKnown; + if(!securityInfo.isUntrusted){//why didn't they use .isTrusted lol + //...supported by a Non-Mozilla cert,... + if(isItMitM(rootCert)){ //TODO + //...a TLS MITM proxy + return secTypes.MitM; } else { - return secTypes.aRootUnknown; + //...an alternative Root CA + if(certChain[certChain.length-1].fingerprint.sha256 in sha256fp_host_alt) { + return secTypes.aRootKnown; + } else { + return secTypes.aRootUnknown; + } } } + default: + throw {status:'thisShouldNeverHappen',securityInfo:securityInfo}; } - default: - throw {status:'thisShouldNeverHappen',securityInfo:securityInfo}; - } } catch(e) { switch(e.status){ default: @@ -76,7 +78,7 @@ browser.tabs.onUpdated.addListener( ); browser.tabs.onRemoved.addListener( - async function onTabRemovedListener(tabId,removeInfo) { + async function onTabRemovedListener(tabId,removeInfo){ delete cachedSecurityInfosByTabIdAndURL[tabId]; } ); @@ -87,7 +89,7 @@ browser.webRequest.onHeadersReceived.addListener( //to intercept at least one outbound request (no matter //how well we code) before detection. //TODO: pester Mozilla about this - async function onHeadersReceivedListener(details) { + async function onHeadersReceivedListener(details){ let tabId=details.tabId; let type=details.type; let requestId=details.requestId; diff --git a/src/js/util.js b/src/js/util.js index b17d324..61cbee3 100644 --- a/src/js/util.js +++ b/src/js/util.js @@ -22,7 +22,7 @@ function intDiv(a,b=100){ function genBrowserActionSpec(secType,certChain){ let rootHost,iconPath; - switch(secType){ + switch(secType) { case secTypes.Mozilla: rootHost=sha256fp_host[certChain[certChain.length-1].fingerprint.sha256]; return { 
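Review bot: The `default:` branch that now throws `{status:'thisShouldNeverHappen',securityInfo:securityInfo}` is reachable in normal operation: `securityInfo.state` is documented with four values, `insecure`, `secure`, `weak` and `broken`, so a connection with a weak cipher suite or a broken certificate chain is not classified at all but turned into an exception whose handling in `catch(e)` continues outside the hunk. Handle those states explicitly next to the existing cases, e.g. `case 'weak': case 'broken': return secTypes.unknown;`, or give them their own secTypes value so the browser action can show them. The added header comment `//and returns an integer from secTypes corresponding to the` ends mid-sentence and should be completed before it lands. The membership test `certChain[certChain.length-1].fingerprint.sha256 in sha256fp_host_alt` walks the prototype chain if `sha256fp_host_alt` is a plain object, so `Object.hasOwn(sha256fp_host_alt, fp)` is the more precise form, here and in isItMitM.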
@@ -78,7 +78,7 @@ function genBrowserActionSpec(secType,certChain){ function isItMitM(cert){ //TODO check with the user about this - if(cert.fingerprint.sha256 in sha256fp_host || cert.fingerprint.sha256 in sha256fp_host_alt){ + if( cert.fingerprint.sha256 in sha256fp_host || cert.fingerprint.sha256 in sha256fp_host_alt ) { //The cert was in EITHER database //therefore it is legitimate, //i.e. NOT a MitM: @@ -92,8 +92,8 @@ function isItMitM(cert){ function applyBrowserActionSpec(propCmdDefaults={},browserActionSpec,extraCmds={}){ //TODO: why does[?] Firefox not give us an atomic version of this function?? - for(let prop in browserActionSpec){ - let cmd=Object.assign(new Object(), + for(let prop in browserActionSpec) { + let cmd = Object.assign(new Object(), propCmdDefaults, browserActionSpec[prop]); browser.browserAction['set'+prop](cmd); @@ -107,18 +107,21 @@ browser.runtime.onInstalled.addListener( function onInstalledListener(details){ // Only pester the user if this is a fresh installation [1], // or at least a minor version bump [2]. - let openPathInTab=path=>browser.tabs.create({url:browser.runtime.getURL(path)}); - let curVersion=browser.runtime.getManifest().version; - if( details.reason=="install" ){ + let openPathInTab = path=>browser.tabs.create({url:browser.runtime.getURL(path)}); + let curVersion = browser.runtime.getManifest().version; + if( details.reason == "install" ) { //[1] openPathInTab('db/welcome/install.htm'); } else { - let curMinorVersion=curVersion.split('.').splice(0,2).join('.'); - let prevMinorVersion=details.previousVersion.split('.').splice(0,2).join('.'); - if( curMinorVersion!=prevMinorVersion ){ + let curMinorVersion = curVersion.split('.').splice(0,2).join('.'); + let prevMinorVersion = details.previousVersion.split('.').splice(0,2).join('.'); + if( curMinorVersion != prevMinorVersion ) { //[2] //openPathInTab('db/welcome/update.htm');//TODO } } } ); + +browser.browserAction.disable();//This should be greyed-out by default +
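Review bot: In the reindented onInstalledListener the `else` branch dereferences `details.previousVersion.split('.')`, but `previousVersion` is only supplied for the `update` reason, so an install event with another reason (such as `browser_update`) throws a TypeError inside the listener; guard it with `} else if( details.reason === "update" ) {` instead of a bare `else`. While these lines are being touched, `details.reason == "install"` and `curMinorVersion != prevMinorVersion` should use `===`/`!==`. The relocated `browser.browserAction.disable();` lost its earlier explanation that the windowId argument is intentionally omitted (a global disable), and as a module-level side effect at the bottom of util.js its timing relative to the listeners in main.js now depends on script load order; keeping the windowId note in the comment, e.g. `//Global disable (no windowId): greyed-out until a request is classified`, would preserve that intent for the next reader.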