From 783f1fc99ad2e32d692be0a5626f1184e84fdc20 Mon Sep 17 00:00:00 2001 From: Brian Helba Date: Thu, 2 Jun 2022 21:24:53 -0400 Subject: [PATCH] Block ETag tracking on outgoing request, instead of incoming response This change more directly addresses the privacy concern where servers can identify whether a given client has previously downloaded some content. This tracking occurs when a request for an already-cached resource is sent to the server with an `If-None-Match` header. If the cached resource was previously received with a unique `ETag`, the server can uniquely identify the user. Rather than blocking the client from reading `ETag` values (which may be safely be used for other purposes; see #177), this change prevents servers from being informed about whether the client has any cached content. Fixes #177.
---
core_js/eTagFilter.js | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/core_js/eTagFilter.js b/core_js/eTagFilter.js
index 254562d..a96c3fd 100644
--- a/core_js/eTagFilter.js
+++ b/core_js/eTagFilter.js
@@ -19,28 +19,29 @@
 /*jshint esversion: 6 */
 /**
- * Filters eTag headers from web requests.
+ * Filters headers containing eTag values from web requests.
 */
 function eTagFilter(requestDetails) {
- if(!requestDetails.responseHeaders || !storage.eTagFiltering
+ if(!requestDetails.requestHeaders || !storage.eTagFiltering
 || storage.localHostsSkipping && checkLocalURL(new URL(requestDetails.url))) return {};
- const responseHeaders = requestDetails.responseHeaders;
+ const requestHeaders = requestDetails.requestHeaders;
- const filteredHeaders = responseHeaders.filter(header => {
- return header.name.toLowerCase() !== "etag";
+ const filteredHeaders = requestHeaders.filter(header => {
+ // Browsers may automatically send an If-None-Match header with
+ return header.name.toLowerCase() !== "if-none-match";
 });
- if(filteredHeaders.length < responseHeaders.length) {
+ if(filteredHeaders.length < requestHeaders.length) {
 pushToLog(requestDetails.url, requestDetails.url, translate("eTag_filtering_log"));
 increaseBadged(false, requestDetails);
 increaseGlobalURLCounter(1);
- return {responseHeaders: filteredHeaders};
+ return {requestHeaders: filteredHeaders};
 }
 }
-browser.webRequest.onHeadersReceived.addListener(
+browser.webRequest.onBeforeSendHeaders.addListener(
 eTagFilter,
 {urls: [""]},
- ["blocking", "responseHeaders"]
+ ["blocking", "requestHeaders"]
 );
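Review bot: The filter callback in `eTagFilter` drops only `If-None-Match`, so the cache-revalidation signal the description sets out to hide can still leave through `If-Modified-Since`; a server can encode an identifier in a `Last-Modified` timestamp much as it can in an `ETag`. Consider filtering both validators, e.g. `return !["if-none-match", "if-modified-since"].includes(header.name.toLowerCase());`. Separately, Chromium's webRequest documentation lists `If-None-Match` among the headers not provided to `onBeforeSendHeaders`, so on Chromium-based browsers this listener may never match, and the protection the old `onHeadersReceived` filter gave would be lost without any visible error; this should be verified per browser before the response-side filter is removed. The added comment `// Browsers may automatically send an If-None-Match header with` stops mid-sentence and should be completed, for instance `// Browsers may automatically send If-None-Match with a cached ETag when revalidating; drop it so the server cannot recognise the client.`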