commit 650f5d10115670a2b7fbe355dd11ea125256537b Author: David Fifield david@bamsoftware.com Date: Fri Feb 15 13:55:53 2019 -0700
Strip unneeded headers by default.
These are: Accept Accept-Language Cookie Origin User-Agent
Cf. https://bugs.torproject.org/12778
In the old extension we stripped *all* headers, except for Content-Length and Content-Type, which got set by nsIUploadChannel.setUploadStream; and Connection, which somehow automatically got the value "keep-alive". https://gitweb.torproject.org/pluggable-transports/meek.git/commit/?id=0e6ce...
In the new WebExtension, stripping all headers really strips them all, including Content-Length, without which web servers may refuse to deal with us. So instead, just delete an enumerated list of headers that seem unnecessary; or, like Cookie or Origin, may enable cross-session tracking.
Before this change (url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com): Accept: */* Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Cache-Control: no-cache Connection: keep-alive Content-Length: 0 Host: meek.azureedge.net Origin: moz-extension://3b29e17d-f486-48b9-8a03-782237114ad3 Pragma: no-cache TE: Trailers User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0 X-Session-Id: QE9IrvZFtFc
After this change: Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Connection: keep-alive Content-Length: 0 Host: meek.azureedge.net Pragma: no-cache TE: Trailers X-Session-Id: CKOaxq4SVqM --- webextension/background.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/webextension/background.js b/webextension/background.js
index 1ffb828..664e758 100644
--- a/webextension/background.js
+++ b/webextension/background.js
@@ -135,7 +135,6 @@ async function roundtrip(request) {
 // Don't follow redirects (we'll get resp.status:0 if there is one).
 init.redirect = "manual";
- // TODO: strip Origin header?
 // TODO: proxy
 } catch (error) {
 return {error: `request spec failed valiation: ${error.message}`};
@@ -165,6 +164,10 @@ async function roundtrip(request) {
 .map(x => ({name: x[0], value: x[1]}));
 // Remove all browser headers that conflict with requested headers.
 let overrides = Object.fromEntries(headers.map(x => [x.name.toLowerCase(), true]));
+ // Also remove some unnecessary or potentially tracking-enabling headers.
+ for (let name of ["Accept", "Accept-Language", "Cookie", "Origin", "User-Agent"]) {
+ overrides[name.toLowerCase()] = true;
+ }
 let browserHeaders = details.requestHeaders.filter(x => !(x.name.toLowerCase() in overrides));
 return {requestHeaders: browserHeaders.concat(headers)};
 } finally {
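Review bot: The membership test `x.name.toLowerCase() in overrides` on the filter line after the added loop consults the prototype chain of the plain object built by `Object.fromEntries`, so a browser header whose lowercased name happens to match an `Object.prototype` property (such as `constructor`) would be silently dropped; a `Set` avoids that and also removes the need to call `toLowerCase()` on the literal names in the new loop. Hoisting the list to module scope as `const STRIP_HEADERS = ["accept", "accept-language", "cookie", "origin", "user-agent"];` with a one-line comment pointing at bug 12778 (the reason these are tracking-enabling or unneeded) keeps the policy discoverable, and then `const overrides = new Set([...headers.map(x => x.name.toLowerCase()), ...STRIP_HEADERS]);` and `let browserHeaders = details.requestHeaders.filter(x => !overrides.has(x.name.toLowerCase()));` replace the object, the loop and the filter. The function that receives `details` (presumably a webRequest header listener inside roundtrip) starts outside the hunk.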