Firefox extension dev: howto fix wrong "Referer" in XMLHttpRequest - firefox

I am trying to program a simple Firefox (66.0 Quantum) Extension intended to download complete HLS video streams. The basic approach is to start video-playback using the page's regular UI functionality and to intercept the loading of respective HLS .m3u8-playlist files from within the extension's background-script (i.e. using "browser.webRequest.onBeforeRequest"). The extension similarily also intercepts the first "video-chunk" request triggered by the playlist (using "browser.webRequest.onSendHeaders") - so it knowns what the correct http-headers for respective "video-chunk" requests would need to look like.
permission-wise I am currently using these:
"permissions": [
"downloads", "activeTab", "webRequest", "webRequestBlocking", "<all_urls>"
],
Based on the above collected information, ideally the extension should be able to create correct XMLHttpRequest requests for all the "movie-chucks" found in the playlist and to ultimately download all those files. Obviously a respective long running "download" task should be performed in the background-script and once the above information has been collected there should be no need to still keep the original browser tab open.
Problem: Some of the servers that serve the movie-chunks apparently rely on the "Referer" (and maybe "Origin") header for some kind of access-control and the XMLHttpRequest instances created from within the background-script DO NOT allow to create the respective correct header (since it is a restricted field it cannot be manually set to the correct value).
The only workaround that I found so far leaves a lot to be desired: A content.XMLHttpRequest created within a content-script uses the correct headers and my background-script can delegate (via messaging) the respective file loading to the content-script (which is rather silly and means that the background-script process will fail if the original browser tab is closed during download).
Is there any way that allows to properly do/complete all the download logic on the background-script side (even after the originating browser tab has been closed)?

Related

Programmatically pass additional header info along with URL to open a browser

I have an application which at one point wants to launch a particular URL in the default browser. This is pretty simple and can be achieved using ShellExecute on Windows. However the catch is that the server expects some additional custom header information (for authentication/identification purposes) to be sent along with the GET request.
Is there any way by which this (additional header) information could be passed to the browser while launching it?
Note:- I want to launch the default browser and not use a Web browser control
As I understand you have only one option: add intermidiate page (in internet or on localhost).
You have to create yoursite.com/sendHeaders.php or localhost/sendHeaders.php (or any another extension; choose language what do you prefer), which does following:
Unpack parameters (URL and headers),
Connect to the URL, send the headers,
Print the answer in browser.
So you will open in your browser intermediate page yoursite.com/sendHeaders.php?url=realUrl&headers=packedHeaders, but browser will show you a page realUrl, which received proper headers.

How to detect the last Docpad render pass?

Im currently writing a small Docpad plugin to output a documents contentRenderedWithoutLayouts into a separate .json file next to the .html version for loading it via an ajax request later.
The plugin works by overriding Baseplugin's render: (opts) -> method and doing a few checks whether we're rendering a document and to html.
I now noticed that this method gets called multiple times for some documents, which seems to be render pass related. So how can I detect the final render pass per document to avoid writing the .json multiple times per render?
Many Thanks
--
Edit:
found the answer after another look at Docpads events list: http://docpad.org/docs/events
The writeAfter event is the right place to get the final data and have the output directory tree set up so I can put my .json files next to the .html.
In case you're interested find the plugin here: https://github.com/field/docpad-plugin-jsonfragment
Another approach to this would be to use the serverExtend event, and write a router that detects if it is an ajax request (existance of the IS_XHR header) and then sends the necessary json data from that. This would require your hosting platform to support node.js as you'll be using the docpad server.

Implementing my own protocol and using it through my browser

I want to create a new protocol so that I can view the data retrieved through the protocol in the browser.
For example, I want to be able to go to myprotocol://www.filepath.com/img.jpg and view the image.
Where myprotocol is defined by myself.
I have read about registering application handling here:
http://msdn.microsoft.com/en-us/library/aa767914%28v=vs.85%29.aspx
with this it is possible to run a desktop exe that receives the url I am trying to access. How would I return the retrieved jpg to the browser for viewing, so that it behaves like a normal protocol, such as http?
Thanks
That registration will allow you to bind an application to the uri, so if launched through windows explorer (including "Run") and from command line, then the app is launched and the uri passed to it as an argument (much like if you double-click a file, the default app for it is launched and the path to the file passed).
For example, your "default" browser will have http:// associated with it in this way.
It is still up to the application itself to have its own handling of the URI when it is passed as an argument. If you want to make a browser handle your new protocol, you will have to write an extension/plugin/add-on/whatever-that-browser's-makers-call-it to add further functionality to the browser. This is a separate job for Firefox, IE, Chrome, Konqueror, Chromium (well, at least it might be sharable with Chrome), etc. with separate APIs to deal with.

Servlet send image from server and save in client

I'm new and just developing on J2EE.
I am modifying an existing application (an OpenSource project).
I need to save an image on a client sent by the server, but I do not know how.
This activity must be done in a transparent manner without affecting the existing operation of the application.
From the tests done I get this error:
java.lang.IllegalStateException: getWriter () has Already Been Called for this response.
How should carry out this task, according to your own opinion?
How do I save on the client, locally, the image?
Update:
Thanks for the answers.
My problem is that:
the image is generated on the server, but not for direct client request (there is no link to click on web page), the picture is composed using other services on the Internet.
reconstruct the image on the server.
This image must be sent to the client to be saved locally.
so I'd like it to appear a window where you assign the destination image
plus I'd like the rest of the application were not affected by this activity.
The application is yet on production.
Thank you very much for your response.
From the tests done I get this error: java.lang.IllegalStateException: getWriter () has Already Been Called for this response.
In other words, you were trying to mix the binary data of the image with the character data of the HTML output, or you were trying to do this in a JSP instead of a Servlet. This is indeed not going to work. You need to send either the image or the HTML page exclusively in response to fully separate requests.
In your JSP/HTML page just have a link to the image, like so:
click to download image
Then, in a servlet listening on an url-pattern of /imageservlet/*, you just get the image as InputStream from some datasource (e.g. from local disk file system as FileInputStream) and then write it to the OutputStream of the response the usual Java IO way.
You only need to set at least the Content-Disposition response header to attachment to make sure that the client get a Save As popup dialogue, else it will be displayed straight in the browser. Setting the Content-Type and Content-Length are also important so that the browser knows what the server is sending and can predict how long the download may take.
response.setHeader("Content-Type", getServletContext().getMimeType(file.getName()));
response.setHeader("Content-Length", String.valueOf(file.length()));
response.setHeader("Content-Disposition", "attachment;filename=\"" + file.getName() + "\"");
You can find complete basic servlet example in this article.
Note: you cannot control where the client would save the image, this would be a security hole. This way websites would be able to write malicious files on client's disk unaskingly.
Update: as per your update, there are two options:
You need to let the client itself fire two HTTP requests (I've answered this in your subsequent question)
Create a client side application which does all the task directly at the client side and then embed this in your webpage, for example a Java Applet. With an applet you have full control over the client environment. You can execute almost all Java code you'd like to execute and you can write files to disk directly without asking client for the location to save. You only need to sign the applet by a 3rd party company or the client needs to confirm a security warning before running.
Its up to the browser how all types of output are handled. Web pages are given a content type of html which the browser understands and ends up rendering ass a page that we can see. Images are given content type of image/jpeg etc which are rendered as images when in a page etc. To force a download prompt one needs to use a content type of a binary file rather than that of an image so the browser forces the download rather than shows the image. To ensure this use something like "application/octetstream"... i cant recall exactly but its easy to google for.

How can a bookmarklet access a Firefox extension (or vice versa)

I have written a Firefox extension that catches when a particular URL is entered and does some stuff. My main app launches Firefox with this URL. The URL contains sensitive information so I don't want it being stored in the history.
I'm concerned about the case where the extension is not installed. If its not installed and Firefox gets launched with the sensitive URL, it will get stored in history and there's nothing I can do about it. So my idea is to use a bookmarklet.
I will launch Firefox with "javascript:window.location.href='pleaseinstallthisplugin.html'; sensitiveinfo='blahblah'".
If the extension is not installed they will get redirected to a page that tells them to install it and the sensitive info won't get stored in the history. If the extension IS installed it will grab the information in the sensitiveinfo variable and do its thing.
My question is, can the bookmarklet call a method in the extension to pass the sensitive info (and if so, how) or can the extension catch when javascript is being called in the bookmarklet?
How can a bookmarklet and Firefox extension communicate?
p.s. The alternative means of getting around this situation would be for my main app to launch Firefox and communicate with the extension using sockets but I am loath to do that because I've run into too many issues over the years with users with crazy firewalls blocking socket communication. I'd like to do everything without sockets if possible.
As far as I know, bookmarklets can never access chrome files (extensions).
Bookmarklets are executed in the scope of the current document, which is almost always a content document. However, if you are passing it in via the command line, it seems to work:
/Applications/Namoroka.app/Contents/MacOS/firefox-bin javascript:alert\(Components\)
Accessing Components would throw if it was not allowed, but the alert displays the proper object.
You could use unsafeWindow to inject a global. You can add a mere property so that your bookmarklet only needs to detect whether the global is defined or not, but you should know that, as far as I know, there is no way to prohibit sites in a non-bookmarklet context from also sniffing for this same global (since it may be a privacy concern to some that sites can detect whether they are using the extension). I have confirmed in my own add-on which injects a global in a manner similar to that below that it does work in a bookmarklet as well as regular site context.
If you register an nsIObserver, e.g., where content-document-global-created is the topic, and then unwrap the subject, you can inject your global (see this if you need to inject something more sophisticated like an object with methods).
Here is some (untested) code which should do the trick:
var observerService = Cc['#mozilla.org/observer-service;1'].getService(Ci.nsIObserverService);
observerService.addObserver({observe: function (subject, topic, data) {
var unsafeWindow = XPCNativeWrapper.unwrap(subject);
unsafeWindow.myGlobal = true;
}}, 'content-document-global-created', false);
See this and this if you want an apparently easier way in an SDK add-on (not sure whether SDK postMessage communication would work as an alternative but with the apparently same concern that this would be exposed to non-bookmarklet contexts (i.e., regular websites) as well).

Resources