Home/ Questions/Q 7589629
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T20:12:31+00:00

I’m trying to learn extesion development for firefox for a few days. I’m trying

  • 0

I’m trying to learn extesion development for firefox for a few days. I’m trying to create something like RequestPolicy. But I’m in some trouble. What I want to do is making an extension, that disables cross-site requests. For now, I have coded something like this;

var httpRequestObserver = {
    observe : function(aSubject, aTopic, aData) {
    if (aTopic == "http-on-modify-request") {        

      var httpChannel = aSubject.QueryInterface(Components.interfaces.nsIHttpChannel);  

      var referrerHost = httpChannel.referrer.host;
      var requestedHost = httpChannel.originalURI.host;      
      var patt = new RegExp(referrerHost);

      if ( !(patt.test(requestedHost)) ) {
          alert("Referrer Host: "+referrerHost+" Requested Host: "+requestedHost+" is NOT SAME ");
      httpChannel.cancel(Components.results.NS_BINDING_ABORTED);
      }
    }
  } 
}


var observerService = Components.classes["@mozilla.org/observer-service;1"]
                                .getService(Components.interfaces.nsIObserverService);
observerService.addObserver(httpRequestObserver, "http-on-modify-request", false);

But, this code cancels all the requests while i just want to cancel ‘requestedHost’.
To make it clear; lets say we have a foo.com that uses an image from bar.com, when I use the code snippet above, the browser can’t open foo.com, what I want to do is, open the foo.com and just disable the img from bar.com.

Thanks in advance, and sorry for my decent English.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It isn’t quite clear what you are trying to achieve. According to your question you want this:

    • foo.com => bar.com: block
    • foo.com => foo.com: allow
    • foo.com => sub.foo.com: block
    • sub.foo.com => foo.com: block

    The correct check here would be extremely simple:

    if (referrerHost != requestHost) {
  httpChannel.cancel(Components.results.NS_BINDING_ABORTED);

    But I think that you most likely meant to allow communication within the same domain:

    • foo.com => bar.com: block
    • foo.com => foo.com: allow
    • foo.com => sub.foo.com: allow
    • sub.foo.com => foo.com: allow

    To properly determine the domain name you can use nsIEffectiveTLDService:

    var eTLDService = Components.classes["@mozilla.org/network/effective-tld-service;1"]
                  .getService(Components.interfaces.nsIEffectiveTLDService);
try
{
  var referrerDomain = eTLDService.getBaseDomain(httpChannel.referrer);
  var requestDomain = eTLDService.getBaseDomain(httpChannel.originalURI);
  if (referrerDomain != requestDomain)
    httpChannel.cancel(Components.results.NS_BINDING_ABORTED);
}
catch (e)
{
  Components.utils.reportError(e);
}

    But even here you would still have issues. Consider the user clicking a link on Google going to foo.com – the referrer of that request would be google.com while the requested domain would be foo.com, so your code would block it. I guess that you don’t want to block top-level requests but I doubt that you can distinguish them from an observer – you would need a progress listener or a content policy for that.

    Note: You can get the desired effect with the Adblock Plus extension by adding *$third-party filter. This filter is known to break lots of websites however – communication across domain boundaries is more common than one would expect.

    • 0