The following code snippet works fine on standard POST requests. But on any type of site login only, the read call below just hangs and never comes back. If I put read in an exception block, no exception is ever thrown, it just never returns:
if(httpChannel.requestMethod == "POST") {
channel.QueryInterface(Ci.nsIUploadChannel);
var instream = Cc["@mozilla.org/scriptableinputstream;1"].createInstance(Ci.nsIScriptableInputStream);
instream.init(channel.uploadStream);
var post_data = instream.read(instream.available());
...
And on these logins, instream.available() is actually returning the correct number of bytes available in the POST data. And actually that POST data if viewed in something like Burp looks perfectly normal (actually plain text for the password, etc as it hasn't gone out yet.) Once again, if its not a login, it work fine. Shouldn't just hang in any case. I of course googled nsIScriptableInputStream read login.
Complete code:
/* Any copyright is dedicated to the Public Domain.
* http://creativecommons.org/publicdomain/zero/1.0/ */
//"use strict";
const EXPORTED_SYMBOLS = ['HttpRequestObserver'];
const {Cc, Ci, Cu} = require('chrome');
const module = Cu.import;
const error = Cu.reportError;
module("resource://gre/modules/XPCOMUtils.jsm");
module("resource://gre/modules/Services.jsm");
function HttpRequestObserver() {
this._init();
}
HttpRequestObserver.prototype = {
QueryInterface: XPCOMUtils.generateQI([Ci.nsIObserver, Ci.nsISupportsWeakReference, Ci.nsIWeakReference]),
QueryReferent: function(iid) this.QueryInterface(iid),
GetWeakReference: function() this,
_init: function _init() {
Services.obs.addObserver(this, 'xpcom-shutdown', true);
Services.obs.addObserver(this, 'http-on-modify-request', true);
},
_uninit: function _uninit() {
Services.obs.removeObserver(this, 'http-on-modify-request');
Services.obs.removeObserver(this, 'xpcom-shutdown');
},
observe: function observe(subject, topic, data) {
switch(topic) {
case 'xpcom-shutdown':
this._uninit();
break;
case 'http-on-modify-request':
this.observeRequest(subject, topic, data);
break;
}
},
observeRequest: function observeRequest(channel, topic, data) {
if (!(channel instanceof Ci.nsIHttpChannel)) return;
var httpChannel = channel.QueryInterface(Ci.nsIHttpChannel);
//error("Request: " + channel.requestMethod + ": " + channel.URI.spec);
if(httpChannel.requestMethod == "POST") {
channel.QueryInterface(Ci.nsIUploadChannel);
var instream = Cc["@mozilla.org/scriptableinputstream;1"].createInstance(Ci.nsIScriptableInputStream);
instream.init(channel.uploadStream);
var post_data = instream.read(instream.available());
post_data = post_data.replace(/= *%2344\+Font.+KrazyKool[^&]+/m,"=No+Flash+or+Java+fonts+detected");
var inputStream =
Cc["@mozilla.org/io/string-input-stream;1"].createInstance(Ci.nsIStringInputStream);
inputStream.setData(post_data, post_data.length);
var contentType = httpChannel.getRequestHeader("Content-Type");
channel.setUploadStream(inputStream, contentType, -1);
httpChannel.requestMethod = "POST";
//channel.uploadStream.QueryInterface(Ci.nsISeekableStream);
//channel.uploadStream.seek(0,0);
}
},
};
HttpRequestObserver = new HttpRequestObserver();
Note: The regex is just looking for my system fonts in a post parameter and overwrites them with the message "No Flash or Java fonts detected" which actually prevents panopticlick from fingerprinting on my system fonts. May be pointless, as I guess anything fingerprinting on that in reality wouldn't send back the actual font list. But aside from that, the above code is a template for altering post parameters. But as stated, just goes into neverland if the post parameters are login parameters.
The Firefox addon "Tamper Data" displays the post data for logins without problem. The source code for any Firefox addon is readily available, so I am looking at their source now. To get the source for an add on, go to Mozilla Add Ons, type Tamper Data in the search bar (in this instance), and instead of clicking to install, right click to to save the link, which is the xpi file for the add on. That file is actually a zip, so unzip it and it will contain among other things a .jar (java) file which as it happens is also a zip file. Unzip that and it will contain your js code for the Tamper Data add on.
Everything is in the tamperdata.js file which I'm still deciphering now. It's doing the same sort of thing as my code, but not exactly the same needless to say, as it works. The file isn't tied to their interface apparently, so I could just plug it into my code.