Firefox Extension : Stopping the page load when suspicious url found

Question

I am working on a simple firefox extension that tracks the url requested and call a web service at the background which detects whether the URL is suspicious or not and based on the result returned by the service, extension decides to stop the page load and alert the user about the case of forgery or whatever, and if user still wishes to go to that page he can get redirected to the original page he has requested for

I have added a http-on-modify-request observer

var observerService = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
observerService.addObserver(requestObserverListener.observe, "http-on-modify-request", false);

and the observer

var requestObserverListener = {observe: function (subject, topic, data) {

  //alert("Inside observe");
  if (topic == "http-on-modify-request") {
    subject.QueryInterface(Components.interfaces.nsIHttpChannel);
    var url = subject.URI.spec; //url being requested. you might want this for something else 
   //alert("inside modify request");

    var urlbarvalue = document.getElementById("urlbar").value;
    urlbarvalue = processUrl(urlbarvalue, url);
    //alert("url bar: "+urlbarvalue);
    //alert("url: "+url);
    document.getElementById("urlbar").style.backgroundColor = "white";
    if(urlbarvalue == url && url != "")
    {
        var browser = getWindowForRequest(subject);
        if (browser != null) {
           //alert(""+browser.contentDocument.body.innerHTML);
          alert("inside browser: "+url);
          getXmlHttpRequest(url);
        }
    }
  }

},
}

so when the URL in the URLbar and the requested url matches REST service will be called through ajax getXmlHttpRequest(url); method

now when i am running this extension call is made to the service but before the service return any response the page gets loaded which is not appropriate because user might enter his credentials in the meanwhile and get compromised

I want to first display user a warning message on the browser tab and if he still wanted to visit to that page he can then be redirected to that page on a link click in warning message window

Answer 1

I haven't tried this code out so I'm not sure that suspend and resume will work well but here's what I would try. You're working with an nsIRequest object as your subject so you can call subject.suspend() on it. From there use callbacks to your XHR call to either cancel() or resume() the nsIRequest.

Here's the relevant (untested) snippet of code. My XHR assumes some kind of promise .the() return but hopefully you understand the intention:

  if(urlbarvalue == url && url != "")
  {
      var browser = getWindowForRequest(subject);
      if (browser != null) {
        // suspend the pending request
        subject.suspend();
        getXmlHttpRequest(url).then(
                                    function success() { subject.resume(); },
                                    function failure() { subject.cancel(Components.results.NS_BINDING_ABORTED); });
      }
  }

Just some fair warning that you actually don't want to implement an add-on in this way.

It's going to be extremely slow to do a remote call for every HTTP request. The safe browsing module does a single call to download a database of sites considered 'unsafe', it then can quickly check the database against the HTTP request page such that it doesn't have to make individual calls every time.

Here's some more info on this kind of intercepting worth reading: https://developer.mozilla.org/en-US/docs/XUL/School_tutorial/Intercepting_Page_Loads#HTTP_Observers

Also I'd worry that your XHR request will actually loop because XHR calls creates an http-on-modify-request event so your code might actually check that your XHR request is valid before being able to check the current URL. You probably want a safety check for your URL checking domain.

And here's another stackoverflow similar question to yours that might be useful: How to block HTTP request on a particular tab?

Good luck!