thinkahead
What's New
- 2010-03-30: ThinkAhead Mozdev project created.
- 2010-03-29: ThinkAhead Add-on page created.
Links
ThinkAhead
Introduction
This is a small but potentially very useful hack add-on. It listens for HTTP requests and responses from Firefox. If any of those come from a page that contains a ThinkAhead block, the block is used to modify HTTP headers accordingly. In short, this allows for relatively hassle-free control of both incoming and outgoing HTTP headers by programmatic means, even when JavaScript is disabled on the page in question.
Usage
ThinkAhead blocks are JSON-formatted, as follows:
    <script type="application/json"> {
        "thinkahead_ver": "1.04",
        "matches": [
            {
                "urls": ["http://someurl", ...],
                "regexurls": ["^.*someregex.*$", ...],
                "request": {
                    "User-Agent": "Toaster", ...
                },
                "response": {
                    "Content-Disposition": "attachment; filename=foo.mp3", ...
                }
            }, ...
        ]
    }
    </script>
There may be zero or more such blocks in any page, and all are processed.
thinkahead_ver must be set to the current add-on version for the block to be processed. matches is an array of match objects containing target URL information and corresponding headers to apply to any matches. urls contains a list of regular URLs to check, and regexurls contains a list of regular expressions to check. If any of these matches, the subsequent headers are applied to any requests and responses. request and response are objects containing header-value pairs to apply.
When a request or response is caught, the add-on checks for the presence of cached JSON parse results and regular expression objects in an internally stored property of the document. If no such cache exists, the document is parsed and the cache is created.
If you want to force the add-on to refresh the match cache (for instance, if you've dynamically added or removed a JSON block), you must create a separate JSON block that looks like this:
    <script type="application/json" id="TA_Reset"></script>
The next time that the add-on checks the cache, it will notice this tag, remove it, and regenerate the cache. This mechanism is necessary because DOM manipulation is the only reliable method of inter-script communication.
This add-on has been tested to play nicely with GreaseMonkey. The following code snippet demonstrates the dynamic addition of ThinkAhead blocks:
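    // Append an empty block with id "TA_Reset"; the add-on removes it and
    // regenerates its match cache the next time it checks the cache.
    function ResetTA() {
        var script = document.createElement('script');
        script.type = 'application/json';
        script.id = 'TA_Reset';
        document.body.appendChild(script);
    }

    // Add a new ThinkAhead block; jsonstr is the JSON text of the block.
    function AddTA(jsonstr) {
        var script = document.createElement('script');
        script.type = 'application/json';
        script.textContent = jsonstr;
        document.body.appendChild(script);
        ResetTA(); // so that ThinkAhead looks for the new block
    }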
Since every HTTP request and response goes through this add-on, there is a release version to marginally decrease the (small) performance hit. This release version is set up to be compressed with the excellent Compressorrater. The release version also does not contain error console output. If you encounter a reproducible bug, please switch to the debug version and let me know. The debug version is not compressed, and has full console output.
Disclaimer
- This plugin has not been thoroughly tested. Your testing and feedback are highly appreciated!
- Other than basic JSON parsing, no verification of the metadata is done, so if you send a server some baloney headers and something catches fire, don't say I didn't warn you.
- Regarding security: header modification is performed on a per-URL, per-originating-document basis. This means that (for instance) a nasty page running in tab B cannot hijack any headers for HTTP transactions in tab A. That being said, if a page is vulnerable to XSS attacks, a malicious party could insert code that modifies headers to do all sorts of mean things, like redirecting to a bad URL, messing with your cookies, or showing a bogus WWW-Authenticate dialogue in the hope that the user provides a password. For these reasons, watch out for XSS or it can ruin your day.
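The disclaimer says that nothing beyond JSON parsing is verified and that an injected block could set headers such as WWW-Authenticate. The lint below is an added example, not part of the add-on: the function names, the SENSITIVE list and the finding strings are assumptions of this example, and it works on a block's JSON text rather than the DOM so that it runs under Node.

```javascript
// Added example, not ThinkAhead's own code: lint a block's JSON text before use.
// SENSITIVE reflects the effects the disclaimer names (redirects, cookies, auth).
const SENSITIVE = ['location', 'cookie', 'set-cookie', 'www-authenticate'];
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // RFC 7230 header field-name

function auditHeaders(headers, where, findings) {
  if (headers === undefined) return;
  if (headers === null || typeof headers !== 'object' || Array.isArray(headers)) {
    findings.push(`${where}: not an object of header-value pairs`);
    return;
  }
  for (const [name, value] of Object.entries(headers)) {
    if (!TOKEN.test(name)) findings.push(`${where}: invalid header name ${JSON.stringify(name)}`);
    if (typeof value !== 'string' || /[\r\n\0]/.test(value))
      findings.push(`${where}: ${name} value is not a single-line string`);
    if (SENSITIVE.includes(name.toLowerCase()))
      findings.push(`${where}: sets sensitive header ${name}`);
  }
}

function auditThinkAheadBlock(jsonText, addonVersion) {
  const findings = [];
  let block;
  try { block = JSON.parse(jsonText); } catch (e) { return ['not valid JSON']; }
  if (block === null || typeof block !== 'object') return ['not a JSON object'];
  if (block.thinkahead_ver !== addonVersion) findings.push('thinkahead_ver mismatch');
  if (!Array.isArray(block.matches)) return findings.concat('matches is not an array');
  block.matches.forEach((m, i) => {
    const at = `matches[${i}]`;
    if (m === null || typeof m !== 'object') { findings.push(`${at}: not an object`); return; }
    for (const key of ['urls', 'regexurls']) {
      const list = m[key] === undefined ? [] : m[key];
      if (!Array.isArray(list) || !list.every(s => typeof s === 'string')) {
        findings.push(`${at}.${key}: not an array of strings`);
        continue;
      }
      if (key === 'regexurls') for (const src of list) {
        try { new RegExp(src); } catch (e) { findings.push(`${at}.regexurls: bad regex ${src}`); }
      }
    }
    auditHeaders(m.request, `${at}.request`, findings);
    auditHeaders(m.response, `${at}.response`, findings);
  });
  return findings;
}

// Constructed sample block exercising the headers the disclaimer warns about.
const INJECTED = JSON.stringify({ thinkahead_ver: '1.04', matches: [{ regexurls: ['^.*$'],
  response: { 'WWW-Authenticate': 'Basic realm="x"', 'X-A': 'a\r\nSet-Cookie: b=c' } }] });
console.log(auditThinkAheadBlock(INJECTED, '1.04'));
```

An empty result means the block is well-formed and sets none of the listed headers; it says nothing about whether the remaining headers are appropriate for the target server.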
Happy hacking!