Harmful API protections (#527)

* Add a utility function for overriding methods

* Add a utility function to wrap constructor descriptors

* Ignore empty objects in wrapper utils

* Remove unused utilities for now

* Auto-deny motion sensor permissions

* WIP add harmful-apis protection to the mv3 extension

* Throw an error in Sensor API

* Reduce entropy on UA Client Hints

* remove NetworkInformation API

* block navigator.getInstalledRelatedApps

* Remove File System Access API

* Mock Screen.isExtended

* More consistent naming

* Support WorkerNavigator in harmful API protection

* Make web bluetooth block cross-platform

* Auto-deny more permissions

* Make WebUSB platform-agnostic

* Move WebSerial block out of windows-specific code

* Move WebHID API from the windows code, and do not throw errors from it

* Move WebMIDI block out of windows code

* Remove Idle Detection API

* Remove Web NFC

* Filter some events from harmful APIs

* Filter storage quota estimate to reduce FP entropy

* Fix a linting error

* Post-rebase fix

* Use wrap functions in harmful API protections

* Filter events from some harmful APIs

* Ignore non-existing APIs

* Move permission filters into corresponding methods

* Add some comments for ContentFeature methods

* Make harmful API protections configurable

* Add utils for wrapping functions

* Remove dead code

* disallow overriding dom0 event handlers

* Workaround for xrays in firefox

* Move harmful api permissions tests

* Fix UA hints filter

* Add playwright tests for harmful APIs

* Fix WebBluetooth event filter

* HID.requestDevice should return a Promise

* Fix a race condition in the playwright test

* Use Reflect.apply instead of .call

* Linting error

* Enable harmful api tests for windows builds

* tweak gitignore

* Do not fail test when some hardware is unavailable

* Windows: fix an exception in insecure contexts

* Remove debug log

* Protect agains potential undefined feature config

* refactor the test structure

* re-enable windows permission tests

* lint fix

* Increase the bundle size threshold

* Add some docs for harmful API prtotection

* Change the harmful APIs config for consistency

* Fix docs generation (ContentFeature is not included in typedoc yet)

Author: muodov

.gitignore

@@ -2,6 +2,7 @@
 node_modules/
 .swiftpm
 .env
+.build/
 build/
 docs/
 test-results/

integration-test/playwright/harmful-apis.spec.js

@@ -0,0 +1,144 @@
+import { test, expect } from '@playwright/test'
+import { readFileSync } from 'fs'
+import { mockWindowsMessaging, wrapWindowsScripts } from '@duckduckgo/messaging/lib/test-utils.mjs'
+import { perPlatform } from './type-helpers.mjs'
+
+test('Harmful APIs protections', async ({ page }, testInfo) => {
+    const protection = HarmfulApisSpec.create(page, testInfo)
+    await protection.enabled()
+    const results = await protection.runTests();
+    // note that if protections are disabled, the browser will show a device selection pop-up, which will never be dismissed
+
+    [
+        'deviceOrientation',
+        'GenericSensor',
+        'UaClientHints',
+        'NetworkInformation',
+        'getInstalledRelatedApps',
+        'FileSystemAccess',
+        'WindowPlacement',
+        'WebBluetooth',
+        'WebUsb',
+        'WebSerial',
+        'WebHid',
+        'WebMidi',
+        'IdleDetection',
+        'WebNfc',
+        'StorageManager'
+    ].forEach((name) => {
+        for (const result of results[name]) {
+            expect(result.result).toEqual(result.expected)
+        }
+    })
+})
+
+export class HarmfulApisSpec {
+    htmlPage = '/harmful-apis/index.html'
+    config = './integration-test/test-pages/harmful-apis/config/apis.json'
+
+    /**
+     * @param {import("@playwright/test").Page} page
+     * @param {import("./type-helpers.mjs").Build} build
+     * @param {import("./type-helpers.mjs").PlatformInfo} platform
+     */
+    constructor (page, build, platform) {
+        this.page = page
+        this.build = build
+        this.platform = platform
+    }
+
+    async enabled () {
+        await this.installPolyfills()
+        const config = JSON.parse(readFileSync(this.config, 'utf8'))
+        await this.setup({ config })
+        await this.page.goto(this.htmlPage)
+    }
+
+    async runTests () {
+        for (const button of await this.page.getByTestId('user-gesture-button').all()) {
+            await button.click()
+        }
+        const resultsPromise = this.page.evaluate(() => {
+            return new Promise(resolve => {
+                window.addEventListener('results-ready', () => {
+                    // @ts-expect-error - this is added by the test framework
+                    resolve(window.results)
+                })
+            })
+        })
+        await this.page.getByTestId('render-results').click()
+        return await resultsPromise
+    }
+
+    /**
+     * In CI, the global objects such as USB might not be installed on the
+     * version of chromium running there.
+     */
+    async installPolyfills () {
+        await this.page.addInitScript(() => {
+            // @ts-expect-error - testing
+            if (typeof Bluetooth === 'undefined') {
+                globalThis.Bluetooth = {}
+                globalThis.Bluetooth.prototype = { requestDevice: async () => { /* noop */ } }
+            }
+            // @ts-expect-error - testing
+            if (typeof USB === 'undefined') {
+                globalThis.USB = {}
+                globalThis.USB.prototype = { requestDevice: async () => { /* noop */ } }
+            }
+
+            // @ts-expect-error - testing
+            if (typeof Serial === 'undefined') {
+                globalThis.Serial = {}
+                globalThis.Serial.prototype = { requestPort: async () => { /* noop */ } }
+            }
+            // @ts-expect-error - testing
+            if (typeof HID === 'undefined') {
+                globalThis.HID = {}
+                globalThis.HID.prototype = { requestDevice: async () => { /* noop */ } }
+            }
+        })
+    }
+
+    /**
+     * @param {object} params
+     * @param {Record<string, any>} params.config
+     * @return {Promise<void>}
+     */
+    async setup (params) {
+        const { config } = params
+
+        // read the built file from disk and do replacements
+        const injectedJS = wrapWindowsScripts(this.build.artifact, {
+            $CONTENT_SCOPE$: config,
+            $USER_UNPROTECTED_DOMAINS$: [],
+            $USER_PREFERENCES$: {
+                platform: { name: 'windows' },
+                debug: true
+            }
+        })
+
+        await this.page.addInitScript(mockWindowsMessaging, {
+            messagingContext: {
+                env: 'development',
+                context: 'contentScopeScripts',
+                featureName: 'n/a'
+            },
+            responses: {}
+        })
+
+        // attach the JS
+        await this.page.addInitScript(injectedJS)
+    }
+
+    /**
+     * Helper for creating an instance per platform
+     * @param {import("@playwright/test").Page} page
+     * @param {import("@playwright/test").TestInfo} testInfo
+     */
+    static create (page, testInfo) {
+        // Read the configuration object to determine which platform we're testing against
+        const { platformInfo, build } = perPlatform(testInfo.project.use)
+        return new HarmfulApisSpec(page, build, platformInfo)
+    }
+}

integration-test/playwright/windows-permissions.spec.js

@@ -31,42 +31,11 @@ export class WindowsPermissionsSpec {
     }
 
     async enabled () {
-        await this.installPolyfills()
         const config = JSON.parse(readFileSync(this.config, 'utf8'))
         await this.setup({ config })
         await this.page.goto(this.htmlPage)
     }
 
-    /**
-     * In CI, the global objects such as USB might not be installed on the
-     * version of chromium running there.
-     */
-    async installPolyfills () {
-        await this.page.addInitScript(() => {
-            // @ts-expect-error - testing
-            if (typeof Bluetooth === 'undefined') {
-                globalThis.Bluetooth = {}
-                globalThis.Bluetooth.prototype = { requestDevice: async () => { /* noop */ } }
-            }
-            // @ts-expect-error - testing
-            if (typeof USB === 'undefined') {
-                globalThis.USB = {}
-                globalThis.USB.prototype = { requestDevice: async () => { /* noop */ } }
-            }
-
-            // @ts-expect-error - testing
-            if (typeof Serial === 'undefined') {
-                globalThis.Serial = {}
-                globalThis.Serial.prototype = { requestPort: async () => { /* noop */ } }
-            }
-            // @ts-expect-error - testing
-            if (typeof HID === 'undefined') {
-                globalThis.HID = {}
-                globalThis.HID.prototype = { requestDevice: async () => { /* noop */ } }
-            }
-        })
-    }
-
     /**
      * @param {object} params
      * @param {Record<string, any>} params.config

integration-test/test-pages/harmful-apis/config/apis.json

@@ -0,0 +1,93 @@
+{
+  "unprotectedTemporary": [],
+  "features": {
+    "harmfulApis": {
+      "state": "enabled",
+      "settings": {
+        "deviceOrientation": {
+          "state": "enabled",
+          "filterEvents": ["deviceorientation", "devicemotion"]
+        },
+        "GenericSensor": {
+          "state": "enabled",
+          "filterPermissions": [
+            "accelerometer",
+            "ambient-light-sensor",
+            "gyroscope",
+            "magnetometer"
+          ],
+          "blockSensorStart": true
+        },
+        "UaClientHints": {
+          "state": "enabled",
+          "highEntropyValues": {
+            "trimBrands": true,
+            "trimPlatformVersion": 2,
+            "trimUaFullVersion": 1,
+            "trimFullVersionList": 1,
+            "model": "overridden-model",
+            "architecture": "overridden-architecture",
+            "bitness": "overridden-bitness",
+            "platform": "overridden-platform",
+            "mobile": "overridden-mobile"
+          }
+        },
+        "NetworkInformation": {
+          "state": "enabled"
+        },
+        "getInstalledRelatedApps": {
+          "state": "enabled",
+          "returnValue": ["overridden-return-value"]
+        },
+        "FileSystemAccess": {
+          "state": "enabled",
+          "disableOpenFilePicker": true,
+          "disableSaveFilePicker": true,
+          "disableDirectoryPicker": true,
+          "disableGetAsFileSystemHandle": true
+        },
+        "WindowPlacement": {
+          "state": "enabled",
+          "filterPermissions": ["window-placement", "window-management"],
+          "screenIsExtended": true
+        },
+        "WebBluetooth": {
+          "state": "enabled",
+          "filterPermissions": ["bluetooth"],
+          "filterEvents": ["availabilitychanged"],
+          "blockGetAvailability": true,
+          "blockRequestDevice": true
+        },
+        "WebUsb": {
+          "state": "enabled"
+        },
+        "WebSerial": {
+          "state": "enabled"
+        },
+        "WebHid": {
+          "state": "enabled"
+        },
+        "WebMidi": {
+          "state": "enabled",
+          "filterPermissions": ["midi"]
+        },
+        "IdleDetection": {
+          "state": "enabled",
+          "filterPermissions": ["idle-detection"]
+        },
+        "WebNfc": {
+          "state": "enabled",
+          "disableNdefReader": true,
+          "disableNdefMessage": true,
+          "disableNdefRecord": true
+        },
+        "StorageManager": {
+          "state": "enabled",
+          "allowedQuotaValues": [1337]
+        },
+        "domains": []
+      },
+      "exceptions": []
+    }
+  }
+}