Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Changing HTTP Response code does not work #198

Open
fossecode opened this issue Jan 12, 2021 · 19 comments
Open

Changing HTTP Response code does not work #198

fossecode opened this issue Jan 12, 2021 · 19 comments
Labels
p:1 type:bug

Comments

@fossecode
Copy link

Hi! First of all, awesome extension 馃挴 馃憤

I am however unable to modify the HTTP response code:
image
image
@sirdarckcat
Copy link
Member

It's possible it's a DevTools issue, but I'll add a test to confirm :-)

@sirdarckcat
Copy link
Member

yep, it's broken.

reproduced by going to: http://evilwebsite.com/shell.html and typing

(async x=>{print((await fetch("")).status)})()

changing from 200 to 201 returns 200

@sirdarckcat
Copy link
Member

The value flows from here:

tamperchrome/v2/background/src/request.ts

Line 89 in 1ad8700

modified.status = obj.status;

to here:

tamperchrome/v2/background/src/request.ts

Line 146 in 1ad8700

responseCode: response.status || this.status || 0,

and ends in https://chromedevtools.github.io/devtools-protocol/tot/Fetch/#method-fulfillRequest

weird :)

@sirdarckcat
Copy link
Member

traced it to the API call, and 201 is sent correctly, but the javascript code still sees value 200.
image

@sirdarckcat
Copy link
Member

Seems like Chrome recognizes the new status code, as it behaves differently when changing it from 200 to 302 (it only allows a Location redirect with 3XX and fails if the status is 200). It's probably a bug in Chrome.

@sirdarckcat
Copy link
Member

And it seems like Chrome doesn't look at the status of intercepted requests
https://source.chromium.org/chromium/chromium/src/+/master:content/browser/devtools/devtools_url_loader_interceptor.cc;l=1080;drc=63bc8056437ba6b1698c01e8f55e8fd187926640

There's an explicit check for head->headers->IsRedirect which explains why they make a difference.

Looking at how the url_fetcher gets the headers see why the status is different.

@sirdarckcat
Copy link
Member

sirdarckcat commented Jan 15, 2021
edited

my current theory is that the headers come from the response_info_ object, while the response code comes from the request_job https://source.chromium.org/chromium/chromium/src/+/master:net/url_request/url_fetcher_core.cc;l=423;drc=63bc8056437ba6b1698c01e8f55e8fd187926640

@sirdarckcat
Copy link
Member

this test seems to explain how the interception between devtools and the url req factory is done
https://source.chromium.org/chromium/chromium/src/+/master:services/network/url_loader_unittest.cc;l=4781;drc=69d394f9899f1f39911df8e50a9e3d86d25dc1a4

@sirdarckcat
Copy link
Member

so, networkserviceclient is the one that brokers the connection between the url_loader and devtools, it seems.
https://source.chromium.org/chromium/chromium/src/+/master:content/browser/network_service_client.cc;l=229;drc=d6edf4bb211798b0aa0b656dfb06614cfea043e3

@sirdarckcat
Copy link
Member

sirdarckcat commented Jan 15, 2021
edited

and here seems to be where things are overriden.
https://source.chromium.org/chromium/chromium/src/+/master:services/network/url_loader.cc;l=1622;drc=63bc8056437ba6b1698c01e8f55e8fd187926640

or actually here to be more accurate:
https://source.chromium.org/chromium/chromium/src/+/master:services/network/url_loader.cc;l=2010;drc=63bc8056437ba6b1698c01e8f55e8fd187926640

@sirdarckcat
Copy link
Member

mojo's documentation
https://source.chromium.org/chromium/chromium/src/+/master:services/network/public/mojom/network_context.mojom;l=185;drc=63bc8056437ba6b1698c01e8f55e8fd187926640

@sirdarckcat
Copy link
Member

looking at the behavior of webRequestBlocking - it appears that it gets modified at a different layer, here:
https://source.chromium.org/chromium/chromium/src/+/master:extensions/browser/api/web_request/web_request_proxying_url_loader_factory.cc;l=973;drc=63bc8056437ba6b1698c01e8f55e8fd187926640;bpv=1;bpt=1

@sirdarckcat
Copy link
Member

So, the two mojo services are:

The difference is explained here:

// Callback interface for NetworkContext when routing identifiers aren't
// available. Otherwise generally callbacks from the network service go on
// NetworkServiceClient.

@sirdarckcat
Copy link
Member

The request_info_ is reset here:
https://source.chromium.org/chromium/chromium/src/+/master:net/url_request/url_request.cc;l=886;drc=63bc8056437ba6b1698c01e8f55e8fd187926640;bpv=1;bpt=1

and the job is set here:
https://source.chromium.org/chromium/chromium/src/+/master:net/url_request/url_request.cc;l=611;drc=63bc8056437ba6b1698c01e8f55e8fd187926640;bpv=1;bpt=1

I'm not sure why this is done this way.

@sirdarckcat
Copy link
Member

will file a bug with chrome, with a small reproducer, and see if they can investigate

@michahell
Copy link

Dang... this is the one thing that I needed to work to fake/mock backend errors and it doesnt work 馃槩
but really nice tool nonetheless

@joaobibiano
Copy link

Hi guys,

There's something that I can help you with?

This feature seems to be amazing testing.

@sirdarckcat
Copy link
Member

it's complicated, it'll probably be easier to remove this feature from Tamper.dev (or restrict it to just the status code that have side effects - so, redirects)

@sirdarckcat
Copy link
Member

https://bugs.chromium.org/p/chromium/issues/detail?id=1275920

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
p:1 type:bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sirdarckcat @michahell @fossecode @joaobibiano