CORS check in inspectortools (#10287)

* CORS check in inspectortools

* Do not build the websocket inspector thing on wasm?

* Move wasm inspector files

* Fix header

* Remove nice c++20 features we can't use

* oops

* format

src/CMakeLists.txt

@@ -40,8 +40,11 @@ elseif(${CMAKE_SYSTEM_NAME} STREQUAL "Emscripten")
     set(MZ_PLATFORM_NAME "wasm")
 endif()
 
+
+
 include(cmake/shared-sources.cmake)
 include(cmake/sources.cmake)
+add_subdirectory(inspector)
 
 target_link_libraries(mozillavpn PRIVATE
     shared-sources

src/cmake/shared-sources.cmake

@@ -108,18 +108,6 @@ target_sources(shared-sources INTERFACE
     ${CMAKE_SOURCE_DIR}/src/hawkauth.h
     ${CMAKE_SOURCE_DIR}/src/hkdf.cpp
     ${CMAKE_SOURCE_DIR}/src/hkdf.h
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorhandler.cpp
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorhandler.h
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorhotreloader.cpp
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorhotreloader.h
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectoritempicker.cpp
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectoritempicker.h
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorutils.cpp
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorutils.h
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorwebsocketconnection.cpp
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorwebsocketconnection.h
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorwebsocketserver.cpp
-    ${CMAKE_SOURCE_DIR}/src/inspector/inspectorwebsocketserver.h
     ${CMAKE_SOURCE_DIR}/src/ipaddress.cpp
     ${CMAKE_SOURCE_DIR}/src/ipaddress.h
     ${CMAKE_SOURCE_DIR}/src/itempicker.cpp

src/cmake/wasm.cmake

@@ -15,8 +15,6 @@ target_sources(mozillavpn PRIVATE
      ${CMAKE_CURRENT_SOURCE_DIR}/platforms/wasm/wasmwindowcontroller.h
      ${CMAKE_CURRENT_SOURCE_DIR}/platforms/wasm/wasmiaphandler.cpp
      ${CMAKE_CURRENT_SOURCE_DIR}/platforms/wasm/wasmiaphandler.h
-     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/wasm/wasminspector.cpp
-     ${CMAKE_CURRENT_SOURCE_DIR}/platforms/wasm/wasminspector.h
      ${CMAKE_CURRENT_SOURCE_DIR}/systemtraynotificationhandler.cpp
      ${CMAKE_CURRENT_SOURCE_DIR}/systemtraynotificationhandler.h
      ${CMAKE_CURRENT_SOURCE_DIR}/tasks/purchase/taskpurchase.cpp

src/inspector/CMakeLists.txt

@@ -0,0 +1,29 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+target_sources(shared-sources INTERFACE
+        inspectorhandler.cpp
+        inspectorhandler.h
+        inspectorhotreloader.h
+        inspectorhotreloader.cpp
+        inspectoritempicker.h
+        inspectoritempicker.cpp
+        inspectorutils.h
+        inspectorutils.cpp   
+)
+
+if(${MZ_PLATFORM_NAME} STREQUAL "wasm")
+    target_sources(shared-sources INTERFACE
+        wasminspector.cpp
+        wasminspector.h
+    )
+    else()
+    target_sources(shared-sources INTERFACE
+        inspectorwebsocketconnection.cpp
+        inspectorwebsocketconnection.h
+        inspectorwebsocketserver.h
+        inspectorwebsocketserver.cpp    
+    )
+endif()

src/inspector/inspectorhandler.cpp

@@ -48,7 +48,7 @@
 #include "utils.h"
 
 #ifdef MZ_WASM
-#  include "platforms/wasm/wasminspector.h"
+#  include "wasminspector.h"
 #else
 #  include <QCoreApplication>
 

src/inspector/inspectorwebsocketserver.cpp

@@ -5,15 +5,23 @@
 #include "inspectorwebsocketserver.h"
 
 #include <QHostAddress>
+#include <QStringView>
 #include <QWebSocket>
+#include <QWebSocketCorsAuthenticator>
+#include <algorithm>
+#include <array>
 
 #include "inspectorwebsocketconnection.h"
 #include "leakdetector.h"
 #include "logger.h"
 
 namespace {
 Logger logger("InspectorWebSocketServer");
-}
+
+static constexpr std::array<QStringView, 1> ALLOWED_ORIGINS = {
+    u"https://mozilla-mobile.github.io"};
+
+}  // namespace
 
 constexpr int INSPECT_PORT = 8765;
 
@@ -27,6 +35,18 @@ InspectorWebSocketServer::InspectorWebSocketServer(QObject* parent)
     logger.error() << "Failed to listen on port" << INSPECT_PORT;
     return;
   }
+  connect(this, &QWebSocketServer::originAuthenticationRequired,
+          [](QWebSocketCorsAuthenticator* authMgr) {
+            auto const origin = authMgr->origin();
+            for (uint i = 0; i < ALLOWED_ORIGINS.size(); i++) {
+              if (ALLOWED_ORIGINS.at(i) == origin) {
+                authMgr->setAllowed(true);
+                return;
+              }
+            }
+            logger.error() << "Rejecting Websocket Connection from: " << origin;
+            authMgr->setAllowed(false);
+          });
 
   connect(this, &InspectorWebSocketServer::newConnection, this,
           &InspectorWebSocketServer::newConnectionReceived);

tests/functional/helperWS.js

@@ -9,7 +9,7 @@ let client;
 module.exports = {
   async connect(options, onopen, onclose, onmessage) {
     return await new Promise(resolve => {
-      client = new websocket(`ws://${options.hostname}:8765/`, '');
+      client = new websocket(`ws://${options.hostname}:8765/`, '', 'https://mozilla-mobile.github.io');
 
       client.onopen = async () => {
         await onopen();

tools/qml_hot_reload/hot.js

@@ -40,7 +40,9 @@
   if (options.adb === true) {
     await forwardADBPorts();
   }
-  const websocket = new WebSocket(ws_url);
+  const websocket = new WebSocket(ws_url, {
+    origin: "https://mozilla-mobile.github.io"
+  });
   console.log(`Connecting to Client at ${ws_url}`);
 
   websocket.on("open", function () {