WebRequest API not properly detecting all requests.


Nate Tinkler

Mar 31, 2015, 2:36:51 PM
to chromium-...@chromium.org
I have been using the WebRequest API and I have discovered what appears to be inconsistent behavior.

I am unable to trigger the API while using certain Google pages.  In this instance, I'm unable to catch certain PUT requests that are made on Google Drive.  However, the request properly shows up in the network developer tools of the page (please see the end of this post for the actual request details).

This request does not trigger the correct callbacks in the webrequest API.  I have checked the following callbacks, and none of them are called:
onBeforeRequest
onBeforeSendHeaders
onBeforeRedirect
onCompleted
onErrorOccurred

I'm aware of some of the standard caveats relating to the webrequest api.  At first I assumed that the pre-installed Google Docs extension might be manipulating the page in a way that prevented my extension from being able to see the request.  I disabled the extension and I'm still unable to see this request.

I also considered that maybe Flash or another plugin was handling this request (although I'm not sure if it would show up in the devtools if that were the case) but after disabling all installed plugins (Flash, Silverlight, Java, Google Talk, etc.) with the exception of the NaCl plugin, which my extension relies on, I'm still unable to see this request in the webrequest API.

Finally, I explicitly set the contentSettings for Google Drive to disallow any plugins from running on that page, and I still do not see the PUT request in the webrequest API.

I then created a sample page that used PUT requests to test if the webrequest API was catching them anywhere (they're fairly rare despite being the proper REST way to update resources with a known location) and I am able to catch PUT requests on my test page.

So given the above, is there anything I am missing that might be the cause of the webrequest API missing this request?  Any help is greatly appreciated, and if I'm missing something simple, please feel free to call me an idiot and point me in the direction of the documentation!


Request Overview:

This request can be generated in the following manner.
1. Log in to Google Drive.
2. Select an image file present in Google Drive (upload one if required)
3. Click the "Preview" button on the top right of the nav bar (image of an eye)
4. While in preview mode, select the Details button on the top right of the nav bar (image of a lowercase i with a circle around it)
5. Click the "Edit Description" button on the right side of the page (pencil shape)
6. Enter a new description and press enter


Sample output on the network tab of the developer tools for the given page (I have removed a few request headers with Auth details).
-------------------------------------------------------------------------------------------
General
    Remote Address:
    Request URL:
    Request Method: PUT
    Status Code: 200 OK

Response Headers
    access-control-allow-credentials: true
    access-control-allow-origin:
    access-control-expose-headers: Cache-Control,Content-Encoding,Content-Length,Content-Type,Date,Expires,Pragma,Server,Vary
    alternate-protocol: 443:quic,p=0.5
    cache-control: no-cache, no-store, max-age=0, must-revalidate
    content-encoding: gzip
    content-length: 99
    content-type: application/json; charset=UTF-8
    date: Tue, 31 Mar 2015 18:17:21 GMT
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    pragma: no-cache
    server: GSE
    status: 200
    vary: X-Origin
    vary: Origin
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block

Request Headers
    :authority:
    :method: PUT
    :path: /drive/v2internal/files/0B9fS7R4TE5gmREh4YXZWOTk0YzA?fields=id%2Ckind,description&key=AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4&alt=json
    :scheme: https
    accept: */*
    accept-encoding: gzip, deflate, sdch
    accept-language: en-US,en;q=0.8
    cache-control: no-cache
    content-length: 22
    content-type: application/json
    origin:
    pragma: no-cache
    referer:
    user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36
    x-client-data: CJO2yQEIpLbJAQiptskBCMG2yQEI7YjKAQ==
    x-clientdetails: appVersion=5.0%20(Macintosh%3B%20Intel%20Mac%20OS%20X%2010_9_5)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F41.0.2272.104%20Safari%2F537.36&platform=MacIntel&userAgent=Mozilla%2F5.0%20(Macintosh%3B%20Intel%20Mac%20OS%20X%2010_9_5)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F41.0.2272.104%20Safari%2F537.36
    x-goog-authuser: 0
    x-javascript-user-agent: google-api-javascript-client/0.1

Query String Parameters
    fields: id,kind,description
    key: AIzaSyAy9VVXHSpS2IJpptzYtGbLP3-3_l0aBk4
    alt: json

Request Payload
    {description: "test"}

Rob Wu

Apr 1, 2015, 3:51:15 AM
to Nate Tinkler, Chromium-extensions
Some URLs are not visible to the webRequest API. See the replies to an existing thread: https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/lJfiGYpnIq4/UrtzPLike78.

Kind regards,
 Rob
 https://robwu.nl

--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/0d3487f5-5e7e-4078-83c0-61b8b9ead47d%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.
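
The check described in the first post, generalized into a reusable tracer (an added example, not code from this thread or from Chromium): it listens on the five events listed above and diffs what webRequest reported against entries copied from the DevTools Network tab. `installTracer`, `findInvisible`, `fakeWebRequest` and the `*.example` hosts are constructed for illustration; the fake stands in for `chrome.webRequest` so the sketch runs offline.

```javascript
const EVENTS = ['onBeforeRequest', 'onBeforeSendHeaders', 'onBeforeRedirect',
                'onCompleted', 'onErrorOccurred'];

// Attach one listener per event and record which events fired per requestId.
function installTracer(webRequest, method = 'PUT') {
  const seen = new Map(); // requestId -> { url, events: [...] }
  for (const name of EVENTS) {
    webRequest[name].addListener((details) => {
      if (details.method !== method) return;
      const rec = seen.get(details.requestId) || { url: details.url, events: [] };
      rec.events.push(name);
      seen.set(details.requestId, rec);
    }, { urls: ['<all_urls>'] });
  }
  return seen;
}

// devtoolsEntries: [{ method, url }] copied from the Network tab or a HAR export.
function findInvisible(seen, devtoolsEntries, method = 'PUT') {
  const traced = new Set([...seen.values()].map((r) => r.url));
  return devtoolsEntries.filter((e) => e.method === method && !traced.has(e.url))
    .map((e) => e.url);
}

// Constructed fake: drops every event for hiddenHost, imitating a URL the browser hides.
function fakeWebRequest(hiddenHost) {
  const api = { listeners: {} };
  for (const name of EVENTS) {
    api.listeners[name] = [];
    api[name] = { addListener: (cb) => api.listeners[name].push(cb) };
  }
  api.emit = (name, details) => {
    if (new URL(details.url).hostname === hiddenHost) return;
    api.listeners[name].forEach((cb) => cb(details));
  };
  return api;
}

function demo() {
  const api = fakeWebRequest('hidden.example');
  const seen = installTracer(api);
  const traffic = [ // constructed sample requests
    { requestId: '1', method: 'PUT', url: 'https://test.example/item/1' },
    { requestId: '2', method: 'PUT', url: 'https://hidden.example/files/abc' },
    { requestId: '3', method: 'GET', url: 'https://test.example/' },
  ];
  const fired = ['onBeforeRequest', 'onBeforeSendHeaders', 'onCompleted'];
  traffic.forEach((r) => fired.forEach((ev) => api.emit(ev, r)));
  return { seen, invisible: findInvisible(seen, traffic) };
}
```

In an extension's background page the same tracer is installed with `installTracer(chrome.webRequest)`, which requires the `webRequest` permission plus host permissions for the URLs being watched.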

Nate Tinkler

Apr 1, 2015, 11:23:48 AM
to chromium-...@chromium.org, tink...@gmail.com
Hey Rob,

Thanks for posting a reply.  That certainly helps me understand the behavior.

Out of curiosity, I'm assuming that a request that updates a description on a comment in Google Drive is NOT considered sensitive as written in the comments of the code?

// Returns true if the URL is sensitive and requests to this URL must not be
// modified/canceled by extensions, e.g. because it is targeted to the webstore
// to check for updates, extension blacklisting, etc.

This request does none of those things...  Is this simply a case where this request getting caught is an unfortunate bug, and not an intentional blacklisting of only Google products that are unrelated to security?