Is it bug of allowAllRequests?

107 views
Skip to first unread message

Maxim Topciu

unread,
May 28, 2024, 1:14:21 PMMay 28
to Chromium Extensions
I'm experimenting with allowlisting rules. Maybe I missed something in the documentation (https://developer.chrome.com/docs/extensions/reference/api/declarativeNetRequest#type-RuleActionType), but can someone explain why the allowAllRequests rule doesn't unblock stylesheet requests sent within the main frame? Is it a bug or what?

Here is an extension with a minimal reproducible example: https://github.com/maximtop/test-allow-all-requests

To test it:
1. Install the extension.
2. Visit https://www.iana.org/

Interestingly, allowAllRequests can unblock requests if I use urlFilter instead of initiatorDomains.

woxxom

unread,
May 28, 2024, 2:09:55 PMMay 28
to Chromium Extensions, Maxim Topciu
AFAICT, in #1 initiatorDomains applies to child requests made by the initiator, it doesn't include the request that creates the initiator itself. You can use requestDomains to list multiple domains if necessary. In #2 urlFilter matches the frame of iana.org and so the rule applies.

Maxim Topciu

unread,
May 29, 2024, 5:06:47 AMMay 29
to Chromium Extensions, woxxom, Maxim Topciu
> AFAICT, in #1 initiatorDomains applies to child requests made by the initiator, it doesn't include the request that creates the initiator itself.

You mean that the request to CSS styles is a request used to create the initiator, which is why it is not allowlisted? If that's the case, it is not clear why requests to stylesheets are blocked if I use `initiatorDomains` in the block rules, like this one (here is an example from the documentation: https://developer.chrome.com/docs/extensions/reference/api/declarativeNetRequest#build-rules):

```javascript
const blockRule = {
    id: 103,
    priority: 2,
    action: { type: "block" },
    condition: {
        initiatorDomains: ["iana.org"],
        resourceTypes: ["stylesheet"]
    }
};
```

Additionally, the developer tools indicate that `iana.org` is the initiator domain, which is confusing if it does not mean what it should:
Image_2024-05-29_11-29-15.png


> You can use requestDomains to list multiple domains if necessary.

This won't help if I want to allowlist all requests sent from one website only, since the extension wouldn't know all possible requests that could be made by the website.

It can be solved with `allow` like this:

```javascript
const allowRule = {
    id: 102,
    priority: 2,
    action: { type: "allow" },
    condition: {
        initiatorDomains: ["meduza.io"],
        isUrlFilterCaseSensitive: false,
        resourceTypes: ["main_frame", "sub_frame", "stylesheet", "script", "image", "font", "xmlhttprequest", "media", "other"]
    }
};

const blockRule = {
    id: 103,
    priority: 2,
    action: { type: "block" },
    condition: {
        urlFilter: "polyfill.io",
        isUrlFilterCaseSensitive: false,
    }
};
```

In this case, requests to `polyfill.io` sent from `meduza.io` won't be blocked by the blocking rule. However, it is still unclear what the use case for allowAllRequests is.

Furthermore, the `allow` rule doesn't unblock the `main_frame` if it was blocked by `urlFilter`. To allowlist one website, we would need to add two declarative rules: one with `initiatorDomains` and another with `urlFilter` to unblock the `main_frame` only. This is strange, as I thought `allowAllRequests` was intended for this purpose.

woxxom

unread,
May 29, 2024, 5:49:17 AMMay 29
to Chromium Extensions, Maxim Topciu, woxxom
I'm not good at explaining, apparently, so bear with me.

>  You mean that the request to CSS styles is a request used to create the initiator, which is why it is not allowlisted? 

No. The initiator of a request is the already existing document that makes the request. Apparently you expect initiatorDomains to match the request that creates the document itself. However this is not always true and depends on how the page was opened/navigated, AFAIK. In other words, the first request (the initial request) for the URL of the page with HTML in response is what creates the document and it's not necessarily initiator.

It means that your allowAllRequestsRule in the repo looks at child requests for main_frame or sub_frame made in an already existing document iana.org, it doesn't look at the first request that created iana.org itself.

>  If that's the case, it is not clear why requests to stylesheets are blocked if I use `initiatorDomains` in the block rules, like this one

This rule looks at stylesheet requests sent from an existing iana.org document and blocks them.

> Additionally, the developer tools indicate that `iana.org` is the initiator domain

Yes, for resources within the document the initiator is the document itself.

> This won't help if I want to allowlist all requests sent from one website only

It helps because when you use allowAllRequests it matches the document's request, not the child requests, so requestDomains allows all requests on the listed domains.

        condition: {
            requestDomains: ["iana.org"],
            resourceTypes: ["main_frame", "sub_frame"]
        }

Maxim Topciu

unread,
May 29, 2024, 8:02:01 AMMay 29
to Chromium Extensions, woxxom, Maxim Topciu
> It helps because when you use allowAllRequests it matches the document's request, not the child requests, so requestDomains allows all requests on the listed domains.

```javascript

condition: {
    requestDomains: ["iana.org"],
    resourceTypes: ["main_frame", "sub_frame"]
}
```

Indeed, although it’s quite unintuitive, it works. It even handles cases where I want to apply blocking rules only to one website and allowlist another. Thank you very much for your help and explanations.

woxxom

unread,
May 29, 2024, 8:51:14 AMMay 29
to Chromium Extensions, Maxim Topciu, woxxom
The documentation should probably mention this:
  1. allowAllRequests's target is the owner document (page or frame for which we allow all requests) and not the resource inside that target document
  2. allowAllRequests + initiatorDomains would make sense primarily to target iframes embedded inside a document listed in initiatorDomains and that these iframes can be filtered via requestDomains or urlFilter, regexFilter, headers (soon)
  3. initiator is always the owning document for a resource inside this document
  4. initiator may be something different for the request that creates the document itself + examples
Reply all
Reply to author
Forward
0 new messages