Intercept / modify network traffic #30

Open
muodov opened this issue Aug 2, 2022 · 2 comments

muodov commented Aug 2, 2022

Intercept / modify network traffic

Submitter(s)

Maxim Tsoy, DuckDuckGo

Motivation

Some possible applications were described in this comment by @Token-LiMing. I'm listing them here without details:

  • Parental control
  • Access control
  • Security firewall
  • Web caching
  • Transcoding data
  • Privacy filter

From the DDG perspective, the Privacy angle is the most important. In our apps, we use this data to strip potentially sensitive data from HTTP traffic:

  • we need to block tracking requests
  • we need to inject headers, such as Sec-GPC for Global Privacy Control
  • sometimes we need to remove or rewrite headers, e.g. User-Agent, Referer and Client Hints
  • some more complex protections may require modifying/replacing the HTTP responses

A separate issue is the ability to control DNS resolution. We would like to implement DNS-over-HTTPS, which is difficult in the current implementations.

Stakeholders

WebView vendors, app developers

Analysis

By now, we've looked at Android WebView, Apple's WKWebView, and MSFT's WebView2. There are currently various limitations that block . For example:

  • Apple WKWebView and Android WebView:
    • do not allow injecting headers in existing requests (instead you need to cancel the request and create a new one with the header). This causes a few usability problems.
    • subrequests (resources) cannot be modified
  • In WKWebView it's not currently possible to monitor response headers for all requests. This in particular prevents us from proper handling of a business's response to GPC opt-out signals
  • MSFT WebView2 provides a handy WebResourceRequested that allows injecting headers

Related W3C deliverables and/or work items

How is the issue solved in the Browser, and what more is needed?

Web extensions have the ability to modify/block the requests: webRequest API, declarativeNetRequest API
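
The per-request handling listed under Motivation (block trackers, inject Sec-GPC, rewrite User-Agent, Referer and Client Hints), sketched as an added example that is not part of the original issue or any vendor's code. The names `TRACKER_HOSTS`, `GENERIC_UA`, `isTracker`, `originOnly` and `filterRequest` and the request object shape are assumptions; a real interception hook would call something like this for each request.

```javascript
// Hypothetical rule data, constructed for this example.
const TRACKER_HOSTS = new Set(["tracker.example"]);
const GENERIC_UA = "Mozilla/5.0 (generic)"; // placeholder replacement value

// True if host is a blocklisted domain or a subdomain of one.
function isTracker(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (TRACKER_HOSTS.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Reduce a URL to its origin; null if the value does not parse.
function originOnly(value) {
  try { return new URL(value).origin + "/"; } catch { return null; }
}

// request: { url, documentUrl, headers: { name: value } } (assumed shape)
// Returns { action: "block" } or { action: "allow", headers }.
function filterRequest(request) {
  const target = new URL(request.url);
  if (isTracker(target.hostname)) return { action: "block" };

  const crossOrigin = new URL(request.documentUrl).origin !== target.origin;
  const out = {};
  for (const [name, value] of Object.entries(request.headers)) {
    const key = name.toLowerCase(); // header names are case-insensitive
    if (key.startsWith("sec-ch-")) continue; // drop Client Hints
    if (key === "user-agent") { out[key] = GENERIC_UA; continue; }
    if (key === "referer" && crossOrigin) {
      const trimmed = originOnly(value); // strip path and query
      if (trimmed) out[key] = trimmed;   // an unparseable Referer is dropped
      continue;
    }
    out[key] = value;
  }
  out["sec-gpc"] = "1"; // Global Privacy Control signal
  return { action: "allow", headers: out };
}
```

The function applies to subresource requests as well as navigations only if the platform's hook is invoked for them, which is the limitation the Analysis section describes.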

QingAn commented Aug 23, 2022

As discussed in the 2022-08-23 meeting, please help to add a summary for Android and iOS @NiklasMerz, and complete for WebView2 @aluhrs13

@NiklasMerz

I'm not sure if there are other ways of intercepting WebView requests, but on Android I used an API called WebViewAssetLoader and on iOS there is WKURLSchemeHandler.

WKURLSchemeHandler is quite powerful as you can declare a custom scheme like myapp://proxy. Every request that gets sent to this scheme can be handled in native code and therefore you can make a new HTTP request and set headers etc. as you want. You can even sync cookies between the native request and the WebView.

WebViewAssetLoader is intended for loading local assets as the name suggests. You can use it to make native requests as well but you only have limited access to the request from the WebView. I only managed to make GET requests in some experiments.

Those two APIs offer some capabilities that you can use to intercept requests to certain origins. But they are not really intended for that and it's more of a workaround.

Maybe someone knows other existing APIs?
