@mywallpaper/addon-sdk 2.6.1 → 2.8.0
- package/README.md +1 -1
- package/dist/index.d.mts +147 -2
- package/dist/index.d.ts +147 -2
- package/dist/index.js.map +1 -1
- package/dist/index.mjs.map +1 -1
- package/dist/manifest.d.mts +147 -2
- package/dist/manifest.d.ts +147 -2
- package/dist/manifest.js.map +1 -1
- package/dist/manifest.mjs.map +1 -1
- package/package.json +2 -1
- package/src/runtime/addon-client.js +627 -0
- package/src/runtime/network-sandbox.js +153 -0
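--- a/package/src/runtime/network-sandbox.js
+++ b/package/src/runtime/network-sandbox.js
@@ -0,0 +1,153 @@
+/**
+* Network Sandbox Script - SECURITY LAYER
+*
+* This script MUST be injected FIRST (before addon-client.js)
+* It saves original fetch/XHR for the SDK, then blocks them for addon code.
+*
+* Flow:
+* 1. Save original fetch/XMLHttpRequest to __MYWALLPAPER_ORIGINAL_*
+* 2. After addon-client.js loads, it will use these for the proxy
+* 3. Replace window.fetch and XMLHttpRequest with blocked versions
+* 4. Addon code must use MyWallpaper.network.fetch() instead
+*/
+;(function() {
+'use strict';
+
+// ============================================================================
+// STEP 1: Save original network APIs for SDK internal use
+// ============================================================================
+
+// These will be used by the SDK's network proxy
+window.__MYWALLPAPER_ORIGINAL_FETCH__ = window.fetch;
+window.__MYWALLPAPER_ORIGINAL_XHR__ = window.XMLHttpRequest;
+
+// ============================================================================
+// STEP 2: Create blocked versions with helpful error messages
+// ============================================================================
+
+const BLOCKED_MESSAGE =
+'[MyWallpaper Security] Direct network access is blocked for security.\n' +
+'Use window.MyWallpaper.network.fetch(url, options) instead.\n\n' +
+'Example:\n' +
+' const response = await MyWallpaper.network.fetch("https://api.example.com/data");\n' +
+' if (response.ok) console.log(response.data);\n\n' +
+'Make sure your domain is declared in manifest.json:\n' +
+' "permissions": { "network": { "domains": ["api.example.com"] } }';
+
+// Blocked fetch function
+function blockedFetch() {
+console.error(BLOCKED_MESSAGE);
+return Promise.reject(new Error(BLOCKED_MESSAGE));
+}
+
+// Blocked XMLHttpRequest class
+class BlockedXMLHttpRequest {
+constructor() {
+console.error(BLOCKED_MESSAGE);
+throw new Error(BLOCKED_MESSAGE);
+}
+}
+
+// Make BlockedXMLHttpRequest look like the real XMLHttpRequest
+Object.defineProperties(BlockedXMLHttpRequest, {
+UNSENT: { value: 0 },
+OPENED: { value: 1 },
+HEADERS_RECEIVED: { value: 2 },
+LOADING: { value: 3 },
+DONE: { value: 4 },
+});
+
+// ============================================================================
+// STEP 3: Replace global APIs with blocked versions
+// ============================================================================
+
+// Override fetch - make it non-configurable to prevent bypass attempts
+Object.defineProperty(window, 'fetch', {
+value: blockedFetch,
+writable: false,
+configurable: false,
+enumerable: true
+});
+
+// Override XMLHttpRequest - make it non-configurable
+Object.defineProperty(window, 'XMLHttpRequest', {
+value: BlockedXMLHttpRequest,
+writable: false,
+configurable: false,
+enumerable: true
+});
+
+// ============================================================================
+// STEP 4: Also block in common bypass locations
+// ============================================================================
+
+// Block on globalThis (modern JS)
+if (typeof globalThis !== 'undefined' && globalThis !== window) {
+try {
+Object.defineProperty(globalThis, 'fetch', {
+value: blockedFetch,
+writable: false,
+configurable: false
+});
+Object.defineProperty(globalThis, 'XMLHttpRequest', {
+value: BlockedXMLHttpRequest,
+writable: false,
+configurable: false
+});
+} catch (e) {
+// Ignore if already defined
+}
+}
+
+// Prevent restoration via prototype manipulation
+try {
+Object.freeze(Object.getPrototypeOf(blockedFetch));
+} catch (e) {
+// Ignore
+}
+
+// ============================================================================
+// STEP 5: Block EventSource and WebSocket (optional - for future)
+// ============================================================================
+
+// EventSource (Server-Sent Events)
+const BlockedEventSource = function() {
+console.error('[MyWallpaper Security] EventSource is blocked. Use MyWallpaper.network.fetch() for data.');
+throw new Error('EventSource is blocked for security. Use MyWallpaper.network.fetch()');
+};
+
+Object.defineProperty(window, 'EventSource', {
+value: BlockedEventSource,
+writable: false,
+configurable: false,
+enumerable: true
+});
+
+// WebSocket - block with helpful message
+const OriginalWebSocket = window.WebSocket;
+const BlockedWebSocket = function() {
+console.error('[MyWallpaper Security] WebSocket is blocked. Real-time features are not supported in addons.');
+throw new Error('WebSocket is blocked for security in addons');
+};
+
+// Copy static properties
+if (OriginalWebSocket) {
+BlockedWebSocket.CONNECTING = 0;
+BlockedWebSocket.OPEN = 1;
+BlockedWebSocket.CLOSING = 2;
+BlockedWebSocket.CLOSED = 3;
+}
+
+Object.defineProperty(window, 'WebSocket', {
+value: BlockedWebSocket,
+writable: false,
+configurable: false,
+enumerable: true
+});
+
+// ============================================================================
+// STEP 6: Log security initialization
+// ============================================================================
+
+console.warn('[MyWallpaper Security] Network sandbox active. Use MyWallpaper.network.fetch() for network requests.');
+})();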
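Review bot: The saved originals at new-file lines 21–22 are assigned as ordinary writable properties of `window`, so they remain reachable from the same realm as addon code, and the overrides that follow only hold as a boundary if addon-client.js (not shown in this section) removes both globals once it has captured them. If it does not, its capture step should end with `delete window.__MYWALLPAPER_ORIGINAL_FETCH__; delete window.__MYWALLPAPER_ORIGINAL_XHR__;`, and the header comment here should state that requirement next to the "injected FIRST" rule. The two empty `catch (e)` blocks at lines 97–99 and 105–107 let the hardening fail open without any trace; each should at least call `console.error('[MyWallpaper Security] sandbox hardening failed', e);`. Line 104 freezes `Function.prototype` for the whole page, which is a realm-wide side effect that does not match its comment and deserves either an accurate comment or removal. Since replacing globals is best treated as a developer-facing guard rather than the enforcement point, the manifest's domain allow-list should presumably also be enforced by the host, for example with a `connect-src` Content-Security-Policy on the addon frame.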