arn-browser 0.1.28 → 0.1.30

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "arn-browser",
-	"version": "0.1.28",
+	"version": "0.1.30",
 	"description": "A lightweight, browser autmation helper.",
 	"main": "src/index.js",
 	"types": "src/index.d.ts",

package/src/utility/playwright/routes/pwRoute.js

@@ -72,44 +72,77 @@ function createProxyAgent(proxyUrl) {
 }
 
 /**
- * Strips sensitive headers from outgoing request headers.
- * Removes cookie and authorization to prevent session/IP correlation.
+ * Sanitizes outgoing request headers using an allowlist approach.
+ * Only keeps essential headers needed for the server to respond correctly.
+ * Everything else (cookies, auth, fingerprint hints, HTTP/2 pseudo-headers, etc.) is stripped.
  */
 function sanitizeRequestHeaders(headers, logger, url) {
-	const cleaned = { ...headers };
+	// Allowlist of essential request headers to keep
+	const allowedHeaders = new Set([
+		"accept",
+		"accept-encoding",
+		"accept-language",
+		"referer",
+		"user-agent",
+		"sec-ch-ua",
+		"sec-ch-ua-mobile",
+		"sec-ch-ua-platform",
+		"sec-ch-ua-platform-version",
+		"sec-fetch-dest",
+		"sec-fetch-mode",
+		"sec-fetch-site",
+	]);
+
+	const cleaned = {};
 	const stripped = [];
-	// Remove known auth headers
-	if (cleaned["cookie"]) { stripped.push("cookie"); delete cleaned["cookie"]; }
-	if (cleaned["authorization"]) { stripped.push("authorization"); delete cleaned["authorization"]; }
-	// Remove any header containing auth/token/csrf keywords
-	for (const key of Object.keys(cleaned)) {
+
+	for (const [key, value] of Object.entries(headers)) {
 		const lower = key.toLowerCase();
-		if (lower.includes("token") || lower.includes("csrf") || lower.includes("auth")) {
+		if (allowedHeaders.has(lower)) {
+			cleaned[lower] = value;
+		} else {
 			stripped.push(key);
-			delete cleaned[key];
 		}
 	}
-	if (logger && stripped.length) console.log(`[stripGot] Request stripped: [${stripped.join(", ")}] → ${url}`);
+
+	if (logger && stripped.length) console.log(`[stripGot] Request stripped ${stripped.length} headers: [${stripped.join(", ")}] → ${url}`);
 	return cleaned;
 }
 
 /**
- * Sanitizes response headers for safe caching across origins.
- * - Replaces access-control-allow-origin with * (if present)
- * - Removes access-control-allow-credentials, set-cookie, CSP, HSTS
+ * Sanitizes response headers using an allowlist approach.
+ * Only keeps essential headers needed for correct content delivery.
+ * Everything else (tracking, fingerprint, security policy, cookies, etc.) is stripped.
  */
 function sanitizeResponseHeaders(headers, logger, url) {
-	const cleaned = { ...headers };
-	const changes = [];
-	if (cleaned["access-control-allow-origin"]) {
-		changes.push(`access-control-allow-origin: ${cleaned["access-control-allow-origin"]} → *`);
-		cleaned["access-control-allow-origin"] = "*";
+	// Allowlist of essential response headers to keep
+	const allowedHeaders = new Set([
+		"content-type",
+		"content-length",
+		"content-encoding",
+		"cache-control",
+		"etag",
+		"last-modified",
+		"location",
+		"access-control-allow-origin",
+		"accept-ranges",
+		"vary",
+	]);
+
+	const cleaned = {};
+	const stripped = [];
+
+	for (const [key, value] of Object.entries(headers)) {
+		const lower = key.toLowerCase();
+		if (allowedHeaders.has(lower)) {
+			// Force access-control-allow-origin to wildcard for cross-origin safety
+			cleaned[lower] = lower === "access-control-allow-origin" ? "*" : value;
+		} else {
+			stripped.push(key);
+		}
 	}
-	if (cleaned["access-control-allow-credentials"]) { changes.push("access-control-allow-credentials"); delete cleaned["access-control-allow-credentials"]; }
-	if (cleaned["set-cookie"]) { changes.push("set-cookie"); delete cleaned["set-cookie"]; }
-	if (cleaned["content-security-policy"]) { changes.push("content-security-policy"); delete cleaned["content-security-policy"]; }
-	if (cleaned["strict-transport-security"]) { changes.push("strict-transport-security"); delete cleaned["strict-transport-security"]; }
-	if (logger && changes.length) console.log(`[stripGot] Response stripped: [${changes.join(", ")}] → ${url}`);
+
+	if (logger && stripped.length) console.log(`[stripGot] Response stripped ${stripped.length} headers: [${stripped.join(", ")}] → ${url}`);
 	return cleaned;
 }
 

package/src/utility/proxy-utility/proxy-helper.js

@@ -54,8 +54,9 @@ export async function get_multilogin_proxy({
 		// 1. Get Token
 		const token = await getMultiloginToken();
 
-		// 2. Prepare Data
-		const data = { country, sessionType, protocol, region, city, IPTTL, count: 1 };
+		// 2. Prepare Data (sanitize region: spaces → underscores)
+		const sanitizedRegion = region ? region.toLowerCase().replace(/ /g, '_') : region;
+		const data = { country, sessionType, protocol, region: sanitizedRegion, city, IPTTL, count: 1 };
 		Object.keys(data).forEach((k) => (data[k] === "" || data[k] === 0 || data[k] == null) && delete data[k]);
 
 		// 3. Setup Timeout

package/src/utility/puppeteer/ppLaunch.d.ts

@@ -64,7 +64,18 @@ export interface PpLaunchOptions {
 	which_browser?: "chrome" | "chromium" | "brave" | "multilogin";
 
 	// ========================================================================
-	// 2. STORAGE & PROFILES
+	// 2. GENERAL & NETWORK
+	// ========================================================================
+
+	/**
+	 * Timezone ID (IANA format, e.g., "America/New_York").
+	 * Applied via CDP `Emulation.setTimezoneOverride` after connecting.
+	 * Default: null (uses system timezone)
+	 */
+	timezoneId?: string | null;
+
+	// ========================================================================
+	// 3. STORAGE & PROFILES
 	// ========================================================================
 
 	/**
@@ -86,7 +97,7 @@ export interface PpLaunchOptions {
 	cleanupMinutes?: number;
 
 	// ========================================================================
-	// 3. NETWORK
+	// 4. NETWORK
 	// ========================================================================
 
 	/**
@@ -96,7 +107,7 @@ export interface PpLaunchOptions {
 	proxy?: ProxyConfig | string | null;
 
 	// ========================================================================
-	// 4. BROWSER ARGS
+	// 5. BROWSER ARGS
 	// ========================================================================
 
 	/**
@@ -108,7 +119,7 @@ export interface PpLaunchOptions {
 	extraArgs?: string[];
 
 	// ========================================================================
-	// 5. ENGINE SPECIFIC
+	// 6. ENGINE SPECIFIC
 	// ========================================================================
 
 	/**
@@ -117,7 +128,7 @@ export interface PpLaunchOptions {
 	multilogin_options?: PpMultiloginOptions;
 
 	// ========================================================================
-	// 6. FINGERPRINT SPOOFING
+	// 7. FINGERPRINT SPOOFING
 	// ========================================================================
 
 	/**
@@ -169,7 +180,7 @@ export interface PpLaunchOptions {
 	};
 
 	// ========================================================================
-	// 7. LOGGING
+	// 8. LOGGING
 	// ========================================================================
 
 	/**

package/src/utility/puppeteer/ppLaunch.js

@@ -265,6 +265,9 @@ export async function ppLaunch({
 	// Browser selection
 	which_browser = "chrome",
 
+	// Common
+	timezoneId = null,
+
 	// Path & Storage
 	profile_path = null,
 	cleanupMinutes = 0,
@@ -316,6 +319,7 @@ export async function ppLaunch({
 				result = await chromeLauncher({
 					profilePath: fullPath,
 					proxy,
+					timezoneId,
 					extraArgs,
 					spoof_fingerprint,
 					cleanupMinutes: effectiveCleanupMinutes,
@@ -325,6 +329,7 @@ export async function ppLaunch({
 				result = await braveLauncher({
 					profilePath: fullPath,
 					proxy,
+					timezoneId,
 					extraArgs,
 					spoof_fingerprint,
 					cleanupMinutes: effectiveCleanupMinutes,
@@ -351,7 +356,7 @@ export async function ppLaunch({
 // 4. ENGINE: CHROME (CDP)
 // ==========================================================================
 
-async function chromeLauncher({ profilePath, proxy, extraArgs, spoof_fingerprint, cleanupMinutes }) {
+async function chromeLauncher({ profilePath, proxy, timezoneId, extraArgs, spoof_fingerprint, cleanupMinutes }) {
 	const isPersistent = !!profilePath;
 	const activePath = isPersistent ? profilePath : path.join(TEMP_DIR, crypto.randomUUID());
 
@@ -365,6 +370,7 @@ async function chromeLauncher({ profilePath, proxy, extraArgs, spoof_fingerprint
 		profilePath: activePath,
 		isPersistent,
 		proxy,
+		timezoneId,
 		extraArgs,
 		spoof_fingerprint,
 		browserLabel: "Chrome",
@@ -375,7 +381,7 @@ async function chromeLauncher({ profilePath, proxy, extraArgs, spoof_fingerprint
 // 5. ENGINE: BRAVE (CDP)
 // ==========================================================================
 
-async function braveLauncher({ profilePath, proxy, extraArgs, spoof_fingerprint, cleanupMinutes }) {
+async function braveLauncher({ profilePath, proxy, timezoneId, extraArgs, spoof_fingerprint, cleanupMinutes }) {
 	const isPersistent = !!profilePath;
 	const activePath = isPersistent ? profilePath : path.join(TEMP_DIR, crypto.randomUUID());
 
@@ -445,6 +451,7 @@ async function braveLauncher({ profilePath, proxy, extraArgs, spoof_fingerprint,
 		profilePath: activePath,
 		isPersistent,
 		proxy,
+		timezoneId,
 		extraArgs: [...braveArgs, ...extraArgs],
 		spoof_fingerprint,
 		browserLabel: "Brave",
@@ -455,7 +462,7 @@ async function braveLauncher({ profilePath, proxy, extraArgs, spoof_fingerprint,
 // 6. CDP SPAWN & CONNECT (Shared between Chrome & Brave)
 // ==========================================================================
 
-async function spawnAndConnect({ binaryPath, profilePath, isPersistent, proxy, extraArgs = [], spoof_fingerprint = false, browserLabel = "Browser" }) {
+async function spawnAndConnect({ binaryPath, profilePath, isPersistent, proxy, timezoneId = null, extraArgs = [], spoof_fingerprint = false, browserLabel = "Browser" }) {
 	let browser;
 	let closing = false;
 	let signalHandler;
@@ -597,6 +604,13 @@ async function spawnAndConnect({ binaryPath, profilePath, isPersistent, proxy, e
 		const pages = await browser.pages();
 		const page = pages[0] ?? (await browser.newPage());
 
+		// Apply timezone emulation via CDP
+		const tz = timezoneId || undefined;
+		if (tz) {
+			await page.emulateTimezone(tz);
+			if (_launchLogs) console.log(`░░░░░ Timezone set to ${tz} for ${browserLabel}`);
+		}
+
 		// Fingerprint injection logic:
 		// 1. If persistent profile has a saved fingerprint.json → ALWAYS use it (even if spoof_fingerprint is false)
 		// 2. If spoof_fingerprint is truthy → generate new fingerprint (save it for persistent profiles)