@@ -661,10 +661,11 @@ Browser.runtime.onMessage.addListener(async (message, sender) => {
661661 break
662662 case 'PIN_TAB' : {
663663 console . log ( '[background] Processing PIN_TAB message:' , message . data )
664- let tabId = message . data . tabId ?? sender . tab ?. id
664+ const data = message . data ?? { }
665+ let tabId = data . tabId ?? sender . tab ?. id
665666 if ( tabId ) {
666667 await Browser . tabs . update ( tabId , { pinned : true } )
667- if ( message . data . saveAsChatgptConfig ) {
668+ if ( data . saveAsChatgptConfig ) {
668669 console . debug ( '[background] Saving pinned tab as ChatGPT config tab:' , tabId )
669670 await setUserConfig ( { chatgptTabId : tabId } )
670671 }
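Review bot: `data.tabId` on the new line 665 is passed to `Browser.tabs.update` after only a truthiness check, so a malformed or non-numeric value in the message payload reaches the API, and the payload appears to be able to name any tab id rather than just the sender's own. Accepting the payload value only when it is an integer id would tighten this, e.g. `const tabId = Number.isInteger(data.tabId) ? data.tabId : sender.tab?.id`, which also replaces `let` with `const` since `tabId` is never reassigned in the hunk. The enclosing onMessage listener starts and ends outside this hunk, so any sender check performed before the switch is not visible here.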
@@ -691,20 +692,28 @@ Browser.runtime.onMessage.addListener(async (message, sender) => {
691692 console . warn ( '[background] Invalid FETCH input:' , message . data ?. input )
692693 return [ null , { message : 'Invalid fetch input' } ]
693694 }
694- if ( ! fetchInput . startsWith ( 'https://' ) && ! fetchInput . startsWith ( 'http://' ) ) {
695- console . warn ( '[background] Rejecting FETCH for non-http(s) URL:' , fetchInput )
696- return [ null , { message : 'Unsupported fetch protocol' } ]
695+ let validatedUrl
696+ try {
697+ const url = new URL ( fetchInput )
698+ if ( url . protocol !== 'https:' && url . protocol !== 'http:' ) {
699+ console . warn ( '[background] Rejecting FETCH for non-http(s) URL:' , fetchInput )
700+ return [ null , { message : 'Unsupported fetch protocol' } ]
701+ }
702+ validatedUrl = url . toString ( )
703+ } catch ( error ) {
704+ console . warn ( '[background] Invalid FETCH input URL:' , fetchInput , error )
705+ return [ null , { message : 'Invalid fetch URL' } ]
697706 }
698707
699- console . log ( '[background] Processing FETCH message for URL:' , fetchInput )
700- if ( fetchInput . includes ( 'bing.com' ) ) {
708+ console . log ( '[background] Processing FETCH message for URL:' , validatedUrl )
709+ if ( validatedUrl . includes ( 'bing.com' ) ) {
701710 console . debug ( '[background] Fetching Bing access token for FETCH message.' )
702711 const accessToken = await getBingAccessToken ( )
703712 await setUserConfig ( { bingAccessToken : accessToken } )
704713 }
705714
706715 try {
707- const response = await fetch ( fetchInput , message . data ?. init )
716+ const response = await fetch ( validatedUrl , message . data ?. init )
708717 const text = await response . text ( )
709718 const responseObject = {
710719 // Defined for clarity before conditional error property
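Review bot: `validatedUrl.includes('bing.com')` on the new line 709 is a substring test over the whole URL string, so a URL whose host is something else but whose path or query contains `bing.com` also triggers the Bing access-token refresh on the following lines. The parsed `URL` object is already in hand inside the `try`, so keeping its hostname alongside the string, e.g. `validatedHost = url.hostname`, and testing `validatedHost === 'bing.com' || validatedHost.endsWith('.bing.com')` ties that side effect to the actual host. The same `protocol !== 'https:' && protocol !== 'http:'` check is repeated in the GET_COOKIE hunk (new lines 767-773); a small shared `isHttpUrl(url)` helper would keep the two in step. `fetchInput` and the enclosing FETCH case begin before this hunk.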
@@ -717,15 +726,15 @@ Browser.runtime.onMessage.addListener(async (message, sender) => {
717726 if ( ! response . ok ) {
718727 responseObject . error = `HTTP error ${ response . status } : ${ response . statusText } `
719728 console . warn (
720- `[background] FETCH received error status: ${ response . status } for ${ fetchInput } ` ,
729+ `[background] FETCH received error status: ${ response . status } for ${ validatedUrl } ` ,
721730 )
722731 }
723732 console . debug (
724- `[background] FETCH successful for ${ fetchInput } , status: ${ response . status } ` ,
733+ `[background] FETCH successful for ${ validatedUrl } , status: ${ response . status } ` ,
725734 )
726735 return [ responseObject , null ]
727736 } catch ( error ) {
728- console . error ( `[background] FETCH error for ${ fetchInput } :` , error )
737+ console . error ( `[background] FETCH error for ${ validatedUrl } :` , error )
729738 return [ null , { message : error . message } ]
730739 }
731740 }
@@ -755,6 +764,13 @@ Browser.runtime.onMessage.addListener(async (message, sender) => {
755764 console . warn ( '[background] Rejecting GET_COOKIE with invalid URL:' , cookieUrlInput )
756765 return null
757766 }
767+ if ( cookieUrl . protocol !== 'http:' && cookieUrl . protocol !== 'https:' ) {
768+ console . warn (
769+ '[background] Rejecting GET_COOKIE with disallowed protocol:' ,
770+ cookieUrl . protocol ,
771+ )
772+ return null
773+ }
758774
759775 const cookieName = cookieNameInput . trim ( )
760776 console . debug ( '[background] Processing GET_COOKIE message for:' , cookieUrl . href )
@@ -852,20 +868,24 @@ try {
852868 const headers = details . requestHeaders
853869 let modified = false
854870 for ( let i = 0 ; i < headers . length ; i ++ ) {
855- if ( ! headers [ i ] ) {
871+ const header = headers [ i ]
872+ if ( ! header || ! header . name ) {
856873 continue
857874 }
858- const headerNameLower = headers [ i ] . name ? .toLowerCase ( )
875+ const headerNameLower = header . name . toLowerCase ( )
859876 if ( headerNameLower === 'origin' ) {
860- headers [ i ] . value = 'https://www.bing.com'
877+ header . value = 'https://www.bing.com'
861878 modified = true
862879 } else if ( headerNameLower === 'referer' ) {
863- headers [ i ] . value = 'https://www.bing.com/search?q=Bing+AI&showconv=1&FORM=hpcodx'
880+ header . value = 'https://www.bing.com/search?q=Bing+AI&showconv=1&FORM=hpcodx'
864881 modified = true
865882 }
866883 }
867884 if ( modified ) {
868- console . debug ( '[background] Modified headers for Bing:' , headers )
885+ console . debug (
886+ '[background] Modified headers for Bing (names only):' ,
887+ headers . map ( ( header ) => header ?. name ) . filter ( Boolean ) ,
888+ )
869889 }
870890 return { requestHeaders : headers }
871891 } catch ( error ) {
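Review bot: With `header` now aliasing `headers[i]` on the new line 871, the loop index `i` is no longer used for anything else, so the index loop reads more naturally as `for (const header of headers) {` with the `!header || !header.name` guard as its first statement; the Claude header listener in the next hunk (new lines 911-915) has the same shape and would take the same change. Logging only header names at lines 885-888 instead of the full objects is an improvement, since request headers can carry cookies and tokens. The listener body begins before this hunk, so whether `details.requestHeaders` is guarded against being undefined before `headers.length` is read is not visible; if it is not, the surrounding catch at line 891 is the only thing handling that case.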
@@ -888,11 +908,15 @@ try {
888908 ( details ) => {
889909 const headers = details . requestHeaders
890910 for ( let i = 0 ; i < headers . length ; i ++ ) {
891- const headerNameLower = headers [ i ] ?. name ?. toLowerCase ( )
911+ const header = headers [ i ]
912+ if ( ! header || ! header . name ) {
913+ continue
914+ }
915+ const headerNameLower = header . name . toLowerCase ( )
892916 if ( headerNameLower === 'origin' ) {
893- headers [ i ] . value = 'https://claude.ai'
917+ header . value = 'https://claude.ai'
894918 } else if ( headerNameLower === 'referer' ) {
895- headers [ i ] . value = 'https://claude.ai'
919+ header . value = 'https://claude.ai'
896920 }
897921 }
898922 return { requestHeaders : headers }