background.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

// Based on https://github.com/mdn/webextensions-examples/blob/main/root-cert-stats/background.js

let certs = [];

// On header receive, inspect cert and update app icon as required
async function onHeaderReceive(details) {
    try {
        await certInspectUpdate(details.requestId);
    } catch(error) {
        console.error(error);
    }
}

async function certInspectUpdate(requestId) {
    let securityInfo = await browser.webRequest.getSecurityInfo(
        requestId,
        {
            "certificateChain": true
        }
    );
    
    if (securityInfo.state !== "secure" || securityInfo.isUntrusted) {
        setIcon("nope");
        return;
    }

    // Flagged as "secure" - check if CA is against any of our flagged CAs

    // root is last in the array cert chain
    let rootCA = securityInfo.certificates[securityInfo.certificates.length - 1];

    for (let cert of certs) {
        if (rootCA.subject.includes(cert)) {
            setIcon("nope");
            return;
        }
    }

    setIcon("ok");
}

function setIcon(icon) {
    browser.browserAction.setIcon({ path: "icons/" + icon + ".png" });
}

function onReady() {
    // Listen for all header receive events, which contain the cert details we want
    browser.webRequest.onHeadersReceived.addListener(
        onHeaderReceive,
        {
            urls: ["<all_urls>"]
        },
        [
            "blocking"
        ]
    );
}

// Fetch config for certs list
const getting = browser.storage.sync.get("certs");
getting.then(saved => {
    certs = saved.certs;
    console.log("certs=" + certs)
    onReady();
}, console.error);