From 7f22aa55b01b117f7c9bbe907dc5fab772de3287 Mon Sep 17 00:00:00 2001
From: CanadaHonk
Date: Mon, 30 Jan 2023 22:39:16 +0000
Subject: [PATCH] open: add allowHTTP option completely block HTTP by default
---
 gluon.d.ts | 11 ++++++++++-
 src/browser/chromium.js | 3 ++-
 src/browser/firefox.js | 7 ++++++-
 src/index.js | 13 +++++++++----
 4 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/gluon.d.ts b/gluon.d.ts
index 1c26bfc..d1c9eea 100644
--- a/gluon.d.ts
+++ b/gluon.d.ts
@@ -499,7 +499,16 @@ type OpenOptions = {
 forceBrowser?: Browser,
 /** Force Gluon to use a specific browser engine instead of automatically finding a browser itself. */
- forceEngine?: BrowserEngine
+ forceEngine?: BrowserEngine,
+
+ /**
+ * Opt-in to allowing HTTP. Not recommended to use, always keep `false` where possible. Primarily to support custom localhost servers.
+ * Options:
+ * - `false`: HTTP is **completely disabled**. Recommended.
+ * - `mixed`: HTTP is **enabled for mixed content**, but not as window URL. **Not recommended.**
+ * - `true`: HTTP is **completely enabled**. **Not recommended.**
+ */
+ allowHTTP?: false | 'mixed' | true
 };
 /**
diff --git a/src/browser/chromium.js b/src/browser/chromium.js
index 9cb835b..d0c9ea5 100644
--- a/src/browser/chromium.js
+++ b/src/browser/chromium.js
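Review bot: The doc comment added for `allowHTTP` in gluon.d.ts says `false` means HTTP is "completely disabled", which is a stronger promise than the enforcement visible in this patch: a check of the initial `url` in `open()` plus mixed-content flags and prefs. Nothing shown here stops a page that is already loaded from navigating or being redirected to an `http://` address, so the wording should describe what is actually enforced, e.g. `false`: HTTP window URLs are rejected and mixed content is blocked. The comment should also state that `false` is the behaviour when the option is omitted, since the type marks the property as optional.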
@@ -7,12 +7,13 @@ const presets = { // Presets from OpenAsar
 'memory': '--in-process-gpu --js-flags="--lite-mode --optimize_for_size --wasm_opt --wasm_lazy_compilation --wasm_lazy_validation --always_compact" --renderer-process-limit=2 --enable-features=QuickIntensiveWakeUpThrottlingAfterLoading' // Less (?) memory usage
 };
-export default async ({ browserPath, dataPath }, { url, windowSize }, extra) => {
+export default async ({ browserPath, dataPath }, { url, windowSize, allowHTTP }, extra) => {
 return await StartBrowser(browserPath, [
 `--app=${url}`,
 `--remote-debugging-pipe`,
 `--user-data-dir=${dataPath}`,
 windowSize ? `--window-size=${windowSize.join(',')}` : '',
+ ![true, 'mixed'].includes(allowHTTP) ? `--enable-strict-mixed-content-checking` : '--allow-running-insecure-content',
 ...`--new-window --no-first-run --no-default-browser-check --disable-component-extensions-with-background-pages --disable-extensions --disable-default-apps --disable-breakpad --disable-crashpad --disable-background-networking --disable-domain-reliability --disable-component-update --disable-sync --disable-features=AutofillServerCommunication -in-process-gpu ${presets.perf}`.split(' ')
 ], 'stdio', extra);
 };
\ No newline at end of file
diff --git a/src/browser/firefox.js b/src/browser/firefox.js
index b10e948..12d5666 100644
--- a/src/browser/firefox.js
+++ b/src/browser/firefox.js
@@ -4,7 +4,7 @@ import { join } from 'path';
 import StartBrowser from '../launcher/start.js';
-export default async ({ browserPath, dataPath }, { url, windowSize }, extra) => {
+export default async ({ browserPath, dataPath }, { url, windowSize, allowHTTP }, extra) => {
 await mkdir(dataPath, { recursive: true });
 await writeFile(join(dataPath, 'user.js'), `
 user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true);
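Review bot: In src/browser/chromium.js the added argument line gives `'mixed'` and `true` the same switch, `--allow-running-insecure-content`, which relaxes active mixed-content blocking for every HTTPS page the window loads, not only for a localhost server. An HTTP window URL does not itself need that switch, because an HTTP page loading HTTP resources is not mixed content, so if the main use of `true` is a local HTTP server it may be enough to drop the strict flag there and reserve the insecure-content switch for callers who ask for it explicitly. The same two-way split drives the three `security.mixed_content.block_*` prefs in src/browser/firefox.js. Whatever mapping is kept, a comment above the line would help, e.g. `// 'mixed' and true both allow active HTTP content on HTTPS pages; anything else is strict`.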
@@ -20,6 +20,11 @@ user_pref('fission.bfcacheInParent', false);
 user_pref('fission.webContentIsolationStrategy', 0);
 user_pref('ui.key.menuAccessKeyFocuses', false);
 ${process.platform === 'darwin' ? `user_pref('browser.tabs.inTitlebar', 0);` : `` }
+
+user_pref('security.mixed_content.block_active_content', ${![true, 'mixed'].includes(allowHTTP) ? 'true' : 'false'});
+user_pref('security.mixed_content.block_display_content', ${![true, 'mixed'].includes(allowHTTP) ? 'true' : 'false'});
+user_pref('security.mixed_content.block_object_subrequest', ${![true, 'mixed'].includes(allowHTTP) ? 'true' : 'false'});
+user_pref('security.mixed_content.upgrade_display_content', true);
 `);
 // user_pref('privacy.resistFingerprinting', false);
diff --git a/src/index.js b/src/index.js
index 0990db4..8ad18ac 100644
--- a/src/index.js
+++ b/src/index.js
@@ -175,7 +175,7 @@ const getBrowserType = name => { // todo: not need this
 const portRange = [ 10000, 60000 ];
 const generatePort = () => (Math.floor(Math.random() * (portRange[1] - portRange[0] + 1)) + portRange[0]);
-const startBrowser = async (url, { windowSize, forceBrowser, forceEngine }) => {
+const startBrowser = async (url, { allowHTTP, windowSize, forceBrowser, forceEngine }) => {
 const [ browserPath, browserName ] = await findBrowserPath(forceBrowser, forceEngine);
 const browserFriendlyName = getFriendlyName(browserName);
@@ -199,7 +199,8 @@ const startBrowser = async (url, { windowSize, forceBrowser, forceEngine }) => {
 browserPath
 }, {
 url: openingLocal ? localUrl : url,
- windowSize
+ windowSize,
+ allowHTTP
 }, {
 browserName: browserFriendlyName,
 url: openingLocal ? basePath : url,
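Review bot: In src/browser/firefox.js the last added pref, `security.mixed_content.upgrade_display_content`, is written as `true` regardless of `allowHTTP`, while the three `block_*` prefs above it are relaxed for `'mixed'` and `true`. With upgrading left on, display content requested over HTTP is presumably still rewritten to HTTPS, so images or media from an HTTP-only server would fail even though the option is documented as enabling mixed content; if that is meant as a safety net it deserves a comment next to the template, otherwise it should follow the same condition. The condition is also repeated three times and could be computed once before `writeFile`, e.g. `const blockMixed = ![true, 'mixed'].includes(allowHTTP);`, and interpolated as `${blockMixed}` in each pref. The template string starts and ends outside this hunk.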
@@ -213,10 +214,14 @@ const startBrowser = async (url, { windowSize, forceBrowser, forceEngine }) => {
 return Window;
 };
-export const open = async (url, { windowSize, onLoad, forceBrowser, forceEngine } = {}) => {
+export const open = async (url, opts = {}) => {
+ const { onLoad, allowHTTP } = opts;
+
+ if (allowHTTP !== true && url.startsWith('http://')) throw new Error(`HTTP URLs are blocked by default. Please use HTTPS, or if not possible, enable the 'allowHTTP' option.`);
+
 log('starting browser...');
- const Browser = await startBrowser(url, { windowSize, forceBrowser, forceEngine });
+ const Browser = await startBrowser(url, opts);
 if (onLoad) {
 const toRun = `(() => {
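Review bot: The guard `url.startsWith('http://')` in `open()` is an exact, case-sensitive prefix match, whereas browsers treat the scheme case-insensitively and ignore leading whitespace, so a value such as `HTTP://…` passes the check and is still handed to the browser as an HTTP URL. Comparing a normalised scheme closes that gap, for example `if (allowHTTP !== true && /^\s*http:/i.test(url)) throw …`, or `new URL(url).protocol === 'http:'` on the paths where `url` is known to be absolute. The check covers only the `url` argument; whether the `localUrl` chosen in `startBrowser` is itself HTTP cannot be seen from this patch. The body of `open()` continues past the end of the hunk.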