SAP / project-foxhound

A web browser with dynamic data-flow tracking enabled in the JavaScript engine and DOM, based on Mozilla Firefox (https://github.com/mozilla/gecko-dev). It can be used to identify insecure data flows or data privacy leaks in client-side web applications.
GNU General Public License v3.0

Add Server-Sent-Events Sources and Sinks #58

Closed: tmbrbr closed 2 years ago

tmbrbr commented 2 years ago

Server-Sent-Events would be interesting sources and sinks to add: https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events

Sinks:

Source:

tmbrbr commented 2 years ago

MessageEvents are already a source: https://github.com/SAP/project-foxhound/blob/main/dom/events/MessageEvent.cpp#L69

Perhaps add the Origin as an argument in order to keep track of internal (e.g. window.MessageEvent) vs. SSEs.

EventSource sink function here: https://github.com/SAP/project-foxhound/blob/main/dom/base/EventSource.cpp#L630