window.ipfs

.gitignore

@@ -9,3 +9,5 @@ yarn-error.log
 crowdin.yml
 .*~
 add-on/dist
+coverage
+.nyc_output

add-on/_locales/en/messages.json

@@ -265,6 +265,18 @@
     "message": "DNSLINK Support",
     "description": "An option title on the Preferences screen (option_dnslink_title)"
   },
+  "option_ipfsProxy_title": {
+    "message": "window.ipfs",
+    "description": "An option title for enabling/disabling the IPFS proxy (option_ipfsProxy_title)"
+  },
+  "option_ipfsProxy_description": {
+    "message": "Add IPFS to the window object on every page",
+    "description": "An option description for the IPFS proxy (option_ipfsProxy_description)"
+  },
+  "option_ipfsProxy_link_manage_permissions": {
+    "message": "Manage permissions",
+    "description": "Link text for managing permissions"
+  },
   "option_preloadAtPublicGateway_title": {
     "message": "Preload Uploads",
     "description": "An option title on the Preferences screen (option_preloadAtPublicGateway_title)"
@@ -329,5 +341,67 @@
   "quickUpload_drop_it_here": {
     "message": "drop it here to share",
     "description": "Partial info stats beneath the header on the share files page (quickUpload_drop_it_here)"
+  },
+  "page_proxyAcl_title": {
+    "message": "Manage Permissions",
+    "description": "Page title for the IPFS proxy ACL page (page_proxyAcl_title)"
+  },
+  "page_proxyAcl_subtitle": {
+    "message": "View, change and revoke granted access rights to your IPFS instance.",
+    "description": "Page sub title for the IPFS proxy ACL page (page_proxyAcl_subtitle)"
+  },
+  "page_proxyAcl_no_perms": {
+    "message": "No permissions granted.",
+    "description": "Message displayed when no permissions have been granted (page_proxyAcl_no_perms)"
+  },
+  "page_proxyAcl_confirm_revoke": {
+    "message": "Revoke permission $PERMISSION$ for $ORIGIN$?",
+    "description": "Confirmation message for revoking a permission for an origin (page_proxyAcl_confirm_revoke)",
+    "placeholders": {
+      "permission": {
+        "content": "$1"
+      },
+      "origin": {
+        "content": "$2"
+      }
+    }
+  },
+  "page_proxyAcl_confirm_revoke_all": {
+    "message": "Revoke all permissions for $ORIGIN$?",
+    "description": "Confirmation message for revoking all permissions for an origin (page_proxyAcl_confirm_revoke_all)",
+    "placeholders": {
+      "origin": {
+        "content": "$1"
+      }
+    }
+  },
+  "page_proxyAcl_toggle_to_allow_button_title": {
+    "message": "Click to allow",
+    "description": "Button title for toggling permission from deny to allow (page_proxyAcl_toggle_to_allow_button_title)"
+  },
+  "page_proxyAcl_toggle_to_deny_button_title": {
+    "message": "Click to deny",
+    "description": "Button title for toggling permission from allow to deny (page_proxyAcl_toggle_to_deny_button_title)"
+  },
+  "page_proxyAcl_allow_button_value": {
+    "message": "Allow",
+    "description": "Button value for allow (page_proxyAcl_allow_button_value)"
+  },
+  "page_proxyAcl_deny_button_value": {
+    "message": "Deny",
+    "description": "Button value for deny"
+  },
+  "page_proxyAcl_revoke_button_title": {
+    "message": "Revoke $PERMISSION$",
+    "description": "Button title for revoking a permission (page_proxyAcl_revoke_button_title)",
+    "placeholders": {
+      "permission": {
+        "content": "$1"
+      }
+    }
+  },
+  "page_proxyAcl_revoke_all_button_title": {
+    "message": "Revoke all permissions",
+    "description": "Button title for revoking all permissions (page_proxyAcl_revoke_all_button_title)"
   }
 }

add-on/manifest.json

@@ -56,7 +56,8 @@
 
     "web_accessible_resources": [
         "icons/ipfs-logo-on.svg",
-        "icons/ipfs-logo-off.svg"
+        "icons/ipfs-logo-off.svg",
+        "dist/contentScripts/ipfs-proxy/page.js"
     ],
 
 	"protocol_handlers": [

add-on/src/contentScripts/ipfs-proxy/content.js

@@ -0,0 +1,27 @@
+'use strict'
+
+const browser = require('webextension-polyfill')
+const injectScript = require('./inject-script')
+
+function init () {
+  const port = browser.runtime.connect({ name: 'ipfs-proxy' })
+
+  // Forward on messages from background to the page and vice versa
+  port.onMessage.addListener((data) => window.postMessage(data, '*'))
+
+  window.addEventListener('message', (msg) => {
+    if (msg.data && msg.data.sender === 'postmsg-rpc/client') {
+      port.postMessage(msg.data)
+    }
+  })
+
+  injectScript(browser.extension.getURL('dist/contentScripts/ipfs-proxy/page.js'))
+}
+
+// Only run this once for this window!
+// URL can change (history API) which causes this script to be executed again,
+// but it only needs to be setup once per window...
+if (!window.__ipfsProxyContentInitialized) {
+  init()
+  window.__ipfsProxyContentInitialized = true
+}

add-on/src/contentScripts/ipfs-proxy/inject-script.js

@@ -0,0 +1,17 @@
+'use strict'
+
+function injectScript (src, target, opts) {
+  opts = opts || {}
+  const doc = opts.document || document
+
+  const scriptTag = doc.createElement('script')
+  scriptTag.src = src
+  scriptTag.onload = function () {
+    this.parentNode.removeChild(this)
+  }
+
+  target = doc.head || doc.documentElement
+  target.appendChild(scriptTag)
+}
+
+module.exports = injectScript

add-on/src/contentScripts/ipfs-proxy/page.js

@@ -0,0 +1,9 @@
+'use strict'
+
+const Ipfs = require('ipfs')
+const { createProxyClient } = require('ipfs-postmsg-proxy')
+const _Buffer = Buffer
+
+window.Buffer = window.Buffer || _Buffer
+window.Ipfs = window.Ipfs || Ipfs
+window.ipfs = window.ipfs || createProxyClient()

add-on/src/lib/ipfs-companion.js

@@ -12,6 +12,7 @@ const { createIpfsUrlProtocolHandler } = require('./ipfs-protocol')
 const createNotifier = require('./notifier')
 const createCopier = require('./copier')
 const { createContextMenus, findUrlForContext } = require('./context-menus')
+const createIpfsProxy = require('./ipfs-proxy')
 
 // init happens on addon load in background/background.js
 module.exports = async function init () {
@@ -26,8 +27,10 @@ module.exports = async function init () {
   var copier
   var contextMenus
   var apiStatusUpdateInterval
+  var ipfsProxy
   const offlinePeerCount = -1
   const idleInSecs = 5 * 60
+  const browserActionPortName = 'browser-action-port'
 
   try {
     const options = await browser.storage.local.get(optionDefaults)
@@ -43,9 +46,14 @@ module.exports = async function init () {
       onCopyAddressAtPublicGw: () => copier.copyAddressAtPublicGw()
     })
     modifyRequest = createRequestModifier(getState, dnsLink, ipfsPathValidator)
+    ipfsProxy = createIpfsProxy(() => ipfs, getState)
     registerListeners()
     await setApiStatusUpdateInterval(options.ipfsApiPollMs)
-    await storeMissingOptions(options, optionDefaults, browser.storage.local)
+    await storeMissingOptions(
+      await browser.storage.local.get(),
+      optionDefaults,
+      browser.storage.local
+    )
   } catch (error) {
     console.error('Unable to initialize addon due to error', error)
     if (notify) notify('notify_addonIssueTitle', 'notify_addonIssueMsg')
@@ -119,7 +127,6 @@ module.exports = async function init () {
   // e.g. signalling between browser action popup and background page that works
   // in everywhere, even in private contexts (https://github.com/ipfs/ipfs-companion/issues/243)
 
-  const browserActionPortName = 'browser-action-port'
   var browserActionPort
 
   function onRuntimeConnect (port) {
@@ -518,6 +525,8 @@ module.exports = async function init () {
           state.dnslink = change.newValue
         } else if (key === 'preloadAtPublicGateway') {
           state.preloadAtPublicGateway = change.newValue
+        } else if (key === 'ipfsProxy') {
+          state.ipfsProxy = change.newValue
         }
       }
     }
@@ -554,6 +563,8 @@ module.exports = async function init () {
       notify = null
       copier = null
       contextMenus = null
+      ipfsProxy.destroy()
+      ipfsProxy = null
       await destroyIpfsClient()
     }
   }

add-on/src/lib/ipfs-proxy/access-control.js

@@ -0,0 +1,133 @@
+'use strict'
+/* eslint-env browser */
+
+const EventEmitter = require('events')
+const PQueue = require('p-queue')
+
+class AccessControl extends EventEmitter {
+  constructor (storage, storageKeyPrefix = 'ipfsProxyAcl') {
+    super()
+    this._storage = storage
+    this._storageKeyPrefix = storageKeyPrefix
+    this._onStorageChange = this._onStorageChange.bind(this)
+    storage.onChanged.addListener(this._onStorageChange)
+    this._writeQ = new PQueue({ concurrency: 1 })
+  }
+
+  async _onStorageChange (changes) {
+    const prefix = this._storageKeyPrefix
+    const aclChangeKeys = Object.keys(changes).filter((key) => key.startsWith(prefix))
+
+    if (!aclChangeKeys.length) return
+
+    // Map { origin => Map { permission => allow } }
+    this.emit('change', aclChangeKeys.reduce((aclChanges, key) => {
+      return aclChanges.set(
+        key.slice(prefix.length + 1),
+        new Map(JSON.parse(changes[key].newValue))
+      )
+    }, new Map()))
+  }
+
+  _getGrantsKey (origin) {
+    return `${this._storageKeyPrefix}.${origin}`
+  }
+
+  // Get a Map of granted permissions for a given origin
+  // e.g. Map { 'files.add' => true, 'object.new' => false }
+  async _getGrants (origin) {
+    const key = this._getGrantsKey(origin)
+    return new Map(
+      JSON.parse((await this._storage.local.get({ [key]: '[]' }))[key])
+    )
+  }
+
+  async _setGrants (origin, grants) {
+    const key = this._getGrantsKey(origin)
+    return this._storage.local.set({ [key]: JSON.stringify(Array.from(grants)) })
+  }
+
+  async getAccess (origin, permission) {
+    if (!isOrigin(origin)) throw new TypeError('Invalid origin')
+    if (!isString(permission)) throw new TypeError('Invalid permission')
+
+    const grants = await this._getGrants(origin)
+
+    return grants.has(permission)
+      ? { origin, permission, allow: grants.get(permission) }
+      : null
+  }
+
+  async setAccess (origin, permission, allow) {
+    if (!isOrigin(origin)) throw new TypeError('Invalid origin')
+    if (!isString(permission)) throw new TypeError('Invalid permission')
+    if (!isBoolean(allow)) throw new TypeError('Invalid allow')
+
+    return this._writeQ.add(async () => {
+      const access = { origin, permission, allow }
+      const grants = await this._getGrants(origin)
+
+      grants.set(permission, allow)
+      await this._setGrants(origin, grants)
+
+      return access
+    })
+  }
+
+  // Map { origin => Map { permission => allow } }
+  async getAcl () {
+    const data = await this._storage.local.get()
+    const prefix = this._storageKeyPrefix
+
+    return Object.keys(data)
+      .reduce((acl, key) => {
+        return key.startsWith(prefix)
+          ? acl.set(key.slice(prefix.length + 1), new Map(JSON.parse(data[key])))
+          : acl
+      }, new Map())
+  }
+
+  // Revoke access to the given permission
+  // if permission is null, revoke all access
+  async revokeAccess (origin, permission = null) {
+    if (!isOrigin(origin)) throw new TypeError('Invalid origin')
+    if (permission && !isString(permission)) throw new TypeError('Invalid permission')
+
+    return this._writeQ.add(async () => {
+      let grants
+
+      if (permission) {
+        grants = await this._getGrants(origin)
+        if (!grants.has(permission)) return
+        grants.delete(permission)
+      } else {
+        grants = new Map()
+      }
+
+      await this._setGrants(origin, grants)
+    })
+  }
+
+  destroy () {
+    this._storage.onChanged.removeListener(this._onStorageChange)
+  }
+}
+
+module.exports = AccessControl
+
+const isOrigin = (value) => {
+  if (!isString(value)) return false
+
+  let url
+
+  try {
+    url = new URL(value)
+  } catch (_) {
+    return false
+  }
+
+  return url.origin === value
+}
+
+const isString = (value) => Object.prototype.toString.call(value) === '[object String]'
+const isBoolean = (value) => value === true || value === false