Man in the Middle

Firefox Extension.

---

Allow user to block or redirect requests, modify request headers and responses, inject JavaScript and CSS into pages.

---

Get Man in the Middle on Firefox Add-ons.
Get help writing rules.
See changes in the Project board.

Use cases:

• Block or redirect websites and requests;
• Add, modify or remove request and response headers;
• Modify response data;
• Inject JavaScript into pages to make them function as desired;
• Inject CSS into pages to style them as desired.

Screenshots

Use Blocking Rules to block or redirect requests.

Use Header Rules to modify request and response headers.

Headers can be modified using JavaScript.

Use Response Rules to modify network responses.

Use Content Scripts to inject JavaScript and CSS codes into pages.

Content Scripts can even be injected to the extension's pages.

Rules

Select rule properties for more details.

Blocking Rules

Rules to block or redirect requests.

• URL filters (Required);
• Method;
• Text redirect URL;
• Text type;
• Redirect URL;
• Origin URL filters.

Header Rules

Rules to modify request and response headers.

• Text headers (Required);
• Text type;
• Header type;
• URL filters (Required);
• Method;
• Origin URL filters.

Response Rules

Rules to modify network responses.

• Text response (Required);
• Text type;
• URL filters (Required);
• Method;
• Origin URL filters.

Content Scripts

Rules to inject JavaScript and CSS into pages.

• Code (Required);
• Script type;
• URL filters (Required);
• DOM event;
• Origin URL filters.

Properties

URL filters

Filter request URLs or document URLs.

• Format: RegExp pattern or String filter.
• Separator: line break, i.e, '\n', '\r' or '\r\n'.
• A filter that begins with an exclamation mark '!' is a URL exception.
• A URL is satisfied if it matches at least one of the filters and DOES NOT match any URL exception.
  • A URL matches a filter if it matches the RegExp pattern or includes the String filter.
• Examples:

  Any site is matched
  http
  

  Any site is matched, but not www.google.com
  http
  !www.google.com
  

• Rules: Blocking Rules, Header Rules, Response Rules and Content Scripts.

Method

Filters request methods.

• Value can be '*' or one of the HTTP request methods, i.e, 'GET', 'POST', 'HEAD', etc.
• A request method is satisfied if it equals to the method.
• Rules: Blocking Rules, Header Rules and Response Rules.

Text redirect URL

To redirect or block requests.

• Format: Plaintext or Restricted JavaScript.
• Type Plaintext:
  A URL to redirect requests to.
  • If not set, matched requests are blocked.
  • Parameters '$n' (1 <= <int>n <= 100), in a redirect URL are replaced with capture groups from RegExp pattern URL filter.
  • Examples:

    Force secure connections for all HTTP requests.
    URL filter: /^http:(.*)/
    Text redirect URL: https:$1
    

• Type Restricted JavaScript:
  Returns a URL to redirect requests to.
  • The code must return a string URL.
    • If URL is empty, matched requests are blocked;
    • If URL equals to the request's URL, the request is neither blocked nor redirected;
    • Otherwise, the request is redirected to URL.
  • Examples:

    // Facebook hours restricted to the range from 07:00 PM to 11:59 PM
    // URL filter: facebook.com, messenger.com
    // Text redirect URL:
    const date = new Date();
    const hour = date.getHours();
    return 19 <= hour && hour <= 23 ? url : '';

• Rule: Blocking Rules.

Redirect URL

DEPRECATED since version 3.4.0. Use Text redirect URL instead.

• Rules: Blocking Rules.

Origin URL filters

Filter document URLs.

• Format: RegExp pattern or String filter.
• Separator: comma ','.
• A document URL is satisfied if one of the following is satisfied:
  • No filter is set (default);
  • The document URL matches one of the filters.
    • A document URL matches a filter if it matches the RegExp pattern or includes the String filter.
• Rules: Blocking Rules, Header Rules, Response Rules and Content Scripts.

Text headers

To modify request or response headers.

• Format: Plaintext or Restricted JavaScript.
• Type Plaintext:
  Pairs of headers.
  • Separator: line break, i.e, '\n', '\r' or '\r\n'.
  • A Pair is of the format: name: value.
    • If name is empty, the header is omitted.
    • If value is empty, the header with the name name is removed if it exists, or the header is omitted.
    • If a header with the name name exists, the header is modified. If there're more than one existing, the first is modified.
    • If no header with the name name exists, a new header is added.
  • Examples:

    This overrides the default Accept header
    Accept: *
    

    This removes Referer header if it exists
    Referer:
    

    This adds new headers to the request
    Test-0: On
    Test-1: Off
    

• Type Restricted JavaScript:
  Returns request or response headers.
  • The code must return an array of objects, each objects has two properties: 'name' and 'value'.
  • The code may access requestHeaders or responseHeaders, depending on the Header type.
  • The header array requestHeaders or responseHeaders has its methods to make it easier to modify headers:
    • get(name) gets header by name;
    • set(name, value) replaces header value if it exists, or adds a new header;
    • modify([ ...[name, value] ]) sets multiple pairs of headers.
  • Examples:

    // Header type: Request headers
    // This do nothing but log the request headers to the console.
    throw requestHeaders;

    // This line
    const acceptHeader = requestHeaders.get('Accept');
    //     equals to the below
    const acceptHeader = const acceptHeader = requestHeaders.find(({name}) => (
        name.toLowerCase() === 'accept'
    ));

    // Header type: Request headers
    
    // This line
    requestHeaders.modify([ ['Accept', '*'] ]);
    //     equals to this line
    requestHeaders.set('Accept', '*');
    //     and equals to the below lines
    const acceptHeader = requestHeaders.get('Accept');
    if (acceptHeader) {
        acceptHeader.value = '*';
    } else {
        requestHeaders.push({name: 'Accept', value: '*'});
    }
    
    return requestHeaders;

    // Header type: Request headers
    // This line
    requestHeaders.modify([ ['Referer', ''] ]);
    //    equals to the below
    const refererHeaderIndex = requestHeaders.findIndex(({name}) => (
        name.toLowerCase() === 'referer'
    ));
    // Remove Referer header
    if (refererHeaderIndex !== -1) {
        requestHeaders.splice(refererHeaderIndex, 1);
    }
    
    return requestHeaders;

    // Header type: Response headers
    responseHeaders.push({
        name: 'Set-Cookie',
        value: 'Firefox-Extension=Man in the Middle; HttpOnly',
    });
    return responseHeaders;

• Rule: Header Rules.

Text type

'Plaintext' or'JavaScript'.

• Rule: Blocking Rules, Header Rules and Response Rules.

Header type

'Request headers' or 'Response headers'.

• Rule: Header Rules.

Text response

To modify network responses.

• Format: Plaintext or Restricted JavaScript.
• Type Plaintext:
  Any text as response body.
• Type Restricted JavaScript:
  Returns response body.
  • The code must return a string which is the response body.
  • The code may access responseBody and responseHeaders.
  • Examples:

    // Site: http://internetbadguys.com/
    return `<!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8">
    </head>
    <body>
    <h1>Bad guys are ${(
        responseBody.includes('phish.opendns.com/?url=') ? 'blocked' : 'coming'
    )}!</h1>
    </body>
    </html>`;

• Rule: Response Rules.

Code

JavaScript or CSS code to be injected.

• Rule: Content Scripts.

Script type

'JavaScript' or 'CSS'.

• To see error logs, open the devtools > Console.
• Rule: Content Scripts.

DOM event

A stage of the DOM loading on which the code is injected.

• Can be one of the following values:
  • Loading;
  • Loaded;
  • Completed.
• Rule: Content Scripts.

Formats

RegExp pattern

Begins with a slash '/' and ends with a slash '/'.

• The characters inside the two slashes must form a valid RegExp, otherwise, the pattern is treated as a String filter.
• Examples:

  /./
  /faceb(\w{2})k\.[\w]+/
  

• Properties: URL filters and Origin URL filters.

String filter

A string that is not a RegExp pattern.

• Examples:

  http
  facebook.com
  /invalid { RegExp/
  

• Properties: URL filters and Origin URL filters.

Restricted JavaScript

A JavaScript function body that will be executed inside a sandbox.

• The code may use only built-in objects and some APIs, which are:
  • Object, Array, String, RegExp, JSON, Map, Set, Promise, ...built-in objects;
  • isFinite, isNaN, parseInt, parseFloat;
  • encodeURI, encodeURIComponent, decodeURI, decodeURIComponent;
  • crypto, performance, atob, btoa, fetch and XMLHttpRequest.
• The code may access request details and tab details, which are:
  • url, originUrl, documentUrl, method, proxyInfo, type (the type of the requested resource), timeStamp;
  • incognito (true if tab in private browsing), pinned (true if tab is pinned).
• The function is async, hence, await can be used to perform asynchronous tasks.
• The code should always return a value.
• The code may throw a cloneable value. To see error logs, open the devtools > Console.
• Properties: Text redirect URL, Text headers and Text response.

Others

• If you have questions or need help, feel free to message me at: facebook/dangkyokhoang.
• If you have feature requests, suggestions, or you've found bugs, raise issues at: man-in-the-middle/issues.