/man-in-the-middle

Modify requests, inject JavaScript and CSS into pages

Primary LanguageJavaScriptGNU General Public License v3.0GPL-3.0

Man in the Middle

License

Firefox Extension.


Allow user to block or redirect requests, modify request headers and responses, inject JavaScript and CSS into pages.


Get Man in the Middle on Firefox Add-ons.
Get help writing rules.
See changes in the Project board.

Use cases:

  • Block or redirect websites and requests;
  • Add, modify or remove request and response headers;
  • Modify response data;
  • Inject JavaScript into pages to make them function as desired;
  • Inject CSS into pages to style them as desired.

Screenshots

Block or redirect requests Use Blocking Rules to block or redirect requests.

Modify request and response headers Use Header Rules to modify request and response headers.

Use JavaScript to modify request headers Headers can be modified using JavaScript.

Use JavaScript to modify response body Use Response Rules to modify network responses.

Inject JavaScript and CSS into pages Use Content Scripts to inject JavaScript and CSS codes into pages.

Man in the Middle dark theme Content Scripts can even be injected to the extension's pages.

Rules

Select rule properties for more details.

Blocking Rules

Rules to block or redirect requests.

Header Rules

Rules to modify request and response headers.

Response Rules

Rules to modify network responses.

Content Scripts

Rules to inject JavaScript and CSS into pages.

Properties

URL filters

Filter request URLs or document URLs.

  • Format: RegExp pattern or String filter.
  • Separator: line break, i.e, '\n', '\r' or '\r\n'.
  • A filter that begins with an exclamation mark '!' is a URL exception.
  • A URL is satisfied if it matches at least one of the filters and DOES NOT match any URL exception.
    • A URL matches a filter if it matches the RegExp pattern or includes the String filter.
  • Examples:
    Any site is matched
    http
    
    Any site is matched, but not www.google.com
    http
    !www.google.com
    
  • Rules: Blocking Rules, Header Rules, Response Rules and Content Scripts.

Method

Filters request methods.

  • Value can be '*' or one of the HTTP request methods, i.e, 'GET', 'POST', 'HEAD', etc.
  • A request method is satisfied if it equals to the method.
  • Rules: Blocking Rules, Header Rules and Response Rules.

Text redirect URL

To redirect or block requests.

  • Format: Plaintext or Restricted JavaScript.
  • Type Plaintext:
    A URL to redirect requests to.
    • If not set, matched requests are blocked.
    • Parameters '$n' (1 <= <int>n <= 100), in a redirect URL are replaced with capture groups from RegExp pattern URL filter.
    • Examples:
      Force secure connections for all HTTP requests.
      URL filter: /^http:(.*)/
      Text redirect URL: https:$1
      
  • Type Restricted JavaScript:
    Returns a URL to redirect requests to.
    • The code must return a string URL.
      • If URL is empty, matched requests are blocked;
      • If URL equals to the request's URL, the request is neither blocked nor redirected;
      • Otherwise, the request is redirected to URL.
    • Examples:
      // Facebook hours restricted to the range from 07:00 PM to 11:59 PM
      // URL filter: facebook.com, messenger.com
      // Text redirect URL:
      const date = new Date();
      const hour = date.getHours();
      return 19 <= hour && hour <= 23 ? url : '';
  • Rule: Blocking Rules.

Redirect URL

DEPRECATED since version 3.4.0. Use Text redirect URL instead.

Origin URL filters

Filter document URLs.

Text headers

To modify request or response headers.

  • Format: Plaintext or Restricted JavaScript.
  • Type Plaintext:
    Pairs of headers.
    • Separator: line break, i.e, '\n', '\r' or '\r\n'.
    • A Pair is of the format: name: value.
      • If name is empty, the header is omitted.
      • If value is empty, the header with the name name is removed if it exists, or the header is omitted.
      • If a header with the name name exists, the header is modified. If there're more than one existing, the first is modified.
      • If no header with the name name exists, a new header is added.
    • Examples:
      This overrides the default Accept header
      Accept: *
      
      This removes Referer header if it exists
      Referer:
      
      This adds new headers to the request
      Test-0: On
      Test-1: Off
      
  • Type Restricted JavaScript:
    Returns request or response headers.
    • The code must return an array of objects, each objects has two properties: 'name' and 'value'.
    • The code may access requestHeaders or responseHeaders, depending on the Header type.
    • The header array requestHeaders or responseHeaders has its methods to make it easier to modify headers:
      • get(name) gets header by name;
      • set(name, value) replaces header value if it exists, or adds a new header;
      • modify([ ...[name, value] ]) sets multiple pairs of headers.
    • Examples:
      // Header type: Request headers
      // This do nothing but log the request headers to the console.
      throw requestHeaders;
      // This line
      const acceptHeader = requestHeaders.get('Accept');
      //     equals to the below
      const acceptHeader = const acceptHeader = requestHeaders.find(({name}) => (
          name.toLowerCase() === 'accept'
      ));
      // Header type: Request headers
      
      // This line
      requestHeaders.modify([ ['Accept', '*'] ]);
      //     equals to this line
      requestHeaders.set('Accept', '*');
      //     and equals to the below lines
      const acceptHeader = requestHeaders.get('Accept');
      if (acceptHeader) {
          acceptHeader.value = '*';
      } else {
          requestHeaders.push({name: 'Accept', value: '*'});
      }
      
      return requestHeaders;
      // Header type: Request headers
      // This line
      requestHeaders.modify([ ['Referer', ''] ]);
      //    equals to the below
      const refererHeaderIndex = requestHeaders.findIndex(({name}) => (
          name.toLowerCase() === 'referer'
      ));
      // Remove Referer header
      if (refererHeaderIndex !== -1) {
          requestHeaders.splice(refererHeaderIndex, 1);
      }
      
      return requestHeaders;
      // Header type: Response headers
      responseHeaders.push({
          name: 'Set-Cookie',
          value: 'Firefox-Extension=Man in the Middle; HttpOnly',
      });
      return responseHeaders;
  • Rule: Header Rules.

Text type

'Plaintext' or'JavaScript'.

Header type

'Request headers' or 'Response headers'.

Text response

To modify network responses.

  • Format: Plaintext or Restricted JavaScript.
  • Type Plaintext:
    Any text as response body.
  • Type Restricted JavaScript:
    Returns response body.
    • The code must return a string which is the response body.
    • The code may access responseBody and responseHeaders.
    • Examples:
      // Site: http://internetbadguys.com/
      return `<!DOCTYPE html>
      <html>
      <head>
          <meta charset="utf-8">
      </head>
      <body>
      <h1>Bad guys are ${(
          responseBody.includes('phish.opendns.com/?url=') ? 'blocked' : 'coming'
      )}!</h1>
      </body>
      </html>`;
  • Rule: Response Rules.

Code

JavaScript or CSS code to be injected.

Script type

'JavaScript' or 'CSS'.

DOM event

A stage of the DOM loading on which the code is injected.

  • Can be one of the following values:
    • Loading;
    • Loaded;
    • Completed.
  • Rule: Content Scripts.

Formats

RegExp pattern

Begins with a slash '/' and ends with a slash '/'.

String filter

A string that is not a RegExp pattern.

Restricted JavaScript

A JavaScript function body that will be executed inside a sandbox.

  • The code may use only built-in objects and some APIs, which are:
    • Object, Array, String, RegExp, JSON, Map, Set, Promise, ...built-in objects;
    • isFinite, isNaN, parseInt, parseFloat;
    • encodeURI, encodeURIComponent, decodeURI, decodeURIComponent;
    • crypto, performance, atob, btoa, fetch and XMLHttpRequest.
  • The code may access request details and tab details, which are:
    • url, originUrl, documentUrl, method, proxyInfo, type (the type of the requested resource), timeStamp;
    • incognito (true if tab in private browsing), pinned (true if tab is pinned).
  • The function is async, hence, await can be used to perform asynchronous tasks.
  • The code should always return a value.
  • The code may throw a cloneable value. To see error logs, open the devtools > Console.
  • Properties: Text redirect URL, Text headers and Text response.

Others