test(mock-e2e): add private domains logic for the privacy report (#27844

) ## **Description** Introduce the concept of "private domains" for the `privacy-snapshot.json`. This allow to hide some part of a host [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/27844?quickstart=1) ## **Related issues** Required by: - #27730 ## **Manual testing steps** 1. Use this PR to test the feature: - #27730 2. `yarn build:test:flask` 3. Remove the this line https://github.com/MetaMask/metamask-extension/blob/d5715503202bfaf451f60a6392e48366291942f7/privacy-snapshot.json#L2 4. `yarn test:e2e:single test/e2e/flask/btc/btc-account-overview.spec.ts --browser=chrome --update-privacy-snapshot` 5. The `privacy-snapshot.json` should have been updated again with the line you just removed ## **Screenshots/Recordings** ### **Before** ### **After** ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.
MetaMask · Oct 16, 2024 · 3f69851 · 3f69851
1 parent 42e5eab
commit 3f69851
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/test/e2e/mock-e2e.js b/test/e2e/mock-e2e.js
@@ -66,6 +66,18 @@ const emptyHtmlPage = () => `<!DOCTYPE html>
 const browserAPIRequestDomains =
   /^.*\.(googleapis\.com|google\.com|mozilla\.net|mozilla\.com|mozilla\.org|gvt1\.com)$/iu;
 
+/**
+ * Some third-party providers might use random URLs that we don't want to track
+ * in the privacy report "in clear". We identify those private hosts with a
+ * `pattern` regexp and replace the original host by a more generic one (`host`).
+ * For example, "my-secret-host.provider.com" could be denoted as "*.provider.com" in
+ * the privacy report. This would prevent disclosing the "my-secret-host" subdomain
+ * in this case.
+ */
+const privateHostMatchers = [
+  // { pattern: RegExp, host: string }
+];
+
 /**
  * @typedef {import('mockttp').Mockttp} Mockttp
  * @typedef {import('mockttp').MockedEndpoint} MockedEndpoint
@@ -712,6 +724,25 @@ async function setupMocking(
   const portfolioRequestsMatcher = (request) =>
     request.headers.referer === 'https://portfolio.metamask.io/';
 
+  /**
+   * Tests a request against private domains and returns a set of generic hostnames that
+   * match.
+   *
+   * @param request
+   * @returns A set of matched results.
+   */
+  const matchPrivateHosts = (request) => {
+    const privateHosts = new Set();
+
+    for (const { pattern, host: privateHost } of privateHostMatchers) {
+      if (request.headers.host.match(pattern)) {
+        privateHosts.add(privateHost);
+      }
+    }
+
+    return privateHosts;
+  };
+
   /**
    * Listen for requests and add the hostname to the privacy report if it did
    * not previously exist. This is used to track which hosts are requested
@@ -721,6 +752,16 @@ async function setupMocking(
    * operation. See the browserAPIRequestDomains regex above.
    */
   server.on('request-initiated', (request) => {
+    const privateHosts = matchPrivateHosts(request);
+    if (privateHosts.size) {
+      for (const privateHost of privateHosts) {
+        privacyReport.add(privateHost);
+      }
+      // At this point, we know the request at least one private doamin, so we just stops here to avoid
+      // using the request any further.
+      return;
+    }
+
     if (
       request.headers.host.match(browserAPIRequestDomains) === null &&
       !portfolioRequestsMatcher(request)