Awesome
Man in the Middle
Firefox Extension.
Allow user to block or redirect requests, modify request headers and responses, inject JavaScript and CSS into pages.
Get Man in the Middle on Firefox Add-ons.
Get help writing rules.
See changes in the Project board.
Use cases:
- Block or redirect websites and requests;
- Add, modify or remove request and response headers;
- Modify response data;
- Inject JavaScript into pages to make them function as desired;
- Inject CSS into pages to style them as desired.
Screenshots
Use Blocking Rules to block or redirect requests.
Use Header Rules to modify request and response headers.
Headers can be modified using JavaScript.
Use Response Rules to modify network responses.
Use Content Scripts to inject JavaScript and CSS codes into pages.
Content Scripts can even be injected to the extension's pages.
Rules
Select rule properties for more details.
Blocking Rules
Rules to block or redirect requests.
Header Rules
Rules to modify request and response headers.
- Text headers (Required);
- Text type;
- Header type;
- URL filters (Required);
- Method;
- Origin URL filters.
Response Rules
Rules to modify network responses.
Content Scripts
Rules to inject JavaScript and CSS into pages.
Properties
URL filters
Filter request URL
s or document URL
s.
- Format: RegExp pattern or String filter.
- Separator:
line break
, i.e,'\n'
,'\r'
or'\r\n'
. - A filter that begins with an exclamation mark
'!'
is aURL exception
. - A
URL
is satisfied if it matches at least one of the filters and DOES NOT match anyURL exception
.- A
URL
matches a filter if it matches theRegExp pattern
or includes theString filter
.
- A
- Examples:
Any site is matched http
Any site is matched, but not www.google.com http !www.google.com
- Rules: Blocking Rules, Header Rules, Response Rules and Content Scripts.
Method
Filters request method
s.
- Value can be
'*'
or one of the HTTP request methods, i.e,'GET'
,'POST'
,'HEAD'
, etc. - A
request method
is satisfied if it equals to themethod
. - Rules: Blocking Rules, Header Rules and Response Rules.
Text redirect URL
To redirect or block requests.
- Format:
Plaintext
or Restricted JavaScript. - Type
Plaintext
:
AURL
to redirectrequest
s to.- If not set, matched requests are blocked.
- Parameters
'$n'
(1 <= <int>n <= 100
), in aredirect URL
are replaced with capture groups fromRegExp pattern
URL filter. - Examples:
Force secure connections for all HTTP requests. URL filter: /^http:(.*)/ Text redirect URL: https:$1
- Type Restricted JavaScript:
Returns aURL
to redirectrequest
s to.- The code must
return
a stringURL
.- If
URL
is empty, matched requests are blocked; - If
URL
equals to the request's URL, the request is neither blocked nor redirected; - Otherwise, the request is redirected to
URL
.
- If
- Examples:
// Facebook hours restricted to the range from 07:00 PM to 11:59 PM // URL filter: facebook.com, messenger.com // Text redirect URL: const date = new Date(); const hour = date.getHours(); return 19 <= hour && hour <= 23 ? url : '';
- The code must
- Rule: Blocking Rules.
Redirect URL
DEPRECATED since version 3.4.0. Use Text redirect URL instead.
- Rules: Blocking Rules.
Origin URL filters
Filter document URL
s.
- Format: RegExp pattern or String filter.
- Separator: comma
','
. - A
document URL
is satisfied if one of the following is satisfied:- No
filter
is set (default); - The
document URL
matches one of the filters.- A
document URL
matches a filter if it matches theRegExp pattern
or includes theString filter
.
- A
- No
- Rules: Blocking Rules, Header Rules, Response Rules and Content Scripts.
Text headers
To modify request or response headers.
- Format:
Plaintext
or Restricted JavaScript. - Type
Plaintext
:
Pair
s of headers.- Separator:
line break
, i.e,'\n'
,'\r'
or'\r\n'
. - A
Pair
is of the format:name: value
.- If
name
is empty, the header is omitted. - If
value
is empty, the header with the namename
is removed if it exists, or the header is omitted. - If a header with the name
name
exists, the header is modified. If there're more than one existing, the first is modified. - If no header with the name
name
exists, a new header is added.
- If
- Examples:
This overrides the default Accept header Accept: *
This removes Referer header if it exists Referer:
This adds new headers to the request Test-0: On Test-1: Off
- Separator:
- Type Restricted JavaScript:
Returns request or response headers.- The code must
return
an array of objects, each objects has two properties:'name'
and'value'
. - The code may access
requestHeaders
orresponseHeaders
, depending on the Header type. - The header array
requestHeaders
orresponseHeaders
has its methods to make it easier to modify headers:get(name)
gets header by name;set(name, value)
replaces header value if it exists, or adds a new header;modify([ ...[name, value] ])
sets multiple pairs of headers.
- Examples:
// Header type: Request headers // This do nothing but log the request headers to the console. throw requestHeaders;
// This line const acceptHeader = requestHeaders.get('Accept'); // equals to the below const acceptHeader = const acceptHeader = requestHeaders.find(({name}) => ( name.toLowerCase() === 'accept' ));
// Header type: Request headers // This line requestHeaders.modify([ ['Accept', '*'] ]); // equals to this line requestHeaders.set('Accept', '*'); // and equals to the below lines const acceptHeader = requestHeaders.get('Accept'); if (acceptHeader) { acceptHeader.value = '*'; } else { requestHeaders.push({name: 'Accept', value: '*'}); } return requestHeaders;
// Header type: Request headers // This line requestHeaders.modify([ ['Referer', ''] ]); // equals to the below const refererHeaderIndex = requestHeaders.findIndex(({name}) => ( name.toLowerCase() === 'referer' )); // Remove Referer header if (refererHeaderIndex !== -1) { requestHeaders.splice(refererHeaderIndex, 1); } return requestHeaders;
// Header type: Response headers responseHeaders.push({ name: 'Set-Cookie', value: 'Firefox-Extension=Man in the Middle; HttpOnly', }); return responseHeaders;
- The code must
- Rule: Header Rules.
Text type
'Plaintext'
or'JavaScript'
.
- Rule: Blocking Rules, Header Rules and Response Rules.
Header type
'Request headers'
or 'Response headers'
.
- Rule: Header Rules.
Text response
To modify network responses.
- Format:
Plaintext
or Restricted JavaScript. - Type
Plaintext
:
Any text as response body. - Type Restricted JavaScript:
Returns response body.- The code must
return
a string which is the response body. - The code may access
responseBody
andresponseHeaders
. - Examples:
// Site: http://internetbadguys.com/ return `<!DOCTYPE html> <html> <head> <meta charset="utf-8"> </head> <body> <h1>Bad guys are ${( responseBody.includes('phish.opendns.com/?url=') ? 'blocked' : 'coming' )}!</h1> </body> </html>`;
- The code must
- Rule: Response Rules.
Code
JavaScript
or CSS
code to be injected.
- Rule: Content Scripts.
Script type
'JavaScript'
or 'CSS'
.
- To see error logs, open the
devtools > Console
. - Rule: Content Scripts.
DOM event
A stage of the DOM
loading on which the code is injected.
- Can be one of the following values:
Loading
;Loaded
;Completed
.
- Rule: Content Scripts.
Formats
RegExp pattern
Begins with a slash '/'
and ends with a slash '/'
.
- The characters inside the two slashes must form a valid RegExp, otherwise, the pattern is treated as a String filter.
- Examples:
/./ /faceb(\w{2})k\.[\w]+/
- Properties: URL filters and Origin URL filters.
String filter
A string that is not a RegExp pattern.
- Examples:
http facebook.com /invalid { RegExp/
- Properties: URL filters and Origin URL filters.
Restricted JavaScript
A JavaScript function body that will be executed inside a sandbox.
- The code may use only built-in objects and some APIs, which are:
Object
,Array
,String
,RegExp
,JSON
,Map
,Set
,Promise
, ...built-in objects;isFinite
,isNaN
,parseInt
,parseFloat
;encodeURI
,encodeURIComponent
,decodeURI
,decodeURIComponent
;crypto
,performance
,atob
,btoa
,fetch
andXMLHttpRequest
.
- The code may access request details and tab details, which are:
url
,originUrl
,documentUrl
,method
,proxyInfo
,type
(the type of the requested resource),timeStamp
;incognito
(true
if tab in private browsing),pinned
(true
if tab is pinned).
- The function is
async
, hence,await
can be used to perform asynchronous tasks. - The code should always
return
a value. - The code may
throw
a cloneable value. To see error logs, open thedevtools > Console
. - Properties: Text redirect URL, Text headers and Text response.
Others
- If you have questions or need help, feel free to message me at: facebook/dangkyokhoang.
- If you have feature requests, suggestions, or you've found bugs, raise issues at: man-in-the-middle/issues.