Firefox Extension.

Allow user to block or redirect requests, modify request headers and responses, inject JavaScript and CSS into pages.

Get Man in the Middle on Firefox Add-ons.
Get Man in the Middle on Chrome Store*.
Get help writing rules.
See changes in the Project board.

* Some features won't be available in the compatible version for Chrome. See this for more.

• Block or redirect websites and requests;
• Add, modify or remove request and response headers;
• Modify response data;
• Inject JavaScript into pages to make them function as desired;
• Inject CSS into pages to style them as desired.

Use Blocking Rules to block or redirect requests.

Use Header Rules to modify request and response headers.

Headers can be modified using JavaScript.

Use Response Rules to modify network responses.

Use Content Scripts to inject JavaScript and CSS codes into pages.

Content Scripts can even be injected to the extension's pages.

Select rule properties for more details.

Rules to block or redirect requests.

• URL filters (Required);
• Method;
• Redirect URL;
• Origin URL filters.

Rules to modify request and response headers.

• Text headers (Required);
• Text type;
• Header type;
• URL filters (Required);
• Method;
• Origin URL filters.

Rules to modify network responses.

• Text response (Required);
• Text type;
• URL filters (Required);
• Method;
• Origin URL filters.

Rules to inject JavaScript and CSS into pages.

• Code (Required);
• Script type;
• URL filters (Required);
• DOM event;
• Origin URL filters.

Filter request URLs or document URLs.

• Format: RegExp pattern or String filter.
• Separator: line break, i.e, '\n', '\r' or '\r\n'.
• A filter that begins with an exclamation mark '!' is a URL exception.
• A URL is satisfied if it matches at least one of the filters and DOES NOT match any URL exception.
  • A URL matches a filter if it matches the RegExp pattern or includes the String filter.
• Examples:

  Any site is matched
  http
  

  Any site is matched, but not www.google.com
  http
  !www.google.com
  

• Rules: Blocking Rules, Header Rules, Response Rules and Content Scripts.

Filters request methods.

• Value can be '*' or one of the HTTP request methods, i.e, 'GET', 'POST', 'HEAD', etc.
• A request method is satisfied if it equals to the method.
• Rules: Blocking Rules, Header Rules and Response Rules.

A URL to redirect requests to.

• If not set, matched requests are blocked.
• Parameters '$n' (1 <= <int>n <= 100), in a redirect URL are replaced with capture groups from RegExp pattern URL filter.
• Examples:

  Force HTTPS for all network requests.
  URL filter:   /^http:(.*)/
  Redirect URL: https:$1
  

• Rules: Blocking Rules.

Filter document URLs.

• Format: RegExp pattern or String filter.
• Separator: comma ','.
• A document URL is satisfied if one of the following is satisfied:
  • No filter is set (default);
  • The document URL matches one of the filters.
    • A document URL matches a filter if it matches the RegExp pattern or includes the String filter.
• Rules: Blocking Rules, Header Rules, Response Rules and Content Scripts.

To modify request or response headers.

• Format: Plaintext or Restricted JavaScript.
• Type Plaintext:
  Pairs of headers.
  • Separator: line break, i.e, '\n', '\r' or '\r\n'.
  • A Pair is of the format: name: value.
    • If name is empty, the header is omitted.
    • If value is empty, the header with the name name is removed if it exists, or the header is omitted.
    • If a header with the name name exists, the header is modified. If there're more than one existing, the first is modified.
    • If no header with the name name exists, a new header is added.
  • Examples:

    This overrides the default Accept header
    Accept: *
    

    This removes Referer header if it exists
    Referer:
    

    This adds new headers to the request
    Test-0: On
    Test-1: Off
    

• Type Restricted JavaScript:
  Returns request or response headers.
  • The code must return an array of objects, each objects has two properties: 'name' and 'value'.
  • The code may access requestHeaders or responseHeaders, depending on the Header type.
  • The header array requestHeaders or responseHeaders has its methods to make it easier to modify headers:
    • get(name) gets header by name;
    • set(name, value) replaces header value if it exists, or adds a new header;
    • modify([ ...[name, value] ]) sets multiple pairs of headers.
  • Examples:

    // Header type: Request headers
    // This do nothing but log the request headers to the console.
    throw requestHeaders;

    // This line
    const acceptHeader = requestHeaders.get('Accept');
    //     equals to the below
    const acceptHeader = const acceptHeader = requestHeaders.find(({name}) => (
        name.toLowerCase() === 'accept'
    ));

    // Header type: Request headers
    
    // This line
    requestHeaders.modify([ ['Accept', '*'] ]);
    //     equals to this line
    requestHeaders.set('Accept', '*');
    //     and equals to the below lines
    const acceptHeader = requestHeaders.get('Accept');
    if (acceptHeader) {
        acceptHeader.value = '*';
    } else {
        requestHeaders.push({name: 'Accept', value: '*'});
    }
    
    return requestHeaders;

    // Header type: Request headers
    // This line
    requestHeaders.modify([ ['Referer', ''] ]);
    //    equals to the below
    const refererHeaderIndex = requestHeaders.findIndex(({name}) => (
        name.toLowerCase() === 'referer'
    ));
    // Remove Referer header
    if (refererHeaderIndex !== -1) {
        requestHeaders.splice(refererHeaderIndex, 1);
    }
    
    return requestHeaders;

    // Header type: Response headers
    responseHeaders.push({
        name: 'Set-Cookie',
        value: 'Firefox-Extension=Man in the Middle; HttpOnly',
    });
    return responseHeaders;

• Rule: Header Rules.

'Plaintext' or'JavaScript'.

• Rule: Header Rules and Response Rules.

'Request headers' or 'Response headers'.

• Rule: Header Rules.

To modify network responses.

• Format: Plaintext or Restricted JavaScript.
• Type Plaintext:
  Any text as response body.
• Type Restricted JavaScript:
  Returns response body.
  • The code must return a string which is the response body.
  • The code may access responseBody and responseHeaders.
  • Examples:

    // Site: http://internetbadguys.com/
    return `<!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8">
    </head>
    <body>
    <h1>Bad guys are ${(
        responseBody.includes('phish.opendns.com/?url=') ? 'blocked' : 'coming'
    )}!</h1>
    </body>
    </html>`;

• Rule: Response Rules.

JavaScript or CSS code to be injected.

• Rule: Content Scripts.

'JavaScript' or 'CSS'.

• To see error logs, open the devtools > Console.
• Rule: Content Scripts.

A stage of the DOM loading on which the code is injected.

• Can be one of the following values:
  • Loading;
  • Loaded;
  • Completed.
• Rule: Content Scripts.

Begins with a slash '/' and ends with a slash '/'.

• The characters inside the two slashes must form a valid RegExp, otherwise, the pattern is treated as a String filter.
• Examples:

  /./
  /faceb(\w{2})k\.[\w]+/
  

• Properties: URL filters and Origin URL filters.

A string that is not a RegExp pattern.

• Examples:

  http
  facebook.com
  /invalid { RegExp/
  

• Properties: URL filters and Origin URL filters.

A JavaScript function body that will be executed inside a sandbox.

• The code may use only built-in objects and some APIs, which are:
  • Object, Array, String, RegExp, JSON, Map, Set, Promise, ...built-in objects;
  • isFinite, isNaN, parseInt, parseFloat;
  • encodeURI, encodeURIComponent, decodeURI, decodeURIComponent;
  • crypto, performance, atob, btoa, fetch and XMLHttpRequest.
• The code may access request details and tab details, which are:
  • url, originUrl, documentUrl, method, proxyInfo, type (the type of the requested resource), timeStamp;
  • incognito (true if tab in private browsing), pinned (true if tab is pinned).
• The function is async, hence, await can be used to perform asynchronous tasks.
• The code should always return a value.
• The code may throw a cloneable value. To see error logs, open the devtools > Console.
• Properties: Text headers and Text response.

• If you have questions or need help, feel free to message me at: Facebook/dangkyokhoang.
• If you have feature requests, suggestions, or you've found bugs, raise issues at: Man-in-the-Middle/issues.