Base64-encode HTML markup over the wire

[swissspidy]

Summary

This is an attempt to solve conflicts with Web Application Firewalls that block requests to due HTML being sent. WAFs like the one from Cloudflare or Sucuri even scan JSON objects to find HTML in there, and of course they treat a full blown HTML document (the AMP markup we create) as suspicious due to containing script tags etc.

So my thought here was simple: if no HTML is found, nothing can be blocked.

And the easiest way that came to mind here was simple base64-encoding the markup before sending it in the client, and then decoding it again on the server-side.

Relevant Technical Choices

• Encoded content is prefixed with __WEB_STORIES_ENCODED__ so that we can easily detect this in PHP.
  It might not be needed because we decode it right away upon receival, but I think it's safer to keep.
• Uses a method like described at https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/btoa to enable base64-encoding Unicode strings.

To-do

• Fix tests 🤔
• Further testing with WAFs

User-facing changes

N/A

Testing Instructions

Using templates and publishing stories should still work as expected. Especially when behind a WAF.

---

Fixes #4805

[github-actions]

Size Change: +9.63 kB (0%)

Total Size: 1.4 MB

Filename	Size	Change
assets/js/edit-story.js	528 kB	+4.8 kB (0%)
assets/js/stories-dashboard.js	593 kB	+4.83 kB (0%)

ℹ️ View Unchanged

Filename	Size	Change
assets/css/edit-story.css	909 B	0 B
assets/css/stories-dashboard.css	939 B	0 B
assets/css/web-stories-embed-block.css	515 B	0 B
assets/js/chunk-fonts-********************.js	43.7 kB	0 B
assets/js/chunk-web-stories-template-0-********************.js	10.2 kB	+1 B
assets/js/chunk-web-stories-template-1-********************.js	10.2 kB	0 B
assets/js/chunk-web-stories-template-2-********************.js	9.97 kB	0 B
assets/js/chunk-web-stories-template-3-********************.js	10.5 kB	+1 B
assets/js/chunk-web-stories-template-4-********************.js	10.6 kB	0 B
assets/js/chunk-web-stories-template-5-********************.js	6.83 kB	0 B
assets/js/chunk-web-stories-template-6-********************.js	9.87 kB	0 B
assets/js/chunk-web-stories-template-7-********************.js	9.75 kB	0 B
assets/js/chunk-web-stories-textset-0-********************.js	5.25 kB	0 B
assets/js/chunk-web-stories-textset-1-********************.js	6.58 kB	0 B
assets/js/chunk-web-stories-textset-2-********************.js	7.83 kB	0 B
assets/js/chunk-web-stories-textset-3-********************.js	15.2 kB	0 B
assets/js/chunk-web-stories-textset-4-********************.js	4.38 kB	0 B
assets/js/chunk-web-stories-textset-5-********************.js	5.68 kB	-1 B
assets/js/chunk-web-stories-textset-6-********************.js	5.47 kB	0 B
assets/js/chunk-web-stories-textset-7-********************.js	10.3 kB	0 B
assets/js/web-stories-activation-notice.js	74.1 kB	0 B
assets/js/web-stories-embed-block.js	17.5 kB	0 B

_{compressed-size-action}

[dreamofabear]

Neat but seems kinda brittle. Did we reach out or receive any guidance from Cloudflare or other WAF providers about this?

[swissspidy]

Not yet. But read #4805 for some context. The landscape is quite broad with many different vendors. And getting changes into something like the OWASP ruleset is going to take a long time. Whatever some vendor would do, it would end up being some cat and mouse game.

[codecov]

Codecov Report

Merging #4859 into main will increase coverage by 0.41%.
The diff coverage is 73.07%.

@@            Coverage Diff             @@
##             main    #4859      +/-   ##
==========================================
+ Coverage   75.75%   76.16%   +0.41%     
==========================================
  Files         911      903       -8     
  Lines       16223    16024     -199     
==========================================
- Hits        12289    12205      -84     
+ Misses       3934     3819     -115     

Flag	Coverage Δ
#karmatests	53.84% <0.00%> (+1.28%)	⬆️
#unittests	65.82% <85.71%> (+0.15%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
includes/Dashboard.php	35.77% <0.00%> (-0.30%)	⬇️
assets/src/edit-story/app/api/apiProvider.js	54.76% <50.00%> (ø)
includes/Traits/Decoder.php	60.00% <60.00%> (ø)
includes/REST_API/Stories_Base_Controller.php	41.66% <85.71%> (+2.01%)	⬆️
assets/src/edit-story/app/api/base64Encode.js	100.00% <100.00%> (ø)
includes/Story_Post_Type.php	80.33% <100.00%> (-0.39%)	⬇️
includes/Admin.php	75.92% <0.00%> (-9.32%)	⬇️
...orSettings/publisherLogo/popoverLogoContextMenu.js	92.85% <0.00%> (-7.15%)	⬇️
assets/src/edit-story/elements/text/edit.js	4.34% <0.00%> (-1.72%)	⬇️
...ssets/src/dashboard/components/popoverMenu/menu.js	78.57% <0.00%> (-1.09%)	⬇️
... and 60 more

[spacedmonkey]

@swissspidy This PR is still in draft. But I think it is good to go. Is it blocked by anything? Like #4898?

[swissspidy]

This PR is still in draft. But I think it is good to go. Is it blocked by anything? Like #4898?

#4898 would be nice to have, but not a blocker.

The biggest blocker here is alignment on the approach, and verification by users & support team that this does indeed work.

[spacedmonkey]

I have tested this locally and it works great! 👍