http-quik 0.1.7

High-fidelity, stealth-optimized HTTP transport engine for Chrome 134 identity parity.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

use crate::profile::ChromeProfile;
use http::header::{HeaderMap, HeaderValue, ACCEPT, ACCEPT_ENCODING, ACCEPT_LANGUAGE, USER_AGENT};

/// Defines the context of the network request, mimicking browser fetch metadata.
#[allow(dead_code)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RequestContext {
    /// A top-level page navigation (e.g., clicking a link or typing in the URL bar).
    Navigate,
    /// An asynchronous XMLHttpRequest or Fetch API call.
    Xhr,
    /// A form submission navigation.
    Form,
    /// An iframe navigation.
    Iframe,
    /// A parser-blocking or async script subresource.
    NoCorsScript,
    /// A stylesheet subresource.
    NoCorsStyle,
    /// An image subresource.
    NoCorsImage,
    /// A font subresource.
    NoCorsFont,
    /// A media subresource.
    NoCorsMedia,
    /// A Web Worker script.
    Worker,
    /// A Service Worker script.
    ServiceWorker,
    /// A prefetch request.
    Prefetch,
}

/// Injects Chrome-identical headers into the provided request map.
///
/// Populates navigation metadata, Client Hints, compression preferences,
/// and HPACK sensitivity flags in the exact order and format emitted by
/// the target Chrome version.
///
/// ## Cross-Platform Consistency
/// The `sec-ch-ua-platform` and `sec-ch-ua-platform-version` values are
/// sourced from the active [`ChromeProfile`], ensuring they match the
/// OS persona declared during the TLS handshake.
///
/// ## HPACK Sensitivity
/// `cookie` and `authorization` headers are marked as sensitive to force
/// the HPACK encoder into "Literal Never Indexed" mode, preventing
/// side-channel leaks (CRIME mitigation).
pub fn inject_chrome_headers(
    headers: &mut HeaderMap,
    profile: &ChromeProfile,
    sec_fetch_site: &str,
    is_initial_navigation: bool,
    context: RequestContext,
    accept_ch: bool,
    referer: Option<&str>,
) {
    // 1. Client Hints (Sec-CH-UA)
    // These headers provide granular version and platform information to the server.
    if let Ok(val) = HeaderValue::from_str(&profile.headers.sec_ch_ua) {
        headers.insert("sec-ch-ua", val);
    }
    headers.insert("sec-ch-ua-mobile", HeaderValue::from_static("?0"));
    if let Ok(val) = HeaderValue::from_str(&profile.headers.sec_ch_ua_platform) {
        headers.insert("sec-ch-ua-platform", val);
    }
    // Chrome only sends platform-version if explicitly solicited via Accept-CH in previous responses.
    if accept_ch {
        if let Ok(val) = HeaderValue::from_str(&profile.headers.sec_ch_ua_platform_version) {
            headers.insert("sec-ch-ua-platform-version", val);
        }
    }

    // 2. Navigation / Fetch metadata
    headers.insert("upgrade-insecure-requests", HeaderValue::from_static("1"));
    if let Ok(val) = HeaderValue::from_str(&profile.headers.user_agent) {
        headers.insert(USER_AGENT, val);
    }

    // Inject dynamic sec-fetch-* state based on the current redirect context.
    if let Ok(val) = HeaderValue::from_str(sec_fetch_site) {
        headers.insert("sec-fetch-site", val);
    }
    let (mode, dest, accept_val) = match context {
        RequestContext::Navigate | RequestContext::Form => ("navigate", "document", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"),
        RequestContext::Iframe => ("navigate", "iframe", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"),
        RequestContext::Xhr => ("cors", "empty", "*/*"),
        RequestContext::NoCorsScript => ("no-cors", "script", "*/*"),
        RequestContext::NoCorsStyle => ("no-cors", "style", "text/css,*/*;q=0.1"),
        RequestContext::NoCorsImage => ("no-cors", "image", "image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"),
        RequestContext::NoCorsFont => ("no-cors", "font", "*/*"),
        RequestContext::NoCorsMedia => ("no-cors", "video", "*/*"),
        RequestContext::Worker => ("same-origin", "worker", "*/*"),
        RequestContext::ServiceWorker => ("same-origin", "serviceworker", "*/*"),
        RequestContext::Prefetch => ("no-cors", "empty", "*/*"),
    };
    headers.insert(ACCEPT, HeaderValue::from_static(accept_val));
    headers.insert("sec-fetch-mode", HeaderValue::from_static(mode));

    // The 'sec-fetch-user' header is present ONLY on the first hop of a user-initiated navigation.
    if is_initial_navigation && (context == RequestContext::Navigate || context == RequestContext::Form || context == RequestContext::Iframe) {
        headers.insert("sec-fetch-user", HeaderValue::from_static("?1"));
    }

    headers.insert("sec-fetch-dest", HeaderValue::from_static(dest));

    if let Some(r) = referer {
        if let Ok(val) = HeaderValue::from_str(r) {
            headers.insert(http::header::REFERER, val);
        }
    }

    // 3. Compression & Language
    let encoding = if profile.headers.zstd_encoding {
        "gzip, deflate, br, zstd"
    } else {
        "gzip, deflate, br"
    };
    headers.insert(ACCEPT_ENCODING, HeaderValue::from_static(encoding));
    if let Ok(val) = HeaderValue::from_str(&profile.headers.accept_language) {
        headers.insert(ACCEPT_LANGUAGE, val);
    }

    // 4. Chrome Priority Header (u=0, i for navigations)
    if profile.headers.include_priority_header {
        headers.insert("priority", HeaderValue::from_static("u=0, i"));
    }

    // 5. HPACK "Never Index" (Sensitive) markers.
    // Chrome explicitly marks cookies and auth headers as sensitive. This forces
    // the HPACK encoder to use the "Literal Header Field Never Indexed" representation,
    // which prevents these values from entering the dynamic table (CRIME mitigation).
    for (name, value) in headers.iter_mut() {
        if name == "cookie" || name == "authorization" {
            value.set_sensitive(true);
        }
    }

    // TODO(agent): Intelligent `:path` indexing.
    // If the request path exceeds a certain entropy/length threshold (e.g., > 40 chars
    // for unique REST API IDs), we should flag the `:path` pseudo-header as sensitive
    // to prevent dynamic table bloat, matching Chrome's behavior. This requires a patch
    // in the upstream `0x676e67/http2` fork to support `no_index` on pseudo-headers.
}