Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not being able to guarantee interception #55

Open
ghostwords opened this issue Feb 11, 2018 · 8 comments
Open

Not being able to guarantee interception #55

ghostwords opened this issue Feb 11, 2018 · 8 comments

Comments

@ghostwords
Copy link

ghostwords commented Feb 11, 2018
edited
Loading

This is a problem with current WebExtensions APIs: we can either guarantee injection (into a frame) before anything else will happen, or we can inject conditionally/pass configuration to the injected script, but not both. There are workarounds and promising upcoming APIs, however.

Workarounds:

Upcoming APIs:
@gbaptista
Copy link
Owner

gbaptista commented Feb 11, 2018
edited
Loading

@ghostwords This is a major concern and I have tried several approaches to fix the problem. (working with cookies, local storage and other things).

Many thanks for sharing the Workarounds and Upcoming APIs. I will read all the discussions, there is certainly some gold there that I can use to try some solution for this!

@ghostwords ghostwords mentioned this issue Feb 12, 2018
Open
@gbaptista gbaptista mentioned this issue Feb 14, 2018
Merged
@gbaptista
Copy link
Owner

gbaptista commented Feb 15, 2018
edited
Loading

@ghostwords I believe I have found a solution (reading all the discussions and references) to ensure the interception. I used the cookie idea with a fallback to onCommitted solution.

I wrote some notes about my experience and the result: guides/how-it-works/interception.md

I'll keep an eye on the Upcoming APIs. Thanks again for sharing all this, it helped a lot to improve the project!

@ghostwords
Copy link
Author

ghostwords commented Feb 15, 2018
edited
Loading

Nice, I agree that the cookie approach seems to be the only workaround that provides synchronous messaging. However, the cookie workaround comes with many downsides, some already documented in your guide. One that comes to mind is the uncertainty around multiple frames (pes10k/web-api-manager#14 (comment)), another is it breaking in cookie-restricted environments (pes10k/web-api-manager#53).

I'm going to spend a little more time reviewing the options as part of EFForg/privacybadger#1861. Current feeling is to keep complexity low and accept the injection delay, and later switch to using chrome.contentScripts.register() in Firefox and lobby Chrome for a similar API. (Shouldn't Chrome and Firefox work together to keep WebExtensions as cross-browser aligned as possible?)

@gbaptista
Copy link
Owner

@ghostwords An update on this subject, I created a page with random iframes and random load times to better visualize the interceptions and I got some curious results: https://gbaptista.github.io/luminous/html/demos/interception/

I just open the page and try to block the execution of addEventListener('click'). As you already pointed out, the cookie strategy has problems and we ended up deleting the cookie before the time or letting the cookie leak for some reason. When the cookie fails, we have different results (in this scenario of multiple frames): Sometimes the storage.sync runs faster than the onCommitted. This is in the Luminous scenario, of course, but we may have similar results for other extensions.

Current feeling is to keep complexity low and accept the injection delay.

I understand this approach, it makes sense. In the case of Luminous we end up losing too many blocks with this, it's complicated.

and later switch to using chrome.contentScripts.register() in Firefox

I will do some experiments with contentScripts.register and webRequest.filterResponseData.

and lobby Chrome for a similar API

Could I help in any way in this?

Shouldn't Chrome and Firefox work together to keep WebExtensions as cross-browser aligned as possible?

Definitely!

Some screenshots of my experiments:

  • Chromium:

selection_367

  • Opera:

selection_369

  • Firefox:

selection_370

@gbaptista gbaptista mentioned this issue Mar 9, 2018
Merged
@gbaptista
Copy link
Owner

@ghostwords I tried both APIs (contentScripts.register and webRequest.filterResponseData). My impressions and results:

contentScripts.register

It did not work for me.

The extension may have different rules for 100 different domains, loading all rules with matches may create performance problems, it is tricky to try to deal with this without consuming unnecessary resources. Injecting the rules of all domains into any loaded page also did not seem to me an efficient option.

In my case I want to load rules inside iframes according to the domain of the main frame, I did not find a way to be able to do this type of verification with content_scripts and ended up loading rules only by domain.

So, for those who have only global rules for any domain may be a good choice, it is not my case.

Warning: using chrome.contentScripts.register instead of browser.contentScripts.register apparently works, but with the chrome alias the register call does not return a Promise, I wasted a lot of time until I figured this out.

webRequest.filterResponseData

It worked for me, but with some workarounds that can be tricky.

You need to know exactly where to insert the code, creating a script tag before a DOCTYPE tag for example will break the page. > workaround

Some sites (inbox.google.com, youtube.com, facebook.com...) make a request for new documents and just inject what was received into the current document and this can duplicate your injected code. > workaround

It is not possible (if anyone knows how, I will be very grateful!) from the perspective of a content_script (synchronously) to know if the browser has filterResponseData support. So deciding whether a browser will use filterResponseData or some other strategy ( cookie, onCommitted ...) is a problem. Also, when the first content_script is executed it can not see the code injected by filterResponseData immediately, which makes things even harder... The workaround is trying to identify the browser used to determine the strategy, something I'm definitely not happy about...

Results

Workarounds aside, with filterResponseData it was possible to inject the code without any delay and without needing cookies (Firefox only):

selection_372

Related resources

@Atavic
Copy link

Atavic commented Mar 13, 2018

...and lobby Chrome for a similar API

Could I help in any way in this?

https://groups.google.com/a/chromium.org/
http://www.chromium.org/developers/technical-discussion-groups

@gbaptista
Copy link
Owner

Another issue with filterResponseData: Fix Firefox binary files issue #94

@gbaptista
Copy link
Owner

@Atavic: Despite the interest, apparently no one is willing to work on this:

I have no idea how difficult that would be to implement this. I'll try to search for how it was done in Firefox... A good knowledge in C++ is certainly necessary, but what scared me was to see the requirements to build Chromium and try to implement something like this:

  • A 64-bit Intel machine with at least 8GB of RAM. More than 16GB is highly recommended.
  • At least 100GB of free disk space.

This was referenced Nov 19, 2018
Closed
Closed
@gbaptista gbaptista mentioned this issue Mar 21, 2019
Closed
@polcak polcak mentioned this issue May 29, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gbaptista @ghostwords @Atavic