-
-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wiktionary archives since 2023-02 contain a redirect which breaks out of iframe #1803
Comments
Originally posted by @Jaifroid in kiwix/kiwix-js#972 (comment)
|
While I agree that this needs to be fixed here in mwoffliner, I wouldn't say that kiwix-js doesn't need changes. No other viewer except specifically kiwix-js ServiceWorker mode is having this problem. They tell new computer users to not click on suspicious links. The behavior of kiwix-js failing to remove the redirect is equivalent to making users' computers automatically click on links. That advice applies less to today's web as browsers have improved. Likewise I would prefer a strong sandbox in kiwix-js where I don't have to worry about whether the zim I open is malicious or not. Unless kiwix-js is based on loading each "piece of JS" that you are talking about and it's too hard to change? This "rouge piece of JS" is likely the one at mw.loader.implement( "mediawiki.page.ready@", {
"main": "ready.js",
"files": {
"ready.js": function ( require, module, exports ) {
var checkboxShift = require( './checkboxShift.js' );
var config = require( './config.json' );
// Break out of framesets
if ( mw.config.get( 'wgBreakFrames' ) ) {
// Note: In IE < 9 strict comparison to window is non-standard (the standard didn't exist yet)
// it works only comparing to window.self or window.window (https://stackoverflow.com/q/4850978/319266)
if ( window.top !== window.self ) {
// Un-trap us from framesets
window.top.location.href = location.href;
}
}
// ... I tend to prefer client-side solutions as those would apply to all zims retroactively. It's a little past the 2 year anniversary of me opening #1033 originally for kiwix-android and that only got fixed this year. I expect a 3 month wait if this has to be fixed in mwoffliner and that still wouldn't make that zim usable in kiwix-js ServiceWorker like the other viewers. |
@danielzgtg Point taken! I agree that a rigorous sandbox is required, and I put the most rigorous one I could into the PWA version (pwa.kiwix.org), which blocks any access to content from the Web, as can be seen by looking at console.log for almost any ZIM opened (there are often font files, the odd svg, etc. that ZIMs try to access, especially Zimit ZIMs). However there was no consensus on my doing this for Kiwix JS when I last broached it. Having said that, in this case a sandbox makes no difference: the JS doesn't attempt to navigate outside of the local origin, and no amount of sandboxing could stop this. Hence, three Kiwix apps that use iframes are affected:
I can indeed put in a patch in both JS readers that gets rid of this code (and many thanks for identifying it), and this may be the only way to deal with it quickly, unless @kelson42 thinks this JS can be removed at source (which would be the cleanest option) in a relatively quick timescale? @kelson42 what is your advice? |
I opened kiwix/kiwix-js-pwa#376 to test a local patch for this, and re-opened kiwix/kiwix-js#972 so that other users noticing this error will see there is an issue raised. |
The rogue redirect JS also affects pwa.kiwix.org
Two hours later, I managed to break out of the sandbox to display an image from the web. That may waste users' data, and a malicious actor would much worse things. I think we will have to settle with fixing non-malicious zims. A sandbox is only practical when enforced from C++/Java. A sandbox as Javascript code would either be leaky or very slow. I spend hours tying to Patching to disable specific scripts looks ugly, but it seems like it's the only viable solution. Unless you disable all scripts or have C++/Java, scripts can always be crafted to evade detection in a cat-and-mouse game. It will fix the non-malicious zims though. Removing it at source in addition to that is also nice at it will improve compression.
There is something at kiwix/kiwix-js#972 (comment) . Ideally we need to completely restrict |
@danielzgtg Regarding what is relevant for fixing the ZIM at source, the most obvious thing would be not to scrape that script, which would be relatively simple, as it is not a script that does anything that we need in an offline ZIM, and is in fact harmful (in terms of breaking JS-based controls that use iframes), as you have diagnosed. The other issues you mention about sandboxing are relevant to specific readers/clients, so let's discuss those in the appropriate issues. NB I have a fix for the PWA version that I'm testing, but will let you know here when I have a publicly accessible build. |
@pavel-karatsiuba Is there an elegant way to solve this without breaking other scrapes with other Mediawiki instances? |
@kelson42 |
@kelson42 where exactly is this special behaviour comming from? How is that related to startup module? |
@kelson42 |
@pavel-karatsiuba Please rename the function has it is now more generic and handle the case. Just to be sure: how many times this function is called within a scrape? |
Originally posted by @danielzgtg in kiwix/kiwix-js#972 (comment)
The text was updated successfully, but these errors were encountered: