CSP headers prevents the extension from wrapping JS APIs #25
Comments
It seems that this bug is Firefox-only.
Data encoded URLs are also not an option: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
This is a known Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027, unfortunately it does not seem that they are making any progress lately.
A workaround could be to interact with page objects directly using https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Sharing_objects_with_page_scripts. However, that requires a rewrite of the current code. Is window.wrappedJSObject supported in Chrome?
Most probably not. I didn't find any solid evidence that window.wrappedJSObject is supported in Chrome.
It seems that Firefox needs wrapping such as:
However, such wrapping is incompatible with our current code.
Proof of concept page https://www.fit.vutbr.cz/~ipolcak/firefox_csp_bug/csp.php
JSR from c9a9b8b is able to wrap the code but there are some problems with returning code that cannot be accessed by page script.
A part of issue #40 handling. Background script caches the wrapping to be applied and also the information about CSP presence (#25). The hope is to improve speed and, consequently, apply wrapping before page scripts kick in. Nevertheless, the messaging between background and page scripts is still asynchronous. Hence, the possibility to use or store unwrapped objects by page scripts early remains. See #40 for more details.
This will be fixed in imminent 0.5 using the code by G. Maone
* Add fingerprinting defenses based on Farbling developed by the Brave browser (improved or added wrappers for Canvas, Audio, Web GL, device memory, hardware concurrency, enumerateDevices). Most wrappers support provisioning of white lies that differ between origins and sessions (the fingerprint is different across origins and across sessions).
* We claimed to generate white image fake Canvas value but instead generated fully transparent black image. We now generate the white image as it is more common in other anti-canvas fingerprinting tools (level 3).
* toDataUrl() no longer destructs the original canvas.
* We use NoScript Commons Library to simplify some tasks like cross-browser support.
* More reliable early content script configuration.
* CSP headers no longer prevent the extension from wrapping JS APIs in Firefox (Github issue #25)
* Wrappers should be injected reliably before page scripts start to operate (Github issue #40)
* We use NSCL to wrap APIs in iframes and workers
* It is no longer possible to access unwrapped functions from iframes and workers (Pagure issue #2, Github issue #56)
* Ignore trailing '.' in domain names when selecting appropriate custom level.
* Do not freeze wrappers to prevent fingerprintability of the users of JSR. We wrap the correct function in the prototype chain instead.
* navigator.getGamepads() wrapper added
* navigator.activeVRDisplays() and navigator.xr wrappers added
* Limit precision of high resolution timestamps in the Event, VRFrameData, and Gamepad interface to be consistent with Date and Performance precision
CSP like

Content-Security-Policy: default-src 'self';

does not allow the wrapping to be executed. So far confirmed in FF.

I see several options that can be applied:

* window.eval in FF

In both cases, we need to make sure that the wrapping code is executed.
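
The effect of the policy quoted in this issue, as an added example that is not part of the original issue or the extension's code: a sketch that parses one enforced CSP header value and reports which routes for getting script into the page it leaves open (inline `<script>`, `data:` URL script, `eval`). The function names are hypothetical, and it assumes a single policy (no comma-separated or report-only policies).

```javascript
// Added example; names are illustrative and not taken from the extension.

// Parse a CSP header value into a Map: directive name -> list of source expressions.
// Sources are lowercased because only keywords and prefixes are inspected here.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, the first occurrence of a directive wins; repeats are ignored.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return policy;
}

// Return the first directive present in the fallback chain,
// or null when no directive in the chain restricts scripts.
function effective(policy, chain) {
  for (const name of chain) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

function injectionRoutes(header) {
  const policy = parseCsp(header);
  const elem = effective(policy, ["script-src-elem", "script-src", "default-src"]);
  const evalList = effective(policy, ["script-src", "default-src"]);
  // A nonce, a hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline'.
  const pinned = elem !== null &&
    elem.some((s) => /^'(nonce|sha(256|384|512))-/.test(s) || s === "'strict-dynamic'");
  const strictDynamic = elem !== null && elem.includes("'strict-dynamic'");
  return {
    // Inline <script> element added to the document.
    inlineScript: elem === null || (elem.includes("'unsafe-inline'") && !pinned),
    // <script src="data:..."> needs an explicit data: source; '*' does not match data:.
    dataUrlScript: elem === null || (elem.includes("data:") && !strictDynamic),
    // eval() and new Function() need 'unsafe-eval'.
    evalAllowed: evalList === null || evalList.includes("'unsafe-eval'"),
  };
}
```

For the header in this issue, `injectionRoutes("default-src 'self';")` reports all three routes as closed, which matches the observation that the wrapping is not executed and that data encoded URLs are not an option either.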