Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix handling of non-default levels #40

Closed
polcak opened this issue May 18, 2020 · 6 comments
Closed

Fix handling of non-default levels #40

polcak opened this issue May 18, 2020 · 6 comments
Labels
browser bug Something isn't working and it would be better if it was fixed in broser(s) rather than this extens help wanted Extra attention is needed

Comments

@polcak
Copy link
Owner

polcak commented May 18, 2020

Currently, we store settings in 'browser.storage.sync', however, it seems that:

  • The callback is not called immediately (at least by Firefox)
  • The default level is applied instead of the correct one.
  • Also, the borrowed injectScript is called after page scripts, see https://www.fit.vutbr.cz/~ipolcak/firefox_csp_bug/nocsp.php which means that page scripts can keep unwrapped objects.

It is necessary to learn what makes Firefox launch page scripts before the document_start script finishes (for example, due to an asnychronous call). Fix the problem.
@polcak polcak added bug Something isn't working help wanted Extra attention is needed labels May 18, 2020
@polcak polcak added this to the 0.3 milestone May 18, 2020
@polcak
Copy link
Owner Author

polcak commented May 18, 2020

0.2.1 seems to insert wrapping before page scripts run

@polcak
Copy link
Owner Author

polcak commented May 19, 2020

Now, the injectScript is called before the page script without any change. There is an unpredictable race condition that needs to be revealed.

@polcak
Copy link
Owner Author

polcak commented May 24, 2020

If we go for promise-based approach: https://github.com/mozilla/webextension-polyfill

@polcak
Copy link
Owner Author

polcak commented May 29, 2020

So it seems that there is no (cross-browser) reliable way to ensure that content scripts finishes and insert the wrapping before page scripts start running, see:

@polcak polcak added browser bug Something isn't working and it would be better if it was fixed in broser(s) rather than this extens and removed bug Something isn't working labels May 29, 2020
polcak added a commit that referenced this issue Jun 4, 2020
@polcak
Cache wrapping in background script
6b51fa8 
A part of issue #40 handling.

Background script caches the wrapping to be applied and also the
information about CSP presence (#25). The hope is to improve speed and
consequently, apply wrapping before page scripts kick in. Nevertheless,
there the messages between background and page scripts is still
asynchronous. Hence, the possibility to use or store unwrapped objects
by page scripts early reamins. See #40 for more details.
polcak added a commit that referenced this issue Jun 4, 2020
@polcak
Merge branch caching wrapping in background script
28452fa 
This elminates async browser.storage.sync, however, the message passing
is still asynchronous. So #40 is not fixed.

This also helps with #25 because backgound remembers domains afftected
by the CSP bug in Firefox.
@polcak polcak removed this from the 0.3 milestone Jun 4, 2020
@polcak polcak mentioned this issue Jun 23, 2020
Closed
@polcak polcak mentioned this issue Sep 18, 2020
Closed
@polcak
Copy link
Owner Author

polcak commented May 4, 2021

#71 marked as duplicate

@polcak
Copy link
Owner Author

polcak commented Aug 20, 2021

This will be fixed in imminent 0.5 using the code from NSCL

@polcak polcak closed this as completed Aug 20, 2021
polcak added a commit that referenced this issue Sep 15, 2021
@polcak
0.5 release
3cb109d 
* Add fingerprinting defenses based on Farbling developed by the Brave browser (improved or added
        wrappers for Canvas, Audio, Web GL, device memory, hardware concurrency, enumerateDevices). Most
        wrappers support provisioning of white lies that differ between origins and sessions (the
        fingeprint is different across origins and across sessions).
 * We claimed to generate white image fake Canvas value but instead generated fully transparent black image. We now generate the white image as it is more common in other anti-canvas fingerprinting tools (level 3).
 * toDataUrl() no longer destructs the original canvas.
* We use NoScript Commons Library to simplify some tasks like cross-browser support.
 * More reliable early content script configuration.
   * CSP headers no longer prevents the extension from wrapping JS APIs in Firefox (Github issue #25)
   * Wrappers should be injected reliably before page scripts start to operate (Github issue #40)
 * We use NSCL to wrap APIs in iframes and workers
   * It is no longer possible to access unwrapped functions from iframes and workers (Pagure issue #2, Github issue #56)
* Ignore trailing '.' in domain names when selecting appropriate custom level.
* Do not freeze wrappers to prevent fingeprintability of the users of JSR. We wrap the correct function
        in the prototype chain instead.
* navigator.getGamepads() wrapper added
* navigator.activeVRDisplays() and navigator.xr wrappers added
* Limit precision of high resolution timestamps in the Event, VRFrameData, and Gamepad interface to be consistent
        with Date and Performance precision
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
browser bug Something isn't working and it would be better if it was fixed in broser(s) rather than this extens help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@polcak