Make firefox problems go away #928

Merged: 2 commits, Sep 2, 2024

tbodt (Contributor) commented Sep 1, 2024

Fixed two, including the one that (afaik) got the addon taken down from AMO.

- Just load the sandbox from a blob url, then the extension CSP doesn't apply to it.
- Load the abs.twimg.com in the sandbox which does not run into the Firefox builtin blocker, I'm guessing because its js world is considered part of the twitter.com page and thus allowed to bypass the twitter.com blocker or some shit idk

dimdenGD (Owner) commented Sep 2, 2024

I don't understand what this PR does. Looks like just restructured code to me. Extension was taken down for using eval, you can't really fix that.

tbodt (Contributor Author) commented Sep 2, 2024

First commit removes the content_security_policy from the manifest. Now the challenge code is evaluated in the context of twitter.com and not the extension. That was the issue, right?

Second commit resolves the bug where enhanced tracking protection made the fetch for the challenge fail, which I didn't know about for a long time because that was just timing out and then using unsigned requests, until I git pulled the repo to work on this and got the alert() about unsigned requests no longer being allowed. Just making the fetch in the twitter.com context fixes this. This is useful regardless of A.M.O policies.

tbodt (Contributor Author) commented Sep 2, 2024

Like, the sandbox.html was a very ineffective sandbox - it had full access to extension APIs with the permission of the extension, and twitter could have pushed code which would remotely execute with the permission of the extension. No longer possible when loading the sandbox from the origin of a twitter blob url, it would now just run with the permission of twitter.com as was designed. Now that I'm explaining it here it seems clear that this is worth fixing for chrome too.

dimdenGD (Owner) commented Sep 2, 2024

Hm, I didn't know you can use object urls for iframes. I don't know if it'll pass AMO's review, but it's worth a try, thanks!

dimdenGD merged commit 1f06d6b into dimdenGD:master Sep 2, 2024
2 checks passed

dimdenGD (Owner) commented Sep 2, 2024

Also, Chrome version is using built-in sandbox feature in manifest, so it can't access any APIs

tbodt (Contributor Author) commented Sep 2, 2024

Oh didn't know that. I guess the issue is firefox doesn't support the sandbox mode

@tbodt tbodt deleted the fix-firefox branch September 2, 2024 23:25
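
The origin distinction discussed in this thread, as an added example (not code from this PR or the project): a small classifier that reports whether a frame URL is same-origin with the extension, treating a blob URL as carrying the origin of the context that created it. The function names, the `sandboxPages` parameter and the sample URLs are assumptions constructed for illustration.

```javascript
// Added illustration, not code from the PR. Reports which origin a frame's
// scripts run under, judged only from the URL the frame is loaded from.
const EXTENSION_SCHEMES = new Set(["moz-extension:", "chrome-extension:"]);

// sandboxPages (assumed input): paths listed under the Chrome manifest key
// "sandbox.pages"; those pages get an opaque origin and no extension APIs.
function frameTrustContext(frameUrl, sandboxPages = []) {
  let url = new URL(frameUrl);
  let viaBlob = false;
  if (url.protocol === "blob:") {
    // blob:<creator origin>/<uuid>: the blob keeps its creator's origin.
    url = new URL(url.pathname);
    viaBlob = true;
  }
  if (EXTENSION_SCHEMES.has(url.protocol)) {
    if (!viaBlob && sandboxPages.includes(url.pathname)) {
      return { context: "manifest-sandbox", extensionOrigin: false };
    }
    return { context: "extension", extensionOrigin: true };
  }
  return { context: "web:" + url.origin, extensionOrigin: false };
}

// Constructed sample URLs; the UUIDs and extension IDs are placeholders.
const SAMPLES = [
  ["moz-extension://00000000-0000-0000-0000-000000000000/sandbox.html", []],
  ["blob:https://twitter.com/11111111-1111-1111-1111-111111111111", []],
  ["blob:moz-extension://00000000-0000-0000-0000-000000000000/2222", []],
  ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/sandbox.html", ["/sandbox.html"]],
];

function auditFrames(samples = SAMPLES) {
  return samples.map(([u, pages]) => ({ url: u, ...frameTrustContext(u, pages) }));
}

for (const row of auditFrames()) {
  console.log(row.extensionOrigin ? "EXTENSION ORIGIN" : "not extension   ", row.context, row.url);
}
```

The third sample shows that a blob URL only moves code out of the extension's origin when the blob is created from the web page's context; one created by an extension page keeps the extension's origin.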