Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove all web_accessible_resources, inject page code with Blob urls. #86

Merged
merged 15 commits into from
Jul 28, 2018
Merged

Remove all web_accessible_resources, inject page code with Blob urls. #86

merged 15 commits into from
Jul 28, 2018

Conversation

cowlicks
Copy link
Owner

Having web accessible resources exposes us to some fingerprinting techniques related to a bug in firefox (link).

This also has other benefits.

  • Now that we inject scripts with blob URL's we should avoid problems with sites that have restrictive CSP's that might block extension:// urls.
  • The fingerprinting script now also no-longer gets injected with a data attribute that is observable by the page, this makes it harder for a malicious site to try to interfere with PP.
  • We can now handle the contentscripts in a more testable way, like other modules we have.

Thanks to violentmonkey for inspiring me with this blogpost.

cowlicks added 15 commits July 24, 2018 14:18
@cowlicks
Add fingercounting init function
becb008
@cowlicks
Add contentscripts to inject, fix test
8b163fa
@cowlicks
Put FP script in make funcion, make requireable.
5d62da6
@cowlicks
Use makeFingerCounting in contentscript injection.
0ac5827
@cowlicks
rm fingercounting from web_accessible_resources
fea21a4
@cowlicks
Remove web_accessible directory.
f2ababa
@cowlicks
Make injector into intialize_contentscripts
d332fc7
@cowlicks
Reflect file moves in the code.
9e72650
@cowlicks
fix missed instance of web_accessible
cc523c2
@cowlicks
better names in contentscript initializer
6c750f7
@cowlicks
revokeObjectURL
1cb2b83
@cowlicks
Rm unneeded data attr getting from script tag
ebf4e75
@cowlicks
Fix two incorrect names in init_contentscripts
76ee190
@cowlicks
Fix eslint problems in fingercounting_test
2087719
@cowlicks
Fix bug with script property access in Firefox
a13120f 
Related to this:
https://blog.mozilla.org/addons/2014/04/10/changes-to-unsafewindow-for-the-add-on-sdk/

closes #56
@cowlicks cowlicks merged commit 4330975 into master Jul 28, 2018
@cowlicks cowlicks mentioned this pull request Jul 28, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@cowlicks