Verify feature detection message #369
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hmm... Looks like we have a test failure for Firefox 67.0. Not sure if it's a flake or a real failure (can't seem to trigger a retry from my side). |
lewisl9029
commented
Apr 22, 2023
| supportsImportMeta = data[1]; | ||
| supportsCssAssertions = data[2]; | ||
| supportsJsonAssertions = data[3]; | ||
| const isFeatureDetectionMessage = Array.isArray(data) && data[0] === 'esms' |
There was a problem hiding this comment.
We could potentially make this a bit more resistant to forgery by generating some random bytes instead of this hardcoded string. But I don't see what a potential attacker has to gain by taking over feature detection, so there might not be a need?
There was a problem hiding this comment.
Agreed, we don't need to be forge resistant.
guybedford
approved these changes
Apr 23, 2023
| supportsImportMeta = data[1]; | ||
| supportsCssAssertions = data[2]; | ||
| supportsJsonAssertions = data[3]; | ||
| const isFeatureDetectionMessage = Array.isArray(data) && data[0] === 'esms' |
There was a problem hiding this comment.
Agreed, we don't need to be forge resistant.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I was also running into intermittent feature detection failures similar to the ones mentioned in #368 once I upgraded to 1.7.1 on https://reflame.app, so I made a custom build with some additional logging on the message callback function and found a pretty big clue:
Looks like the root of the issue might be that we're not verifying the source of the message, so anything that calls postMessage before es-module-shims (in this case the react dev tools extension) can cause feature detection to fail, often non-deterministically due to races.
Looking at this previous related issue, I think this is the more likely cause for that one too rather than some security policy (i.e. something on the page called postMessage with
undefinedas the message). So I removed the previous branch where we continue to resolve feature detection even after failing validation, and instead opting to return early and wait for the next message. WDYT?Also, I added the debug build as an exported module so it can be accessed from the npm package as well.