Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: disable creation of window.ipfs attribute in Firefox #495

Merged
merged 4 commits into from
Jun 15, 2018
Merged

feat: disable creation of window.ipfs attribute in Firefox #495

merged 4 commits into from
Jun 15, 2018

Conversation

lidel
Copy link
Member

@lidel lidel commented Jun 8, 2018
edited
Loading

This PR enables Firefox users to disable creation of window.ipfs attribute via Preferences screen, solving fingerprinting issue raised in #451.

It requires webpack, so should be merged after #498

Background

Existing tabs.executeScript API with runAt: 'document_start' flag was executing too late and page scripts were unable to detect window.ipfs correctly. More info on the underlying issue: #368 #362 (comment)

As a workaround that worked in both Chrome and Firefox, we were forced to always load content script via manifest definition. This meant no control over when it is loaded and no easy off switch. If window.ipfs was disabled via Preferences, it was throwing an Error on access, but remained in the scope.

Mozilla added contentScripts API in Firefox 59. The key difference between tabs.executeScript and contentScripts API is that the latter provides guarantee to execute before anything else on the page, passing our synchronous smoke test.

Known Issues

Chrome does not provide contentScripts API so it will continue to statically load content_script via manifest. Hopefully with time, other browser vendors will adopt the new API.

@lidel lidel requested a review from alanshaw June 8, 2018 17:11
@lidel lidel self-assigned this Jun 13, 2018
@lidel
fix: avoid window.ipfs in non-HTML context
4482b40 
Injecting proxy into application/xml produced malformed XML and SVG files.
This adds some sanity-checks and ensures injection happens only in HTML
contexts. It also improves performance by avoiding unnecessary port creation.
@lidel
feat: use browser.contentScripts API in Firefox
52b0190 
This change enables Firefox users to disable creation of window.ipfs,
solving fingerprinting issue raised in:
#451

The key difference between tabs.executeScript and contentScripts API
is that the latter provides guarantee to execute before anything else.

Chrome does not provide contentScripts API and we need to statically
load content_script via  manifest.

More info on the underlying issue:
#368
#362 (comment)
@lidel
fix: Fix addon-linter error for /content_scripts
f3e3628 
MANIFEST_FIELD_INVALID   "/content_scripts" should be array
@lidel
fix: change script name to webpack bundle
3c53eb5
@lidel lidel merged commit 032ebdd into master Jun 15, 2018
@lidel lidel deleted the feat/hide-window.ipfs branch June 15, 2018 09:05
@lidel lidel mentioned this pull request Jun 20, 2018
Closed
@lidel lidel changed the title feat: disable creation of window.ipfs attribute feat: disable creation of window.ipfs attribute in Firefox Jul 10, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alanshaw alanshaw Awaiting requested review from alanshaw

Assignees

@lidel lidel

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@lidel