Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: disable creation of window.ipfs attribute in Firefox #495

Merged
merged 4 commits into from
Jun 15, 2018

Conversation

lidel
Copy link
Member

@lidel lidel commented Jun 8, 2018

This PR enables Firefox users to disable creation of window.ipfs attribute via Preferences screen, solving fingerprinting issue raised in #451.

It requires webpack, so should be merged after #498

Background

Existing tabs.executeScript API with runAt: 'document_start' flag was executing too late and page scripts were unable to detect window.ipfs correctly. More info on the underlying issue: #368 #362 (comment)

As a workaround that worked in both Chrome and Firefox, we were forced to always load content script via manifest definition. This meant no control over when it is loaded and no easy off switch. If window.ipfs was disabled via Preferences, it was throwing an Error on access, but remained in the scope.

Mozilla added contentScripts API in Firefox 59. The key difference between tabs.executeScript and contentScripts API is that the latter provides guarantee to execute before anything else on the page, passing our synchronous smoke test.

Known Issues

Chrome does not provide contentScripts API so it will continue to statically load content_script via manifest. Hopefully with time, other browser vendors will adopt the new API.

@lidel lidel requested a review from alanshaw June 8, 2018 17:11
@lidel lidel force-pushed the feat/hide-window.ipfs branch from 7e3731b to fccc7d3 Compare June 13, 2018 12:12
@lidel lidel self-assigned this Jun 13, 2018
lidel added 4 commits June 15, 2018 00:22
Injecting proxy into application/xml produced malformed XML and SVG files.
This adds some sanity-checks and ensures injection happens only in HTML
contexts. It also improves performance by avoiding unnecessary port creation.
This change enables Firefox users to disable creation of window.ipfs,
solving fingerprinting issue raised in:
#451

The key difference between tabs.executeScript and contentScripts API
is that the latter provides guarantee to execute before anything else.

Chrome does not provide contentScripts API and we need to statically
load content_script via  manifest.

More info on the underlying issue:
#368
#362 (comment)
MANIFEST_FIELD_INVALID   "/content_scripts" should be array
@lidel lidel force-pushed the feat/hide-window.ipfs branch from fccc7d3 to 3c53eb5 Compare June 14, 2018 22:42
@lidel lidel merged commit 032ebdd into master Jun 15, 2018
@lidel lidel deleted the feat/hide-window.ipfs branch June 15, 2018 09:05
@lidel lidel changed the title feat: disable creation of window.ipfs attribute feat: disable creation of window.ipfs attribute in Firefox Jul 10, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant