
Security

19RyanA edited this page Feb 4, 2016 · 3 revisions

Since the readme is way too cluttered, I've moved this to the wiki. The following info is displayed in FAQ format because I'd rather not write an essay on it.

Basic information

Why doesn't the online version of Check PCR communicate directly with PCR like the extension does?

This is because of a great security measure in web browsers called the same-origin policy, which prevents a page from one website from reading data that belongs to another website. Without it, a malicious website could load mail.google.com in the background, with your cookies attached (cookies are how your logged-in session is remembered), and read all your emails.

So how does Check PCR get your assignments from PCR?

Whenever a browser loads a webpage, it sends a request to the server hosting the webpage; the server performs some action (typically reading the page you requested from its hard drive) and sends something back (typically that file). When the browser asks Check PCR's server to load your assignments from PCR, the request also contains your credentials. The server then sends its own request, with those credentials, to PCR; PCR replies with your assignments, and the server passes them on to your browser.

Because the browser only ever sends requests to Check PCR's server, the server can retrieve your assignments from PCR on the browser's behalf while the same-origin policy is still satisfied.
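The request flow described above, as an added example that is not CheckPCR's own code: a server-side handler receives the browser's request at the app's own origin, forwards the credentials to the upstream site, and returns JSON instead of the upstream HTML. The upstream URL, the page layout and the fetch function are constructed stand-ins for this example; a real deployment would replace fakePcrFetch with an HTTP client.

```javascript
// Added example (not CheckPCR's own code): a minimal server-side "proxy" that
// shows why the browser only ever talks to the app's own origin.
// The PCR host, page format and fetch function below are constructed stand-ins.

const PCR_ORIGIN = "https://pcr.example"; // placeholder, not the real PCR host

// Constructed sample of what an upstream assignments page might look like.
const SAMPLE_PCR_HTML = `
<html><body>
<h1>Assignments</h1>
<table class="assignments">
<tr><td class="due">2016-02-05</td><td class="title">Read chapter 3 &amp; 4</td></tr>
<tr><td class="due">2016-02-08</td><td class="title">Problem set <b>2</b></td></tr>
</table>
</body></html>`;

// Stand-in for a real HTTP client: records what would be sent upstream and
// returns the constructed page. A real server would use fetch()/https here.
function fakePcrFetch(request) {
  fakePcrFetch.lastRequest = request;
  if (request.body.password !== "hunter2") {
    return { status: 401, body: "<html><body>Login failed</body></html>" };
  }
  return { status: 200, body: SAMPLE_PCR_HTML };
}

// Decode the handful of entities used in the sample; anything else is left alone.
function decodeEntities(s) {
  return s
    .replace(/&amp;/g, "&")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"');
}

// Strip the "pretty" formatting: turn each table row into a plain object.
function extractAssignments(html) {
  const rows = [];
  const rowRe =
    /<tr>\s*<td class="due">(.*?)<\/td>\s*<td class="title">(.*?)<\/td>\s*<\/tr>/gs;
  let m;
  while ((m = rowRe.exec(html)) !== null) {
    rows.push({
      due: m[1].trim(),
      // Drop inner tags such as <b>, keep the text, and decode entities so the
      // JSON carries plain text rather than HTML fragments.
      title: decodeEntities(m[2].replace(/<[^>]*>/g, "")).trim(),
    });
  }
  return rows;
}

// The server handler: the browser's request arrives at OUR origin carrying the
// credentials; we forward them upstream and hand back JSON, never raw HTML.
function handleAssignmentsRequest(clientRequest, upstreamFetch) {
  const { username, password } = clientRequest.body;
  if (typeof username !== "string" || typeof password !== "string") {
    return { status: 400, json: { error: "missing credentials" } };
  }
  const upstream = upstreamFetch({
    url: PCR_ORIGIN + "/login",
    method: "POST",
    body: { username, password },
  });
  if (upstream.status !== 200 || /Login failed/.test(upstream.body)) {
    return { status: 401, json: { error: "PCR login failed" } };
  }
  return { status: 200, json: { assignments: extractAssignments(upstream.body) } };
}

console.log(JSON.stringify(
  handleAssignmentsRequest({ body: { username: "alice", password: "hunter2" } }, fakePcrFetch),
  null, 2));
```

Because the browser receives plain text inside JSON rather than HTML, whatever renders those strings on the client side is responsible for escaping them before inserting them into the page.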

What is going on in the program?

You'll have to trust me on this one, but if you set it to not remember you, the program will just send a request to PCR, strip out all the formatting that makes the page look pretty rather than a blob of text, and send a blob of text (more specifically a JSON document) back. If you set it to remember you, it will encrypt your username and password and store them on the server. If it detects that you are not logged in, it will decrypt them, send them to PCR, and proceed as above.

Why does the extension work?

Chrome extensions can request special permissions that ordinary websites can't have. For example, ad blockers require permission to modify any webpage you visit so they can delete ads. Because I didn't publish Check PCR on the Chrome Web Store, you won't see a permissions prompt like this, but if you look at the extension manifest, you'll see that PCR is listed under permissions, and this is what allows the extension to access PCR.

The main code

If you are feeling bored and have nothing else to do, or are suspicious of what the program does with your password, feel free to take a look at the main Literate CoffeeScript code and the code that runs on the welcome page. To compile these files into the JavaScript ones used on the page, see https://github.com/19RyanA/CheckPCR#compiling--hacking.

List of external scripts

  • headroom.js, downloaded from here, which toggles the navbar visibility
  • hammer.js, downloaded from here, which enables touch interactions events such as panning and swiping
  • Chrono, downloaded from here, which parses dates given in natural language
  • Google's Diff, Match, and Patch library from here, which does diffing as the name states
    • Modified to preserve HTML tags: the escaping code ,j=j.replace(c,"&amp;").replace(d,"&lt;").replace(e,"&gt;").replace(f,"&para;<br>") was deleted
  • TinyColor, downloaded from here, which does color arithmetic
  • The Parse Javascript SDK, downloaded from here, which, well, communicates with Parse
  • Stanford Javascript Crypto Library, downloaded from here, which is used to encrypt the data stored in Parse