sticky: fixed/signed legacy addons not on AMO: No Resource URI Leak etc #191
Comments
Thorin-Oakenpants
changed the title
|
Thanks for fixing No Resource URI Leak (clone). |
|
Great, I didn't read nor include the COPYING file. I hope I can count on you with my legal fees. |
|
@earthlng added
and the audience replied : Bravo, thank you, merci, danke schön :) This sticky topic is and will become a reference for FF55+ users. Already mentioned on Ghacks.
Here on FF ESR 52 I have no issue with the original No Resource URI Leak 1.1.0 but is it advised to nevertheless update this add-on to its 1.1.1 version proposed here? Many thanks, earthlng. |
|
Sure, send the bill to Atavic .. I have promoted him to Secretary of Finance |
You're welcome, à votre service, gern geschehen :)
No. If the console output for caught exceptions in the original version bother you then you can use my version instead. Apart from that they work identical. |
|
I've nevertheless updated No Resource URI Leak 1.1.0 to No Resource URI Leak (clone) 1.1.1 even if not required with pre-FF55 for the sake of code improvement. "It's not because it works that you shouldn't improve it" |
|
@rekixex You can have a look at https://browserleaks.com/firefox it shows you what is leaked. I don't think the locale matters in any way.
Checkout https://thehackerblog.com/addon_scanner. More fingerprinting and other test sites are in the wiki P.S. Could you please stop spamming my email? Much appreciated. |
^^ TBH, this shows you a few things that can be leaked, focusing on FF/TBB internals Resource:// URIs declared There are other ways to detect addons - notably Adblockers, although TBH, a lot of them are generic and do not actually detect the extension, just the affect, AFAIK. I am sometimes accused of having AdBlock Plus, which I don't. Preferences can't be accessed directly, only induced - if they could be directly read, we'd be FP'able to the nth degree! [Note: this is what Sherlock Holmes almost always does - not deduction as he claims so often - tidbit included for crssi to help my beer funds ] |
|
:) Unfortunately I have understood it all. But to fill your jar, I can easily find some stupid question for beer sake? |
It is used in WE's as well: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Anatomy_of_a_WebExtension#Web_accessible_resources
atm all the default preferences files in FF can be accessed and read directly. |
Well, then that creates what? 10 distinct default pref sets? - Mac, Windows, Mobile, Focus, Various Linux? I can see default prefs giving away OS, build even. So loads of info just on defaults. OS, versions, builds... wouldn't be hard to work out combos unique to each one. Out of curiosity .. how is this accessible ATM ? resource leak? |
|
disable the addon and load https://browserleaks.com/firefox, then click on any of the filenames it detected and it will list you all the prefs in that file. OS and FF version can easily be detected that way f.e. check for a single pref that's new in 55 or a single pref that has a unique value in Mac or Linux, etc.
yes, it loads the resource:// files and provides its own 'pref' function that gets triggered for every pref("blahblah",true); function call in those files "ATM" because once they release the patch they're working on right now, those files will no longer be accessible |
It needs to be more precise than that, because that pref would only indicate FF55-PLUS. Like I said it wouldn't be hard to find combos of prefs+values unique to Every. Single. FF. Build. And. OS. I would rather be in the small group (until 57 hopefully) that creates a data bit for FP of "access denied" |
|
Was this issue resolved with today's update? 🎱 |
|
@L-a-n-g-o-l-i-e-r-s - what issue? Do you mean resource URI - the ticket is https://bugzilla.mozilla.org/show_bug.cgi?id=863246 - unresolved as yet. If anything happens, it still takes time - it has to go thru NIghtly, then Beta, then land in stable. So 57 would be the earliest. Dot releases do not contain new features. If you mean the addon, nah - if a legacy addon breaks it's because legacy code has been stripped - no coming back from that |
|
@Thorin-Oakenpants This didn't fix that issue? I thought the point was to mark everything legacy then tear the legs out from under it in 57. They're nothing if not inconsistent. 😡 ⚰️ Thanks 😅 |
|
@L-a-n-g-o-l-i-e-r-s FF 53.0.3 don't fix the issue of accessing resource:// access to Web content. |
|
@2glops I should have been more explicit with my original question, I was quite tired when I asked it, 😰 🌵 Thanks |
No that's not true. That bug in the update fixed an unrelated problem: https://bugzilla.mozilla.org/show_bug.cgi?id=1389160#c47
|
For some reason this question was in my head when I woke up: Hey sure, it can "read" what files are there, but surely it cannot "upload" them from your device and inspect the contents, right? That doesn't sound right to me. Or do you mean the local file can be integrated into content and read by JS? Can someone ELI5 how a website would read the actual pref values |
I already did ... #191 (comment) They cannot read it in it's raw form including the js comments for example, but they can re-construct the active code parts because there are only pref() and sticky_pref() functions in those files. They could then send the reconstructed file to a server. But there's no need to do that because a handful of those pref calls are enough to detect the OS + FF version. |
|
^^ Just as well its all locked down then. I feel a good nights sleep coming on .. no wait a minute ... damn, did you see my latest soapbox post? |
|
Secretary of Finance? I don't even own a credit card. |
|
@earthlng https://notabug.org/desktopd/no-resource-uri-leak/pulls/16 @no-resource-uri-leak-1.2.1.xpi.zip Despite the current FF nightly apparently fixing the resource leak issue, I doubt they have addressed extensions. Likewise I use Waterfox, anyway, which still supports XUL addons. |
|
From https://groups.google.com/d/msg/mozilla.dev.platform/00-1tT15mX0/TzUrOD93AAAJ:
|
|
Yes, unless you use an ESR release, or Waterfox until it's merged in. That said someone here should test it first to see if it really passes the tests. It doesn't just protect resource:// but others too... My modded version also should prevent extension fingerprinting as well. |
|
Hi @ilikenwf thanks. You'll not gonna be able to get it signed with the same id but more importantly I think you're breaking the logic here: I'll have to look at it in more detail, tomorrow maybe. |
|
Waterfox doesn't force signing, so I wasn't super worried about it since I've put in a PR to the addon dev's repo... I don't think the logic there is broken, necessarily, but it may need some parenthases for clarity because it's hard to read and was so before I even touched it...but the logic reads to me as "if the scheme is any of the things we filter and our policy of insercure about uris does not have the path, and the secure uris, or other policies has the path..... Admittedly I did this in about 5 minutes so I'm sure it could use cleanup at the very least. |
No I'm pretty sure it's broken, mate ;) It needs to be || You made it || You probably also only want to check for
I know, I nearly broke it myself when I tried to add some improvements to the addon :) |
|
Pushed that tweak.
…On Wed, Aug 30, 2017 at 4:00 PM, earthlng ***@***.***> wrote:
I don't think the logic there is broken
No I'm pretty sure it's broken. It needs to be *||* u.schemeIs ('about')
*&&* all the rest of it.
You made it *||* u.schemeIs ('moz-extension') *&&* all the rest of it.
it's hard to read and was so before I even touched it
I know, I nearly broke it myself when I tried to add some improvements to
the addon ;)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#191 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAZUOqGTu0K8DKRybL22sg3S4K_yEXmBks5sdc1bgaJpZM4OwAW1>
.
|
|
Yeah, still broken, that whitelist logic needs adjusted...the blocking works but the whitelists do not, meaning ublock etc options don't look or function properly. |
ghost
mentioned this issue
and others
AMO no longer allows the uploading of legacy addons. Unless you are the original developer, you cannot even upload a fixed clone. This is an issue - ESR will be on extended life support for almost a year (until 2018-06-26 I believe).
🔸 Fixed add-ons
multiprocessCompatibleflag@earthlng says:
FF55 seems to break SDK addons that use a relative path to load content scripts.
Using the absolute path fixes the problem in FF55+ and also works in older versions.
Until the addon devs release an update or someone @ mozilla fixes whatever caused the addon to break, you can use this copy - fixed by Yours truly xD
You need to configure your settings again because I had to change the addon ID.
I also removed the console output for caught exceptions (annoying and useless for end-users) + changed the name to make it easier to distinguish.
You can keep the original installed (disabled!) and wait for an official update.
download
Resource Test Page: https://browserleaks.com/firefox
The text was updated successfully, but these errors were encountered: