FYI: web_accessible_resources & UUID [Bug 1372288, 1405971] #227
Comments
|
The system addons that came with nightly 57 can no longer be extracted with Windows Explorer on Win7. |
Not yet: greasemonkey/greasemonkey#2551 |
|
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/web_accessible_resources
FWIW, you can check if an extension has web_accessible_resources by checking its manifest.json. |
|
Does it only affect extensions that have a content script? Are extensions using exclusively a background script affected as well? |
|
It's the websites that lurk via
See: https://github.com/gorhill/uBlock/wiki/Firefox-WebExtensions#differences-with-ubolegacy |
No, afaik only WebExtensions with web_accessible_resources edit: https://bugzilla.mozilla.org/show_bug.cgi?id=1372288#c19
|
|
CanvasBlocker uses content scripts but I do not see how it could leak the UUID. PS: CB is not yet a WebExtension because of a missing API. |
I understand that. This was more of a wake up, initial check and if the WE devs are aware*, they know to steer clear of it. Its not an easy fix within Firefox by the sounds of it. The ticket is now open. 3 months and not much visible activity. Suddenly (90 days later?) the whitepaper is published. The PoC (and article) probably helped sway the decision to open the ticket. And we have a flurry of comments. I do not see this being resolved in time for ESR, let alone 57. So it would be nice to know for those if any of these WE can leak - including those not WE yet. |
|
SSleuth has no WE yet, due to missing API. |
@earthlng: Let me know. https://github.com/Theemim/GeckoScratchpadSnippets/blob/master/GeckoZipReader.js |
|
Thanks @sibiantony - is it this one?: https://bugzilla.mozilla.org/show_bug.cgi?id=1322748 PS: I don't expect devs to work around this. I expect Mozilla to work out a better permissions model, but it sounds complicated. |
@Thorin-Oakenpants Yes, that's the one. |
|
In Link Cleaner's case, it doesn't inject anything into web pages and doesn't have any web_accessible_resources, so it shouldn't be affected. |
uBO does not declare |
|
Same with uMatrix, no |
|
@Theemim holy shit man, you're a fucking god! Thanks mate!! 👍 👍 👍 |
|
Even though both Firefox Screenshots and Decentraleyes make use of the The proof of concept relies on the fact that Firefox Screenshots creates an anchor element with a Another way of obtaining the Based on what I have stated above, I do not believe Decentraleyes is currently leaking out unique user identifiers. That said, of course, please do get in touch if you think I'm overlooking something. |
Today I prepped it up for release, but then I realized I will have to wait for Firefox 56, there is a bug that was fixed in it, which I consider crippling in Firefox 55: https://bugzilla.mozilla.org/show_bug.cgi?id=1324499. |
|
Thanks for clarifying @Thorin-Oakenpants, and no worries! I completely understand.
You're welcome, and I'm happy to hear you appreciate the work! |
|
First, the "greasemonkey" user is a project user that no human ever logs in to (nor will ever see at-mentions of). Second the above-linked bug is just the "port user data" (from legacy->webext) issue. Third: I have always had issues with Mozilla's documentation ever since starting WebExt porting work, but this sounds like an even bigger one. Hilariously: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/web_accessible_resources
If I've interpreted the giant thread above correctly, the true fact is that ever using My work-in-progress Greasemonkey port does use |
|
@arantius Thanks for dropping by, and thanks for your porting work. Much appreciated. I kind of assumed (and it may not even be an issue soon if Mozilla patch quickly enough), that since ViolentMonkey didn't use any web_accessible_resources (and I know GM and VM are not the same project), that you wouldn't either. That said, if you're not injecting these resources into the page (and clearly you aren't), I think you're fine. Certainly not your fault, and not a reason for you to change your design at all. It's a mozilla problem. The mozilla documentation wouldn't reflect the bugzilla information, it was only opened up to the public a few days ago. Giant thread? Nah mate, that's a dwarf :) PS: I agree about the few crappy UI options. |
|
Ah, but I am injecting. Into, I believe, (plain text) pages that could never observe the insertion with a script, but still. |
|
Yes, I mean injecting those resources into WEB pages - not protected options/interfaces/settings/dialogs |
|
https://github.com/greasemonkey/greasemonkey/blob/master/src/content/script-detect.js#L30 After mime type detection, we inject, into web content. |
|
For whatever it's worth, uBO does use an |
As said above, because limited UI options. I don't want to fire a whole tab, I can't open my own page action dialog (which would otherwise be perfect). So I'm injecting an iframe wherein I can put my small bit of UI. Theoretically, I could re-write to replace the document with my own, which injects the original content into a frame. Not totally sure that would help, and I'd rather the platform just doesn't present this opportunity. For my usage, an extra randomized/obfuscation of the result of |
|
FYI: CanvasBlocker is a WebExtension since version 0.4.0 |
Thorin-Oakenpants
changed the title
|
Apparently Tree Style Tab could be affected by this as it uses @piroor Do you see any way to get this feature to work in TST without |
Thorin-Oakenpants
changed the title
Update:The manifest key This is the only solution for the following uBO's issues:
And this will also be the only solution to fix: FirefoxThese web accessible resources are never exposed to the DOM -- hence uBO's unique extension id on Firefox cannot be seen by web pages (just as with Decentraleyes). ChromiumuBlock Origin (or any extension) on Chromium is not assigned a unique extension id, it is assigned a static extension id, used by all installations of uBO. This means that a web page could try to fetch a resource known to be "web accessible" in order to directly find out that uBO is installed -- hence more information for fingerprinting (see http://singularity.be/public/papers/extensions.pdf). This is essentially that leakage of information that prevented me from using uBO foils such information leak by requiring that the fetching of any web accessible resource be done using a secret, which secret is randomly generated at launch time. Without the secret, known only to uBO, the fetch will fail as if the resource does not exist, as if Demonstration of such direct detection which is foiled by uBO:
However the above won't work with uBO despite it now declaring
Addendum (2018-02-17):I experimented further with the case of XMLHttpRequest, which can expose the URL resulting from redirection (through As a result, I modified the code such that no redirection to web accessible resources will take place when dealing with |
|
Thanks for the detailed info @gorhill ! 👍 |
Thorin-Oakenpants
changed the title
Thorin-Oakenpants
changed the title
NOTE: the vetting we did on system addons and some extensions is no longer maintained here, some checks were last updated in Feb 2018. It is up to you to vet your extensions for this issue.
Update (Dec 11th 2019)
If we recommend a web extension, lets make sure it doesn't leak UUIDs
@gorhill @mrdokenny @idlewan @tumpio @einaregilsson @meh @Synzvato @EFForg @kkapsner @greasemonkey @sibiantony
^^ sorry for all the @'s, hopefully this will bring it to your attention if you weren't aware, and appreciate your time if you can spare it for a quick answer, otherwise we can dig in ourselves. This issue may be fixed by Mozilla, but it would be good to know if these WE's are not affected, or can be fixed to not leak - thanks
currently access denied, will be opened up soonsystem addons
==> Screenshots is the only system addon affected ATM(!)
===> see .extension.getURL + path:browser/extensions/ web_accessible_resources
web extensions
* web_accessible_resources are declared but are never exposed to the DOM
* see Synzvato's comment below
[1] and FYI the legacy versions do not expose
resource://other web ext
web extensions not ready yet
...
The text was updated successfully, but these errors were encountered: