#156 Subresource Integrity Improvement

Closed
opened 6 months ago by Boxxy · 5 comments
Boxxy commented 6 months ago

Hi, I was wondering if it would be possible for the extension to give a pop-up when it detects that a site uses subresource integrity if the HTML Filter isn't being used, or if the extension is being used on Chrome, so that I could immediately know why it's breaking, or if there could be an option for the extension to automatically disable itself if it detects subresource integrity being used.

nobody added the question/discussion label 6 months ago
nobody commented 6 months ago
Owner

This is a difficult question. Popups aren't good for this. The extension should work as quietly as possible in the background. Popups could annoy a user. I thought about a note in the icon, maybe where the counter is located. But this isn't visible on mobile devices.

However, the problem is that the extension uses [webRequest.onBeforeRequest](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onBeforeRequest). It detects requests to specific URLs (CDNs) and redirects them to local copies or blocks them. Unfortunately, there is no way to determine if a request was successful. Thomas Rientjes (developer of Decentraleyes) wrote a [bug report](https://bugzilla.mozilla.org/show_bug.cgi?id=1419459) about that 3 years ago. This bug report has the status "P5", which means:

> We basically never want this. If somebody implements it and asks for review, we might look at it. If a posted patch involves any significant complexity, it will probably be rejected.
>
> [Bugzilla:Priority System](https://wiki.mozilla.org/Bugzilla:Priority_System)

Finally, you have to search the HTML code for these tags every time you load a website. Depending on the length of the HTML code, it needs more or sometimes less time. I think this is unnecessary, but the option is already built in.

You can enable the HTML filter permanently in the options; then the source code will be searched for these tags every time and they will be removed. If a website does not work, you can deactivate the filter there and it will be put on a list. If you enable the HTML filter permanently, the "enable list" is used as a "disable list".

Boxxy commented 6 months ago
Poster

Yeah, a pop-up could be a bit annoying. I think the idea with a note on the icon would be good, and while it wouldn't be noticeable on mobile, on desktop it would be a good improvement in regards to now, where I don't know if a site is breaking, thinking it's my adblocker (until I look in the console).

I'm not a dev, but can extensions read the console? Maybe it can check the console on load to see if it detects an error message stating that a resource couldn't be loaded due to SRI?

I would use the HTML Filter if I was on Firefox but I use Chrome unfortunately.

EDIT: I found this, but I'm not sure if it could work with an extension:
https://github.com/ianpgall/js-console-listener

nobody commented 6 months ago
Owner

> can extensions read the console?

Not directly and one to one. You cannot determine whether it's a CORS error or a network error. Network errors include DNS problems or wrong file names or paths.

Regardless of this, I don't think it's a good idea to catch them from the console. It would just be a workaround. Depending on the website, there is a lot of information.

I've a small example where you can see this. You only need an extension and you have to activate all the 'Show ...' checkboxes.

Example:
https://addons.mozilla.org/de/firefox/addon/javascript-errors/
https://newlook.dteenergy.com/wps/wcm/connect/dte-web/home

> I would use the HTML Filter if I was on Firefox but I use Chrome unfortunately.

Ah ok, the filter isn't supported by chromium. Of course I hope this will be supported by Chromium in the future. In that case only a few lines of code need to be changed in LocalCDN.

Boxxy commented 6 months ago
Poster

Oh, that extension actually works pretty well, though I'd rather not have another extension if I can help it 😅 It also shows errors on nytimes.com even though the site still loads. It would be good if it had an option to only show "ReferenceError" errors, since those are what happens when the library can't load.

nobody commented 6 months ago
Owner

> Oh, that extension actually works pretty well

Yes, but unfortunately you don't know why something could not be loaded. That can have different reasons:

  • adblocker
  • external firewall, which also blocks tracking domains
  • domain cannot be resolved (DNS problems)
  • file name or path is wrong
  • CORS error

The best way is when an extension can detect a CORS error. Then we could handle it and allow or block requests to the original domain. Everything else is unclean and causes more problems than it solves. Unfortunately I don't know of any other extensions besides Decentraleyes and LocalCDN that might need this feature. 🤔

Maybe the priority will be increased if more people vote for it. [Currently there are 46 votes](https://bugzilla.mozilla.org/show_bug.cgi?id=1419459).

nobody closed this issue 5 months ago