Comments (4)

Synzvato commented on May 11, 2024

Thanks for reporting the issue! There are a few things here that keep Decentraleyes from injecting local resources. Namely, the relatively new crossorigin and integrity script attributes:

<script src="/jquery.min.js" integrity="sha256-ivk7..." crossorigin="anonymous"></script>

Technically it's a duplicate of #16 and thus a known bug. It affects a relatively small number of websites that enforce an additional set of rules for loading content. This is being looked into and chances are a permanent solution to this problem will be found within the very near future.

Decentraleyes v1.2.0 has experimental support for whitelisting specific domains (that works as long as a request has referrer information). So, installing that new version and adding "report-uri.io" to the whitelist (inside Add-on Manager preferences) should prevent the website from breaking.

rugk commented on May 11, 2024

Well... yeah. Preventing injections is the purpose of Subresource Integrity. 😃

But should not the hashes be equal if the file is exactly the same (as it is supposed to be with this addon)?

Synzvato commented on May 11, 2024

> But should not the hashes be equal if the file is exactly the same [...].

That's a very good observation! The injected code is, of course, fully identical. Bundled files have been stripped of things like source mapping comments, because the actual mapping files are not bundled to save space. Also, by default, Decentraleyes adds comments to injected files to signal local delivery.

A tool to ensure resource integrity is included in the add-on, and is also used by reviewers at Mozilla to make sure the actual code is unaltered. So that's why regular file fingerprints often don't match.

The reason the other attribute, crossorigin, causes issues is that it demands that the responses contain headers that state cross-origin requests are allowed. Decentraleyes currently redirects requests to data URIs. That particular protocol has nothing to do with HTTP, so chaos ensues.

That's the problem in a nutshell. Any ideas or suggestions are highly welcome!

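The hash mismatch discussed in the comments above, as an added example that is not part of the thread and is not Decentraleyes code: an integrity value computed over a CDN copy rejects a local copy that differs only in comments, even though the executable code is the same. The file contents and the helper names (`sriToken`, `matchesIntegrity`, `codeOnly`, `compareCopies`) are constructed for illustration, and `codeOnly` is a simple stand-in, not the add-on's own audit tool.

```javascript
const { createHash } = require("node:crypto");

// Build an SRI token such as "sha256-<base64 digest>" for a resource body.
function sriToken(body, algo = "sha256") {
  return `${algo}-${createHash(algo).update(body).digest("base64")}`;
}

// Check a body against an integrity attribute the way a browser does:
// only the strongest algorithm listed counts, and any of its digests may match.
function matchesIntegrity(body, integrityAttr) {
  const strength = { sha256: 1, sha384: 2, sha512: 3 };
  const algoOf = (token) => token.split("-")[0];
  const tokens = integrityAttr.trim().split(/\s+/)
    .map((t) => t.split("?")[0])            // drop optional "?options" suffix
    .filter((t) => strength[algoOf(t)]);    // ignore unknown algorithms
  if (tokens.length === 0) return true;     // no usable metadata: nothing enforced
  const best = Math.max(...tokens.map((t) => strength[algoOf(t)]));
  return tokens
    .filter((t) => strength[algoOf(t)] === best)
    .some((t) => t === sriToken(body, algoOf(t)));
}

// Constructed stand-ins: the CDN file ends with a source mapping comment,
// the bundled copy has it stripped and carries a local-delivery comment.
const cdnCopy =
  "window.lib=function(){return 1};\n//# sourceMappingURL=lib.min.js.map\n";
const localCopy =
  "// delivered locally (constructed marker)\nwindow.lib=function(){return 1};\n";

// Hypothetical normaliser: keep only non-empty lines that are not // comments.
function codeOnly(src) {
  return src.split("\n")
    .filter((line) => line.trim() && !line.trim().startsWith("//"))
    .join("\n");
}

// Compare both copies against the integrity value a site would publish.
function compareCopies(cdn, local) {
  const integrity = sriToken(cdn);
  return {
    integrity,
    cdnPasses: matchesIntegrity(cdn, integrity),
    localPasses: matchesIntegrity(local, integrity),
    sameCode: codeOnly(cdn) === codeOnly(local),
  };
}

console.log(compareCopies(cdnCopy, localCopy));
```

The digest covers every byte of the response, so a copy with comments added or removed fails the check regardless of whether the code itself is unchanged.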

Synzvato commented on May 11, 2024

@rugk I have since decided to create a bug (1419459) on Mozilla's bugtracker. Upvotes are welcome.
