Breaks report-uri analyse tools #17
Comments
Thanks for reporting the issue! There are a few things here that keep Decentraleyes from injecting local resources. Namely the, relatively new, `<script src="/jquery.min.js" integrity="sha256-ivk7..." crossorigin="anonymous"></script>` Technically it's a duplicate of #16 and thus a known bug. It affects a relatively small number of websites that enforce an additional set of rules for loading content. This is being looked into and chances are a permanent solution to this problem will be found within the very near future. Decentraleyes v1.2.0 has experimental support for whitelisting specific domains (that works as long as a request has referrer information). So, installing that new version and adding "report-uri.io" to the whitelist (inside Add-on Manager preferences) should prevent the website from breaking.
Well... yeah. Preventing injections is the purpose of Subresource Integrity. 😃 But should not the hashes be equal if the file is exactly the same (as it is supposed to be with this addon)?
That's a very good observation! The injected code is, of course, fully identical. Bundled files have been stripped of things like source mapping comments, because the actual mapping files are not bundled to save space. Also, by default, Decentraleyes adds comments to injected files to signal local delivery. A tool to ensure resource integrity is included in the add-on, and is also used by reviewers at Mozilla to make sure the actual code is unaltered. So that's why regular file fingerprints often don't match. The reason the other attribute That's the problem in a nutshell. Any ideas or suggestions are highly welcome!
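The mismatch described in the comment above, as an added example that is not part of the thread and not Decentraleyes' own code: a Subresource Integrity check run over a constructed upstream file and a local copy whose source-map comment is stripped and which carries an added marker comment. The file contents, the marker text and the function names are assumptions made for illustration.

```javascript
// Added example: SRI matching over constructed file contents.
const { createHash } = require('node:crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Build an integrity value such as "sha256-<base64 digest>".
function sriFor(body, alg = 'sha256') {
  return `${alg}-${createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// Parse an integrity attribute: whitespace-separated "alg-digest[?options]"
// tokens. Unknown algorithms and malformed tokens are ignored.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return m ? { alg: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// Browser-style decision: only the strongest listed algorithm counts, and any
// matching digest for that algorithm lets the resource load.
function integrityMatches(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // no usable metadata: nothing enforced
  const best = entries.reduce((a, b) =>
    (STRENGTH.indexOf(b.alg) > STRENGTH.indexOf(a.alg) ? b : a)).alg;
  return entries.filter((e) => e.alg === best)
    .some((e) => sriFor(body, e.alg) === `${e.alg}-${e.digest}`);
}

// Constructed upstream file, ending in a source-map comment.
const upstream = '/*! lib v1 (constructed sample) */\n' +
  'function add(a,b){return a+b}\n' +
  '//# sourceMappingURL=lib.min.map\n';

// Local copy: same executable code, source-map comment stripped, marker
// comment added (the marker text is hypothetical).
const local = '/* served locally (hypothetical marker) */\n' +
  upstream.replace(/^\/\/# sourceMappingURL=.*\n/m, '');

// What the page author would have put in the integrity attribute.
const pageIntegrity = sriFor(upstream);

console.log('upstream passes:', integrityMatches(upstream, pageIntegrity));
console.log('local copy passes:', integrityMatches(local, pageIntegrity));
```

The executable code is byte-identical in both strings, yet the digest covers every byte of the response, comments included, so the locally served copy fails the check.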
With this addon these tools are broken as they will always redirect to the home page:
More information: https://twitter.com/rugkme/status/675972938110210048
CC: @ScottHelme