
[Bug] Several navigator.plugins inconsistencies #407

@niespodd

Description


Describe the bug

This is an aggregated bug report for a few inconsistencies that I found in navigator.plugins evasion.

Reference mismatch

The Chromium implementation of the navigator.plugins array references a single PluginData instance (DOMPluginArray::refresh from L103) at the enabledPlugin field, at the integer and string keys of navigator.plugins[], and in the nested enabledPlugin-s, etc.

Code Snippet

// `refMatch` - Headless reports `false` while regular Chrome `true`
const nameMatch = navigator.plugins[0].name === navigator.plugins[0][0].enabledPlugin.name;
const refMatch = navigator.plugins[0][0].enabledPlugin === navigator.plugins[0];

navigator.plugins.refresh is not writable

Code Snippet

// `overrideTest` - Headless reports `false` while regular Chrome `true`
navigator.plugins.refresh = 'test';
const overrideTest = navigator.plugins.refresh === 'test';

item(unsigned long index) overflow

This is related to how V8 handles numerical overflows. This may theoretically have a wider impact than only navigator.plugins but needs to be researched.

Code Snippet

// `overflowTest` - Headless reports `false` while regular Chrome `true`
const overflowTest = navigator.plugins.item(4294967296) === navigator.plugins[0];
// this can go on with navigator.plugins.item(4294967297) === navigator.plugins[1]; etc.

<object /> onerror (PDF Viewer)

This is related to how events are fired from the <object />. To demonstrate this one I used a sample PDF file from here: http://www.africau.edu/images/default/sample.pdf

Code Snippet

// ...
await page.goto('http://www.africau.edu/');
const testResult = await page.evaluate(() => {
        // The promise has to be returned, otherwise page.evaluate resolves with undefined.
        return new Promise(resolve => {
            const obj = document.createElement("object");
            obj.data = "http://www.africau.edu/images/default/sample.pdf"; // A URL with ".pdf" extension. It doesn't have to be a valid PDF document. Anything that's over 0B in size will work.
            obj.onload = function() { resolve(true) }   // the embedded PDF viewer rendered the resource
            obj.onerror = function() { resolve(false) } // no viewer available for the resource
            document.body.appendChild(obj);
        })
});
// `testResult` - Headless reports `false` while a regular Chrome `true`

Versions

Most recent.
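The three synchronous checks above (reference identity, refresh writability, item() index wrap) can be exercised outside a browser against a model of DOMPluginArray. The block below is an added example, not code from the issue author or from the stealth plugin. checkPluginsConsistency() is the detector; makeChromeLikeNavigator() and makeNaiveSpoofNavigator() are constructed stand-ins (a Chrome-like array that hands out shared Plugin objects, keeps refresh as an ordinary prototype method and converts item()'s argument with ToUint32 as WebIDL requires for unsigned long; and a naive spoof that rebuilds objects per access, freezes refresh and does not wrap). The plugin records are constructed sample data shaped like older Chrome's list. The <object /> onerror check needs a live page and is not modelled here.

```javascript
// Added example, not code from the issue or from the stealth plugin.
// Constructed sample records, shaped like the plugin list older Chrome exposed.
const PLUGIN_DATA = [
  { name: 'Chrome PDF Plugin', filename: 'internal-pdf-viewer',
    mimeTypes: [{ type: 'application/x-google-chrome-pdf', suffixes: 'pdf' }] },
  { name: 'Chrome PDF Viewer', filename: 'mhjfbmdgcfjbbpaeojofohoefgiehjai',
    mimeTypes: [{ type: 'application/pdf', suffixes: 'pdf' }] },
];

// Runs the three checks from the report against any navigator-like object and
// returns each result plus the list of checks that came out false.
function checkPluginsConsistency(nav) {
  const plugins = nav.plugins;
  const r = {};

  // Reference mismatch: MimeType.enabledPlugin must be the very same Plugin
  // object exposed at plugins[0]. A spoof that rebuilds objects per access
  // passes the name comparison but fails the identity comparison.
  r.nameMatch = plugins[0].name === plugins[0][0].enabledPlugin.name;
  r.refMatch = plugins[0][0].enabledPlugin === plugins[0];

  // refresh writability: in Chrome, refresh is a plain writable method on the
  // prototype, so assignment creates a shadowing own property. A non-writable
  // refresh throws in strict mode or silently ignores the write in sloppy
  // mode; both count as a failure here.
  const hadOwnRefresh = Object.prototype.hasOwnProperty.call(plugins, 'refresh');
  try {
    plugins.refresh = 'test';
    r.overrideTest = plugins.refresh === 'test';
  } catch {
    r.overrideTest = false;
  }
  if (!hadOwnRefresh && r.overrideTest) delete plugins.refresh; // undo the shadowing

  // item(unsigned long): WebIDL converts the argument with ToUint32 (modulo
  // 2^32), so 2^32 + k must alias index k.
  r.overflowTest =
    plugins.item(2 ** 32) === plugins[0] && plugins.item(2 ** 32 + 1) === plugins[1];

  r.failed = Object.keys(r).filter((k) => r[k] === false);
  return r;
}

// Constructed stand-in for regular Chrome: one Plugin object per record, and
// every MimeType points back at that same object.
function makeChromeLikeNavigator() {
  const plugins = PLUGIN_DATA.map((rec) => {
    const plugin = { name: rec.name, filename: rec.filename, length: rec.mimeTypes.length };
    rec.mimeTypes.forEach((mt, i) => {
      plugin[i] = { type: mt.type, suffixes: mt.suffixes, enabledPlugin: plugin };
    });
    return plugin;
  });
  const proto = {
    // `index >>> 0` is ToUint32: 4294967296 -> 0, 4294967297 -> 1.
    item(index) { return plugins[index >>> 0] ?? null; },
    refresh() {},
  };
  const arr = Object.create(proto);
  plugins.forEach((p, i) => { arr[i] = p; });
  arr.length = plugins.length;
  return { plugins: arr };
}

// Constructed stand-in for a naive spoof: rebuilds a fresh Plugin tree on every
// access, locks refresh down, and passes item()'s argument through unwrapped.
function makeNaiveSpoofNavigator() {
  const build = (index) => {
    const rec = PLUGIN_DATA[index];
    if (!rec) return undefined; // no ToUint32 here, so 2^32 falls off the end
    const plugin = { name: rec.name, filename: rec.filename, length: rec.mimeTypes.length };
    rec.mimeTypes.forEach((mt, i) => {
      plugin[i] = { type: mt.type, suffixes: mt.suffixes, get enabledPlugin() { return build(index); } };
    });
    return plugin;
  };
  const arr = { length: PLUGIN_DATA.length, item: (index) => build(index) };
  PLUGIN_DATA.forEach((_, i) =>
    Object.defineProperty(arr, String(i), { get: () => build(i), enumerable: true }));
  Object.defineProperty(arr, 'refresh', { value() {}, writable: false, configurable: false });
  return { plugins: arr };
}

console.log('chrome-like failed checks:', checkPluginsConsistency(makeChromeLikeNavigator()).failed);
console.log('naive spoof failed checks:', checkPluginsConsistency(makeNaiveSpoofNavigator()).failed);
```

In a real page the detector would be called with `window.navigator`; the point of the stand-ins is that a name-only comparison is satisfied by both, while identity, writability and index-wrap behaviour separate a shared-reference DOMPluginArray from a rebuilt-per-access spoof.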
