[PM-5744] Adjust Fido2 Content Script Injection to Meet mv3 Requirements #8222
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ppend in Manifest v3
…-to-supress-download-without-dom-append
…mv2 side script for `lp-suppress-import-download.mv2.ts` if building the extension for mv3
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…f the Fileless Importer CSV download supression script
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
…-to-supress-download-without-dom-append
cagonzalezcs
dismissed stale reviews from Jingo88, audreyality, coroiu, and jprusik
via
229948d
audreyality
approved these changes
Apr 17, 2024
Jingo88
approved these changes
Apr 17, 2024
jprusik
approved these changes
Apr 17, 2024
coroiu
approved these changes
Apr 18, 2024
cagonzalezcs
deleted the
autofill/pm-5744-adjust-fido2-page-script-injection-for-mv3
branch
MGibson1
pushed a commit
that referenced
this pull request
Apr 22, 2024
…nts (#8222) * [PM-5876] Adjust LP Fileless Importer to Suppress Download with DOM Append in Manifest v3 * [PM-5876] Incorporating jest tests for affected logic * [PM-5876] Fixing jest test that leverages rxjs * [PM-5876] Updating documentation within BrowserApi.executeScriptInTab * [PM-5876] Implementing jest tests for the new LP suppress download content scripts * [PM-5876] Adding a change to webpack to ensure we do not package the mv2 side script for `lp-suppress-import-download.mv2.ts` if building the extension for mv3 * [PM-5876] Implementing changes based on feedback during code review * [PM-5876] Implementing changes based on feedback during code review * [PM-5876] Implementing changes based on feedback during code review * [PM-5876] Implementing changes based on feedback during code review * [PM-5876] Implementing a configuration to feed the script injection of the Fileless Importer CSV download supression script * [PM-5744] Adjust injection of `page-script.ts` within FIDO 2 implementation to ensure mv3 compatibility * [PM-5744] Adjusting structure of manifest.json to clean up implementation and ensure consistency between mv2 and mv3 * [PM-5744] Reverting inclusion of the ConsoleLogService * [PM-4791] Injected content scripts prevent proper XML file display and disrupt XML responses * [PM-5744] Adjust FIDO2 content script injection methodology to be compatible with manifest v3 * [PM-5744] Adjusting references to Fido2Service to mirror change of name to Fido2Background * [PM-5744] Migrating runtime background messages that are associated with Fido2 into Fido2Background * [PM-5744] Fixing named reference within Fido2Background * [PM-5744] Migrating all Fido2 messages from the runtime.background.ts script to the fido2.background.ts script * [PM-5744] Removing unnecessary dependency from runtime background * [PM-5744] Removing unnecessary dependency from runtime background * [PM-5744] Reworking how we handle init of Fido2Background * [PM-5744] Reworking page-script.ts to ensure that it can destory its global values on unload * [PM-5744] Reworking page-script.ts to ensure that it can destory its global values on unload * [PM-5744] Implementing separated injection methodology between manifest v2 and v3 * [PM-4791] Adjsuting reference for Fido2 script injection to ensure it only triggers on https protocol types * [PM-5744] Removing unnecessary message and handling reload of content scripts based on updates on observable * [PM-5744] Refactoring content-script implementation for fido2 * [PM-5744] Refactoring content-script implementation for fido2 * [PM-5744] Reworking implementation to avoid having multiple contenType checks within the FIDO2 content scripts * [PM-5744] Re-implementing the messageWithResponse within runtime.background.ts * [PM-5744] Reverting change to autofill.service.ts * [PM-5744] Removing return value from runtime.background.ts process message call * [PM-5744] Reworking how we handle injection of the fido2 page and content script elements * [PM-5744] Adjusting how we override the navigator.credentials request/reponse structure * [PM-5744] Working through jest tests for the fido2Background implementation * [PM-5744] Finalizing jest tests for the Fido2Background implementation * [PM-5744] Stubbing out jest tests for content-script and page-script * [PM-5744] Implementing a methodology that allows us to dynamically set and unset content scripts * [PM-5744] Applying cleanup to page-script.ts to lighten the footprint of the script * [PM-5744] Further simplifying page-script implementation * [PM-5744] Reworking Fido2Utils to remove references to the base Utils methods to allow the page-script.ts file to render at a lower file size * [PM-5744] Reworking Fido2Utils to remove references to the base Utils methods to allow the page-script.ts file to render at a lower file size * [PM-5744] Implementing the `RegisterContentScriptPolyfill` as a separately compiled file as opposed to an import * [PM-5744] Implementing methodology to ensure that the RegisterContentScript polyfill is not built in cases where it is not needed * [PM-5744] Implementing methodology to ensure that the RegisterContentScript polyfill is not built in cases where it is not needed * [PM-5744] Reverting package-lock.json * [PM-5744] Implementing a methodology to ensure we can instantiate the RegisterContentScript polyfill in a siloed manner * [PM-5744] Migrating chrome extension api calls to the BrowserApi class * [PM-5744] Implementing typing information within the RegisterContentScriptsPolyfill * [PM-5744] Removing any eslint-disable references within the RegisterContentScriptsPolyfill * [PM-5744] Refactoring polyfill implementation * [PM-5744] Refactoring polyfill implementation * [PM-5744] Fixing an issue where Safari was not resolving the await chrome proxy * [PM-5744] Fixing jest tests for the page-script append method * [PM-5744] Fixing an issue found where collection of page details can trigger a context invalidated message when the extension is refreshed * [PM-5744] Implementing jest tests for the added BrowserApi methods * [PM-5744] Refactoring Fido2Background implementation * [PM-5744] Refactoring Fido2Background implementation * [PM-5744] Adding enums to the implementation for the Fido2 Content Scripts and working through jest tests for the BrowserApi and Fido2Background classes * [PM-5744] Adding comments to the FIDO2 content-script.ts file * [PM-5744] Adding jest tests for the Fido2 content-script.ts * [PM-5744] Adding jest tests for the Fido2 content-script.ts * [PM-5744] Adding jest tests for the Fido2 page-script.ts * [PM-5744] Working through an attempt to jest test the page-script.ts file * [PM-5744] Finalizing jest tests for the page-script.ts implementation * [PM-5744] Applying stricter type information for the passed params within fido2-testing-utils.ts * [PM-5744] Adjusting documentation * [PM-5744] Adjusting implementation of jest tests to use mock proxies * [PM-5744] Adjusting jest tests to simply implementation * [PM-5744] Adjust jest tests based on code review feedback * [PM-5744] Adjust jest tests based on code review feedback * [PM-5744] Adjust jest tests based on code review feedback * [PM-5744] Adjusting jest tests to based on feedback * [PM-5744] Adjusting jest tests to based on feedback * [PM-5744] Adjusting jest tests to based on feedback * [PM-5744] Adjusting conditional within page-script.ts * [PM-5744] Removing unnecessary global reference to the messager * [PM-5744] Updating jest tests * [PM-5744] Updating jest tests * [PM-5744] Updating jest tests * [PM-5744] Updating jest tests * [PM-5744] Updating how we export the Fido2Background class * [PM-5744] Adding duplciate jest tests to fido2-utils.ts to ensure we maintain functionality for utils methods pulled from platform utils * [PM-5189] Addressing code review feedback * [PM-5744] Applying code review feedback, reworking obserable subscription within fido2 background * [PM-5744] Reworking jest tests to avoid mocking `firstValueFrom` * [PM-5744] Reworking jest tests to avoid usage of private methods * [PM-5744] Reworking jest tests to avoid usage of private methods * [PM-5744] Implementing jest tests for the ScriptInjectorService and updating references within the Browser Extension to use the new service * [PM-5744] Converting ScriptInjectorService to a dependnecy instead of a static class * [PM-5744] Reworking typing for the ScriptInjectorService * [PM-5744] Adjusting implementation based on feedback provided during code review * [PM-5744] Adjusting implementation based on feedback provided during code review * [PM-5744] Adjusting implementation based on feedback provided during code review * [PM-5744] Adjusting implementation based on feedback provided during code review * [PM-5744] Adjusting how the ScriptInjectorService accepts the config to simplify the data structure * [PM-5744] Updating jest tests to cover edge cases within ScriptInjectorService * [PM-5744] Updating jest tests to reference the ScriptInjectorService directly rather than the underlying ExecuteScript api call * [PM-5744] Updating jest tests to reflect provided feedback during code review * [PM-5744] Updating jest tests to reflect provided feedback during code review * [PM-5744] Updating documentation based on code review feedback * [PM-5744] Updating how we extend the abstract ScriptInjectorService * [PM-5744] Updating reference to the frame property on the ScriptInjectionConfig
lorenz
added a commit
to lorenz/clients
that referenced
this pull request
Oct 29, 2024
The original implementation of bufferSourceToUint8Array was incorrect as it did not consider that TypedArray instances represent a view of the underlying ArrayBuffer which does not necessarily cover the entire backing ArrayBuffer. This resulted in the output of this function containing data which would not be logically contained in the input. This was partially fixed by bitwarden#8787 for the common case of the input already being an Uint8Array, but it was still broken for any other TypedArrays. But bitwarden#8222 introduced another copy of the original broken code, breaking the Uint8Array case again. Fix this once and hopefully for the last time with a correct implementation of bufferSourceToUint8Array and using that in the appropriate places instead of open-coding it. In addition there are now tests which exercise most edge cases with regards to ArrayBuffer and TypedArrays.
lorenz
added a commit
to lorenz/clients
that referenced
this pull request
Oct 29, 2024
The original implementation of bufferSourceToUint8Array was incorrect as it did not consider that TypedArray instances represent a view of the underlying ArrayBuffer which does not necessarily cover the entire backing ArrayBuffer. This resulted in the output of this function containing data which would not be logically contained in the input. This was partially fixed by bitwarden#8787 for the common case of the input already being an Uint8Array, but it was still broken for any other TypedArrays. But bitwarden#8222 introduced another copy of the original broken code, breaking the Uint8Array case again. Fix this once and hopefully for the last time with a correct implementation of bufferSourceToUint8Array and using that in the appropriate places instead of open-coding it. In addition there are now tests which exercise most edge cases with regards to ArrayBuffer and TypedArrays.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change
Objective
The changes in this PR ensure that we can inject the FIDO2 content scripts used for the Passkeys feature in a manner than is allowed within manifest v3. It also addresses a couple of side concerns that ensure we inject our content scripts for this feature in a manner that is respectful of user settings while ensuring we can inject them ASAP.
With these changes, we are introducing a polyfill that facilitates the
browser.contentScripts.registermethod within browsers that do not support this feature (Chrome and Safari). This allows us to dynamically register content scripts such that we can handle injecting the FIDO2 content scripts without any delay, allowing us to more effectively introduce the WebAuthn overrides to facilitate Bitwarden passkeys behavior. With this added polyfill, we can also disable the content scripts entirely for users who do not wish to use the feature. This ensures that we do not inject these scripts at all if the user does not want them injected into a tab.Another improvement introduced by this PR is the lightening of the
page-script.jsfile that gets injected to facilitate Passkeys behavior. We've reworked the imports used in this script to have the script go from ~650kb to ~35kb after compilation.Finally, we've implemented a fix that ensures we dynamically inject or disable the FIDO2 content scripts after a user has set/unset the setting for passkeys. This ensures that users do not need to reload their browser in order to use the feature after the setting has been turned on. It also disables the feature in all existing browser tabs if the user has turned the feature off.
Code changes
I'm going to reference files that directly affect the implementation, anything not referenced either represents testing files, abstractions, or other small changes that do not affect the implementation in a significant manner.
Extension context invalidatederror due to a delayed capture of autofill page content if the user reloads the extensionFido2Serviceclass such that the referenced the newFido2Backgroundclass used to handle background interactions for Fido2 behavior.RuntimeBackgroundto bring all Fido2 related messages to theFido2Background. This will centralize expected logic triggered by the message withinFido2Background.trigger-fido2-content-script-inject.jsstatic content script in favor of the dynamic registration approach we now use. Also adding thewebNavigationpermission to facilitate dynamic registration of these scripts in all frames.trigger-fido2-content-script-inject.jsstatic content script in favor of the dynamic registration approach we now use. Also adding thewebNavigationpermission to facilitate dynamic registration of these scripts in all frames.chrome.scriptingAPI, thebrowser.contentScriptsAPI, or the content script polyfill depending on what is available to use in the browser scope.Fido2Serviceclass that now facilitates injection of the Fido2 content scripts and updating behavior related to Fido2 script injection. This class now handles all Fido2 related extension messages, and triggers behavior as necessary based on those messages.page-script.jsinjection in mv2.page-script.jsto the DOM.isFido2FeatureEnabledto ensure we disqualify usage of the feature as soon as possible.page-script.ts