GM not working in Firefox 81.0.2 with DuckDuckGo Privacy Essentials extension #607

Closed
brentfraser opened this issue Oct 19, 2020 · 2 comments · Fixed by #608

Comments

@brentfraser
Contributor

But it works if in FF I turn off the DuckDuckGo Privacy Essentials extension.

Symptom
Using the demo GM stops after it shows the basic HTML and does not show the Catalog entries.

Investigation
After I switch the index.html to use geomoose.js instead of geomoose.min.js, the FF console shows an error in GM's index.js line 94

    for (var i = 0; i < scriptTags.length; i++) {
        var src = scriptTags[i].getAttribute('src');
        if (src.indexOf('geomoose.js') >= 0 || src.indexOf('geomoose.min.js') >= 0) {
            distPath = src.split('/').slice(0, -1).join('/');
        }
    }

The error is at the if(src.indexOf because the first of the three scriptTags[] does not have a 'src' attribute so src is null. While the other two scriptTags[] look legit (geomoose.js and config.js), this bit of JavaScript looks odd. It's about 25 lines of things like Object.defineProperty(navigator, "doNotTrack", { value: "unspecified" }); (Thanks, Privacy Essentials extension!)

Fix
Anyways, the fix is to test if src is not null prior to the (src.indexOf test.

@klassenjs
Member

Is the DDG extension injecting an anonymous script into the page? That seems like an odd thing to do and a bit of a difficult environment to target/test if the browser is rendering a different page than we coded.

However, adding the null check in the name of defensive programming seems like a good thing to do.

if(src && src.indexOf...

@brentfraser
Contributor Author

Those were my thoughts too. I think there is a pitched battle between sites trying to harvest info about users and browsers/users trying to prevent it.

And like you say, we need to code to expect the unexpected.

klassenjs added a commit to klassenjs/gm3 that referenced this issue Nov 2, 2020
The DuckDuckGo Privacy Essentials extension for Firefox and Chrome
injects anonymous script elements into the webpage.  This breaks
an assumption in index.js that all script elements have a valid
src attribute.

In the name of defensive coding and playing well with others,
this commit protects access to the src element with a null check.

However, this seems like very sketchy behavior to me on the part of
DDG PE.  It appears identical to a malicious code injection attack.
And I'm really not sure how we are supposed to reliably code for an
environment where the definition of the environment, and even our
own application code, can be changed out from under us at any time.

fixes geomoose#607
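
A hardened form of the script lookup discussed in this issue, as an added example that is not GeoMoose's code or the change made in the referenced commit. It skips script elements that have no src (inline scripts, including ones an extension injects) and goes slightly beyond the thread by comparing the exact file name instead of a substring; `findDistPath`, `mockScript` and the sample tags are hypothetical names constructed for illustration.

```javascript
// Constructed stand-in for a <script> element, so the example runs outside a browser.
// In a page, pass document.getElementsByTagName('script') instead.
function mockScript(src) {
    return {
        getAttribute: function (name) {
            return name === 'src' ? src : null;
        }
    };
}

// Return the directory of the first script whose file name is in `names`,
// or null when no such script exists. (The loop on the page keeps the last match.)
function findDistPath(scriptTags, names) {
    for (var i = 0; i < scriptTags.length; i++) {
        var src = scriptTags[i].getAttribute('src');
        // Inline or injected scripts have no src: getAttribute returns null.
        if (typeof src !== 'string' || src === '') {
            continue;
        }
        // Drop any query string or fragment, then isolate the file name.
        var path = src.split(/[?#]/)[0];
        var parts = path.split('/');
        var file = parts[parts.length - 1];
        // Exact match, so 'not-geomoose.js' is not mistaken for 'geomoose.js'.
        if (names.indexOf(file) >= 0) {
            return parts.slice(0, -1).join('/');
        }
    }
    return null;
}

// Constructed sample: the first element mimics the anonymous injected script.
var constructedTags = [
    mockScript(null),
    mockScript('dist/geomoose.min.js?v=1'),
    mockScript('config.js')
];
var GM_NAMES = ['geomoose.js', 'geomoose.min.js'];

function demoDistPath() {
    return findDistPath(constructedTags, GM_NAMES);
}
```
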