SecurityError in barclaycardus.com #461
Can reproduce in FF 61.0.1 / Stylus 1.4.13.

All those errors are for the page scripts, not for our scripts. Stylus doesn't touch page scripts, doesn't use Modernizr, doesn't add/modify any page variables. Stylus only adds the style elements in the page DOM. Personally I'm tired of FF-only bugs/quirks so I won't be investigating this.

Exactly. That's why I'm very surprised when I isolated Stylus even with a Firefox 61 clean profile. BTW, the sign in window is a frame with URL https://www.barclaycardus.com/servicing/authenticate/home?rnd=<random_number>. Some Firefox specific cross-domain security policy may contribute.

Er, will keep this one open instead.

Turns out this site doesn't like there's a

Thanks for the quick fix. Just curious, why is Chrome not affected?

I didn't investigate it. Maybe the site has different code for Chrome and there's a bug in the site code for FF. Or maybe there's a bug in FF that is triggered by the site code when it unexpectedly encounters our style element.

Mozilla finally approved the new version. I tried the 1.4.20 version from AMO. The homepage of Barclay US is indeed fixed. However, there are other pages in Barclay that still have the same "SecurityError", for instance https://www.barclaycardus.com/servicing/home?secureLogin= . Worse, when I login my account, the page is empty with "SecurityError". The common factors of these two are
I'm not sure if Modernizr itself is incompatible with Stylus, or it is the Barclay's way of using Modernizr. The former should be relatively easy to check. BTW, xStyle and Chrome Stylus work in both pages.

I've tried a couple of things but none worked ultimately. It still looks like a bug in FF to me which is triggered by our style order protection, implemented only in Stylus. Possible solutions:

Option 3 looks like the easiest temporary fix. But Modernizr is relatively popular. Other websites might use it. Option 2 also looks like a clutch solution, as other Javascript libraries might do what Modernizr does. There is never an end. I'm not familiar with this style order protection feature. Does it allow styles to be injected in specific order? If so, I do not see any reorder button in the extension to take advantage of it. In my opinion, if it is not a critical function, disabling it by default (for maximum compatibility) and provide option to enable it for whoever brave, basically option 4, seems the best way out. But you guys decide.

Option 5, add all the page styles into one big style tag. We might have to do this anyway if/when we switch to using

Style order preservation ensures our styles are inserted in the order of their internal id and that they always follow
In the future we might use contentScripts.register in FF or declarativeContent when it's implemented, both could be better than insertCSS.

Same issue seems to stop OS: Windows x64

Traced the error on barclaycardus.com to an ancient buggy Modernizr build they're still using sourced from https://gist.github.com/srobbin/2773397
Firefox 59 (the bisect from above) decided to hide the contents of style elements added by an extension (thus violating DOM specification I believe but who am I anyway) and the buggy site script fails to access the last styleSheet element as it's now the one added by Stylus. I didn't investigate icloud.com as I don't have an account, but it's likely they make the same assumptions about accessibility of styleSheets. The current version of Modernizr wraps the styleSheet access code into try/catch so the majority of popular sites shouldn't be affected.
Back to possible solutions. I don't like exposing such a low-level option in UI as only two sites were reported so far, one confirmed to be using an ancient buggy library (kinda their fault).

Tried the test version, the issue persists. (I disabled the current version before adding the test version temporarily.)
It's a minified script so this won't help much I think. One more note about how icloud.com loads: I pasted the given error text to pastebin: https://pastebin.com/hi1dZuQp

Yep, that error indicates icloud fails due to the same reason while accessing document.styleSheets.
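
An added illustration, not code from Stylus, Modernizr or any commenter in this thread: the failure mode traced above, modelled with constructed stand-ins for `document.styleSheets` so it runs outside a browser. It assumes the denial surfaces as a `SecurityError` thrown when a page script reads `cssRules`; `makeSheet`, `sampleSheets` and the function names are hypothetical.

```javascript
// Constructed mock of one entry in document.styleSheets. When `readable`
// is false, reading cssRules throws, which is the assumed way the browser
// denies a page script access to an extension-injected style element.
function makeSheet(owner, rules, readable) {
  return {
    owner,
    get cssRules() {
      if (!readable) {
        const err = new Error('constructed: access to sheet denied');
        err.name = 'SecurityError';
        throw err;
      }
      return rules;
    },
  };
}

// Constructed sample: two page sheets, then a sheet appended by an extension.
const sampleSheets = [
  makeSheet('page', ['body { margin: 0 }'], true),
  makeSheet('page', ['#probe { top: 9px }'], true),
  makeSheet('extension', ['a { color: red }'], false),
];

// Fragile pattern: assumes the last sheet is the page's own and readable.
function lastSheetRulesFragile(sheets) {
  return sheets[sheets.length - 1].cssRules;
}

// Defensive pattern: walk backwards and skip sheets that refuse access.
function lastReadableRules(sheets) {
  for (let i = sheets.length - 1; i >= 0; i--) {
    try {
      const rules = sheets[i].cssRules;
      if (rules) return { index: i, rules };
    } catch (e) {
      if (e.name !== 'SecurityError') throw e; // swallow only access denials
    }
  }
  return null; // no sheet was readable
}

// Helper for inspection: name of the error a function throws, or null.
function errorNameOf(fn, sheets) {
  try { fn(sheets); return null; } catch (e) { return e.name; }
}
```
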

This workaround works as expected! Thanks!

Please add
to workaround the same problem on older routers like the FRITZ!Box 7170. Those routers by manufacturer AVM are very popular in Germany with a market share of about 50%.

The numeric addresses are all from a private range so they can point to anything on a given computer, hence we can't hardcode it. I'll test the performance and maybe just enable the workaround by default in Firefox.

Could they add that to their host file?

@tophf Sorry for a late comment. Thanks for the fix. Since you have most knowledge here, could you open a bug to Mozilla to fix the behavior in Firefox? Ideally we should not need Firefox specific workaround in the code.
Firefox Nightly 2018-08-05
Windows 10 64-bit
Steps to reproduce:
and
Version
It appears this bug only exhibits in Firefox Stylus 1.4.13. In Chrome Stylus 1.4.17 there is no problem.
Other information