Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes window.ipfs is added after page load #368

Merged
merged 9 commits into from
Feb 7, 2018

Conversation

alanshaw
Copy link
Member

@alanshaw alanshaw commented Feb 1, 2018

fixes #362

also fixes whitelist by default from review feedback

see #362 (comment) for discussion

screen shot 2018-02-01 at 16 44 03

"swarm.peers",
"swarm.addrs",
"swarm.localAddrs"
]
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Too permissive?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a whitelist right? Any other calls will by default be blocked? Think they are all fine, but I do worry about for example MFS being totally open for everyone with access to window.ipfs.

Copy link
Member

@lidel lidel Feb 1, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest we remove all *.ls from whitelist for now. Adding / reading specific hash can be done without explicit permission, but listing internal node states should require explicit confirmation.

"swarm.peers",
"swarm.addrs",
"swarm.localAddrs"
]
Copy link
Member

@lidel lidel Feb 1, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest we remove all *.ls from whitelist for now. Adding / reading specific hash can be done without explicit permission, but listing internal node states should require explicit confirmation.

package.json Outdated
@@ -44,6 +46,7 @@
"babel-preset-es2015": "6.24.1",
"babel-preset-es2017": "6.24.1",
"babelify": "8.0.0",
"brfs": "^1.4.4",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

^ :))

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry!

@alanshaw alanshaw force-pushed the fix/window.ipfs-added-after-page-load branch from 8c1fded to 4604290 Compare February 2, 2018 09:31
@victorb
Copy link
Member

victorb commented Feb 2, 2018

Tried it out, worked beautifully! Nice to see a IPFS app whose size is only 2.2K 👯

@@ -5003,7 +5343,7 @@ level-js@^2.2.4:
typedarray-to-buffer "~1.0.0"
xtend "~2.1.2"

level-js@timkuijsten/level.js#idbunwrapper:
"level-js@github:timkuijsten/level.js#idbunwrapper":
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Weird, somehow this changed from being a npm link (I think?) to being a github link, requiring git and therefore breaking the docker image.

Copy link
Member

@lidel lidel Feb 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed it in 1a968ee. More context:

Same thing happened to me after a yarn cache clean (trying to get a git branch dependency to update).

Removing the node_modules folder and running yarn again seemed to work around the issue.
yarnpkg/yarn#2083 (comment)

Closed since this seems to be resolved in recent versions.
yarnpkg/yarn#2083 (comment)

@alanshaw alanshaw changed the title [WIP] Fixes window.ipfs is added after page load Fixes window.ipfs is added after page load Feb 5, 2018
@alanshaw
Copy link
Member Author

alanshaw commented Feb 5, 2018

@lidel good to merge now?

Copy link
Member

@lidel lidel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alanshaw after solving problem with git (1a968ee) now we are blocked by a problem with addon linter (npm run lint):

ERRORS:

Code             Message                       Description                                                                                            File                                        Line   Column
FILE_TOO_LARGE   File is too large to parse.   This file is not binary and is too large to parse. Files larger than 4MB will not be parsed. If your   dist/contentScripts/ipfs-proxy/content.js                
                                               JavaScript file has a large list, consider removing the list and loading it as a separate JSON file                                                             
                                               instead.

and indeed, our content scripts take more space than entire addon 🙃

--- ipfs-companion/add-on/dist ---
    8.0 MiB [##########] /contentScripts
    3.9 MiB [####      ]  ipfs-companion-common.js
    1.2 MiB [#         ] /background
  404.0 KiB [          ] /popup 
  184.0 KiB [          ] /pages
   64.0 KiB [          ] /options
--- ipfs-companion/add-on/dist/contentScripts/ipfs-proxy ---
    4.1 MiB [##########]  content.js
    3.9 MiB [######### ]  page.js
    4.0 KiB [          ]  inject-script.js

@alanshaw
Copy link
Member Author

alanshaw commented Feb 5, 2018

eek, wtf?! I'm guessing that's because we're adding window.Ipfs as well. I think we could get rid of half of that by removing dist/contentScripts/ipfs-proxy/page.js after dist/contentScripts/ipfs-proxy/content.js is generated (page.js is inlined into content.js so isn't actually used). Would that be acceptable or should we remove window.Ipfs altogether?

@lidel
Copy link
Member

lidel commented Feb 5, 2018

I am afraid removing page.js is not enough: content.js itself is >4MiB.
We need to remove window.Ipfs for now, or find a way to go under linter limit somehow.

@alanshaw
Copy link
Member Author

alanshaw commented Feb 5, 2018

I can bring content.js down to 2MB if I uglifyify page.js (this includes window.Ipfs) - is that cool?

@lidel
Copy link
Member

lidel commented Feb 5, 2018

Yes, we can minimize the output as long we have reproducible builds (#306).

@alanshaw
Copy link
Member Author

alanshaw commented Feb 7, 2018

@lidel what did you do to fix the yarn issue?

@lidel
Copy link
Member

lidel commented Feb 7, 2018

@alanshaw removing the node_modules folder and running yarn again seemed to work around the issue (I did it on a linux box, if that matters. idea from: yarnpkg/yarn#2083 (comment))

@alanshaw
Copy link
Member Author

alanshaw commented Feb 7, 2018

🙄 that's what I did...

@lidel
Copy link
Member

lidel commented Feb 7, 2018

Did you run via npm run yarn-build to guarantee correct yarn is used?
Perhaps you have an older version installed globally. 🤔

@alanshaw
Copy link
Member Author

alanshaw commented Feb 7, 2018

I did yes. I'm not sure how we can avoid this when our dependencies have github dependencies e.g.

https://github.com/libp2p/js-libp2p-crypto/blob/71339e08e75f6c92485e22a95caf96164cbb1cad/package.json#L45

@alanshaw
Copy link
Member Author

alanshaw commented Feb 7, 2018

@lidel I'm not sure your commit in 1a968ee fixed the build - I still see lots of github: dependencies in that file.

@lidel
Copy link
Member

lidel commented Feb 7, 2018

@alanshaw I've just added git to the image for now and it fixed the build.
(CI is being reworked in #372, but i did not want to port that PR here, just fixed alpine image so I can merge this PR)

@lidel lidel merged commit 6891f74 into ipfs:master Feb 7, 2018
lidel added a commit that referenced this pull request Jun 8, 2018
This change enables Firefox users to disable creation of window.ipfs,
solving fingerprinting issue raised in:
#451

The key difference between tabs.executeScript and contentScripts API
is that the latter provides guarantee to execute before anything else.

Chrome does not provide contentScripts API and we need to statically
load content_script via  manifest.

More info on the underlying issue:
#368
#362 (comment)
lidel added a commit that referenced this pull request Jun 13, 2018
This change enables Firefox users to disable creation of window.ipfs,
solving fingerprinting issue raised in:
#451

The key difference between tabs.executeScript and contentScripts API
is that the latter provides guarantee to execute before anything else.

Chrome does not provide contentScripts API and we need to statically
load content_script via  manifest.

More info on the underlying issue:
#368
#362 (comment)
@alanshaw alanshaw deleted the fix/window.ipfs-added-after-page-load branch June 13, 2018 19:42
lidel added a commit that referenced this pull request Jun 14, 2018
This change enables Firefox users to disable creation of window.ipfs,
solving fingerprinting issue raised in:
#451

The key difference between tabs.executeScript and contentScripts API
is that the latter provides guarantee to execute before anything else.

Chrome does not provide contentScripts API and we need to statically
load content_script via  manifest.

More info on the underlying issue:
#368
#362 (comment)
lidel added a commit that referenced this pull request Jun 15, 2018
This PR enables Firefox users to disable creation of `window.ipfs` attribute via _Preferences_ screen, solving fingerprinting issue raised in #451.

It requires webpack, so should be merged after #498 

### Background

Existing `tabs.executeScript` API with `runAt: 'document_start'` flag was executing too late and page scripts were  unable to detect `window.ipfs` correctly.  More info on the underlying issue: #368 #362 (comment)

As a workaround that worked in both Chrome and Firefox, we were forced to always load content script via manifest definition. This meant no control over when it is loaded and no easy off switch. If `window.ipfs` was disabled via _Preferences_, it was throwing an Error on access, but remained in the scope.

Mozilla added [`contentScripts`](https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/contentScripts/register) API in Firefox 59. The key difference between `tabs.executeScript` and `contentScripts` API is that the latter provides guarantee to execute before anything else on the page, passing [our synchronous smoke test](https://ipfs-shipyard.github.io/ipfs-companion/docs/examples/window.ipfs-fallback.html). 

### Known Issues

Chrome does not provide `contentScripts` API so it will continue to statically load `content_script` via  manifest.  Hopefully with time, other browser vendors will adopt the new API.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

window.ipfs injected after page loaded
3 participants