
Ledger Nano S & Firefox 85: DOMException DataCloneError in postMessage of ledgerConnect.showAddress()

Open LeoniePhiline opened this issue 4 years ago • 7 comments

In Firefox 85.0 on OpenSUSE Tumbleweed, the following fails:

this.ledgerConnect && await this.ledgerConnect.showAddress({
  params: {
    address: a,
    ...l
  },
  serial: s
})

This happens when trying to verify an address with Ledger Nano S.

Log output:

HWVerifyAddressStore::_verifyAddress called yoroi_01e7b97c.chunk.js:formatted:53
[YLCH] Opening: https://emurgo.github.io/yoroi-extension-ledger-connect/#/v2/ vendors_yoroi_253ae210.chunk.js:formatted:8418
HWVerifyAddressStore::ledgerVerifyAddress show path [XXXXXXXXXX,XXXXXXXXXX,XXXXXXXXXX,X,X] yoroi_01e7b97c.chunk.js:formatted:53
[YLCH] _sendMessage::webauthn::ledger-show-address vendors_yoroi_253ae210.chunk.js:formatted:8433
Uncaught (in promise) DOMException: The object could not be cloned. vendors_yoroi_253ae210.chunk.js:6
LedgerLocalizedError::convertToLocalizableError::error: {} yoroi_01e7b97c.chunk.js:formatted:57
[YLCH] Made Yoroi Extension active vendors_yoroi_253ae210.chunk.js:formatted:8453
[YLCH] closed target Website vendors_yoroi_253ae210.chunk.js:formatted:8454
[YLCH] disconnected extension port vendors_yoroi_253ae210.chunk.js:formatted:8455
HWVerifyAddressStore::ledgerVerifyAddress finalized

Numbers in ledgerVerifyAddress redacted because I am unsure if they might be cryptographically significant.

DOMException detail:

e: DOMException
code: 25
columnNumber: 0
data: null
filename: "moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_253ae210.chunk.js"
lineNumber: 6
message: "The object could not be cloned."
name: "DataCloneError"
result: 2152923161
stack: "s/this._sendMessage@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_253ae210.chunk.js:6:169433\ns/this.showAddress/<@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_253ae210.chunk.js:6:167134\ns/this.showAddress@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_253ae210.chunk.js:6:167109\nYi/<@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/yoroi_01e7b97c.chunk.js:1:1794857\nasync*initializer/<@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/yoroi_01e7b97c.chunk.js:1:1796472\nwe@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:15:6883\nr@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:15:6779\ntrigger@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/yoroi_d2c39deb.chunk.js:1:7301\ne@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_7d359b94.chunk.js:167:33202\nverify@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/yoroi_224618e0.chunk.js:1:47924\ns@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:458\nh@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:601\n_/<@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:747\n_@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:833\not@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:16339\nat@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:16171\nst@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:16529\nht@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:17736\nI@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:114525\nz@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:2156\nZt@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:23693\nXt@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:22911\nt.unstable_runWithPriority@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:335:3844\nBa@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:45024\nC@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:114302\nJt@moz-extension://c41cc4c7-0c02-4957-9fa9-09e5d08011f0/js/vendors_yoroi_9c5b28f6.chunk.js:327:22726\n"

The same procedure works in Chromium 88.0.4324.96 and it has worked in Firefox before (I am unsure if in the same Firefox version).

Is this a bug in https://github.com/Emurgo/yoroi-extension-ledger-connect-handler/ or https://github.com/Emurgo/yoroi-frontend/ ? The message to be posted to the freshly opened window seems to be inadequately prepared.

LeoniePhiline avatar Feb 04 '21 01:02 LeoniePhiline
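
A DataCloneError like the one reported above means some value inside the posted message cannot be copied by the structured clone algorithm. The following is an added example, not part of the original issue or of Yoroi/Emurgo code, and it does not identify the actual cause in Yoroi: it reports which paths in a message are uncloneable and refuses to send until they are fixed. The names `findUncloneable`, `postChecked` and the sample message are hypothetical, and a runtime with the global `structuredClone` (current browsers, Node 17+) is assumed.

```javascript
// Added example (not Yoroi code): find the values in a message that the
// structured clone algorithm behind postMessage() refuses to copy.
const kindOf = (v) =>
  v !== null && typeof v === "object" ? v.constructor?.name ?? "Object" : typeof v;

function findUncloneable(value, path = "message", ancestors = new Set()) {
  try {
    structuredClone(value); // same algorithm postMessage() applies
    return [];              // clones cleanly: nothing to report below here
  } catch (err) {
    if (err.name !== "DataCloneError") throw err;
  }
  if (value === null || typeof value !== "object") {
    return [{ path, kind: kindOf(value) }]; // leaf such as a function or symbol
  }
  if (ancestors.has(value)) return []; // cycle: already inspected higher up
  ancestors.add(value);
  const hits = [];
  for (const key of Object.keys(value)) {
    hits.push(...findUncloneable(value[key], `${path}.${key}`, ancestors));
  }
  ancestors.delete(value);
  // No offending child: the container itself (Promise, WeakMap, ...) is the problem.
  return hits.length ? hits : [{ path, kind: kindOf(value) }];
}

// Fail closed: refuse to send rather than silently dropping fields, so the
// receiving page never acts on a message that differs from what was built.
function postChecked(port, message) {
  const bad = findUncloneable(message);
  if (bad.length > 0) {
    const list = bad.map((b) => `${b.path} (${b.kind})`).join(", ");
    throw new TypeError(`message is not structured-cloneable: ${list}`);
  }
  port.postMessage(message);
}

// Constructed sample, loosely shaped like the showAddress() call above;
// the onDone callback is the deliberately uncloneable field.
const sampleMessage = {
  action: "ledger-show-address",
  params: { address: "constructed-address", path: [1, 2, 3], onDone: () => {} },
  serial: undefined,
};
console.log(findUncloneable(sampleMessage));
```
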

Probably we won't be able to fix this because Ledger has dropped support for Firefox for the foreseeable future. The proper fix will be disabling Ledger entirely on Firefox builds.

SebastienGllmt avatar Feb 04 '21 03:02 SebastienGllmt

Hi Sebastien, thank you for your response. Isn't '@emurgo/ledger-connect-handler' an emurgo package? The DataCloneError seems to occur while posting the message to the other tab. Or is it triggered while receiving the response? Can I read more about Ledger dropping Firefox support somewhere? This would be a ridiculous step on their side.

LeoniePhiline avatar Feb 04 '21 03:02 LeoniePhiline

@LeoniePhiline https://github.com/LedgerHQ/ledgerjs/blob/master/docs/migrate_webusb.md#what-about-firefox-then

Deprecation for Firefox has been coming for a long time because there is just no good way to connect hardware wallets to Firefox.

SebastienGllmt avatar Feb 04 '21 04:02 SebastienGllmt

@SebastienGllmt I see. Thank you for finding the URL for me! :)

How about building and publishing Yoroi as an Electron app, like the Ledger Live wallet app?

It probably anyway scares lots of potential Cardano users away when they find out the wallet is implemented as a browser extension. I myself have been on the fence for quite a while. If I had no hardware wallet keeping my keys, I'd probably never be willing to run my wallet as a browser extension.

I think publishing the app packaged as an actual tangible app can help Cardano adoption drastically. To a new user, https://addons.mozilla.org/en/firefox/addon/yoroi/ does not seem like a legit source for a place to manage (or as many starters would think: store) your cryptocash.

LeoniePhiline avatar Feb 04 '21 19:02 LeoniePhiline

Electron apps are significantly less safe than browser extensions. We've thought about publishing an Electron app in the past despite this, but I've always been hopeful we can eventually release a PWA instead, which would keep the security and not require us to deal with the large overhead that managing an Electron app would entail.

SebastienGllmt avatar Feb 05 '21 11:02 SebastienGllmt

I'm familiar with PWAs but have not built an Electron app yet. How are Electron apps less secure than browser extensions?

LeoniePhiline avatar Feb 06 '21 18:02 LeoniePhiline

FWIW @SebastienGllmt, adalite.io seems to work pretty well with Ledger Nano devices and even Trezor bridge. Maybe Yoroi is doing something different?

goetzc avatar Oct 22 '21 17:10 goetzc