autoconsent
Use privileged APIs for simulating user interaction
This tool relies on unprivileged web content APIs instead of using the proper privileged APIs available to extensions (with debugger permissions) & Chrome DevTools Protocol sessions.
Some consent managers are implemented with security protections that require genuine user interactions that cannot be spoofed by web content APIs.
Additionally, site owners can sabotage this tool by backdooring or breaking the web APIs that it relies on.
I feel like my suggestion is probably throwing too much shade on this repo. I don't mean to downplay what you've accomplished here, and I completely understand if you want to decline/cancel/deprioritize this issue.
If you are interested in experimenting with privileged APIs, here's an example of a privileged API that can spoof genuine user clicks: https://stackoverflow.com/questions/34853588/how-to-trigger-an-istrusted-true-click-event-using-javascript/53488689#53488689
While there is some overlap in Chrome, Firefox, and Safari's debugger protocols, admittedly it would require a lot of browser-specific work. Google made a Chrome DevTools Protocol->Safari debugger translation layer, though it might not be useful unless Safari offers a way for extensions to request debugger permissions. I am aware of similar limitations in Firefox, though iirc better CDP compatibility is still part of their roadmap.
Thanks for filing this. Are you aware of any CMPs that require trusted clicks? As far as I know, we didn't find any yet during testing. We are aware of this limitation, but unfortunately, as this solution is deployed in multiple different environments, we can't do trusted clicks in most of them with the currently available APIs.
> Additionally, site owners can sabotage this tool by backdooring or breaking the web APIs that it relies on.
The library runs in an isolated world, when available, so this should not be possible except for 'eval' rules (which run in page context).
> Are you aware of any CMPs that require trusted clicks?
Transcend Consent requires it:
Also, I was primarily referring to your eval() rules with my security critique.