
Firefox Bookmarklet not working on LA-Times website

Open shivams opened this issue 5 years ago • 2 comments

The Firefox bookmarklet is not working on some pages of Los Angeles Times (e.g. this article page). There may be more websites where it would not be working. The Chrome extension however works fine on the website.

I am using Firefox 69.0.1. I have an adblocker, but disabling it doesn't change anything.

Oct 08 '19 10:10 shivams

Thank you for the report. The most common reason this happens is due to a browser security feature called Content Security Policy, which is an inherent limitation of bookmarklets. However it looks like that is not what is happening here. The usual workaround is to use https://via.hypothes.is/, but that doesn't work either.


Some quick notes from an initial investigation:

Something on the site is doing funky stuff with scripts. This is me running the bookmarklet's logic in the browser console line by line:

[Screenshot: 2019-10-08 13 04 36]

The reason this doesn't affect the browser extension is because it executes its code in an isolated JavaScript context which isn't affected by whatever monkey-patching of DOM APIs the browser does.

Inspecting the HTMLScriptElement created here, it looks normal except for a private __src property. Looking through the various JavaScript files that the site loads, there are some suspicious-looking references to that name in https://nexus.ensighten.com/caltimes/latimes/Bootstrap.js. Looking at https://www.ensighten.com, it appears to be a suite of products designed to prevent unauthorized code execution on websites.

It looks like it monkey-patches basic DOM APIs including:

  • document.createElement
  • HTMLElement.prototype.appendChild
  • ... and many others

It looks like most URL setters get routed through code which filters URLs and replaces them with dummy values.


While I'm sure we could figure out a way to work around the current iteration of this, they (Ensighten) are used to dealing with malicious actors and have more resources to spend on cat-and-mouse than we do. A more long-lasting workaround is likely to be preventing their code from running in the first place:

  • Get the browser extension working on Firefox, as browser extensions are naturally protected from other JS on the page
  • @shivams if you configure your adblocker to block scripts from https://nexus.ensighten.com that may solve the problem
  • We could block https://nexus.ensighten.com in Via. I'm sure Ensighten could work around that if they wanted to, but it involves changes for their customers and is probably going to be more effort than it is worth for them and the site.

Oct 08 '19 12:10 robertknight
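
A diagnostic for the behaviour described in the comment above, as an added example that is not part of the original thread and is not Hypothesis or Ensighten code: it reports which DOM entry points have been replaced by page script, by checking whether each function still stringifies to `[native code]`. All function names and the `makeSampleWindow` stand-in are constructed for illustration so the block runs outside a browser; in a page console you would pass `window` instead.

```javascript
// Engine-implemented functions stringify to "[native code]"; a wrapper
// written in page JavaScript exposes its own source text instead.
const nativeToString = Function.prototype.toString;

function looksNative(fn) {
  if (typeof fn !== "function") return false;
  try {
    return /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
  } catch (e) {
    return false; // e.g. a revoked Proxy: treat as not native
  }
}

// spec is "a.b.c" for a method, or "set a.b.c" / "get a.b.c" for an accessor.
function lookup(root, spec) {
  const [kind, path] = spec.includes(" ") ? spec.split(" ") : ["value", spec];
  const keys = path.split(".");
  const last = keys.pop();
  const owner = keys.reduce((o, k) => (o == null ? undefined : o[k]), root);
  if (owner == null) return undefined;
  if (kind === "value") return owner[last];
  const desc = Object.getOwnPropertyDescriptor(owner, last);
  return desc ? desc[kind] : undefined;
}

function findPatchedApis(root, specs) {
  return specs.filter((spec) => {
    const fn = lookup(root, spec);
    return typeof fn === "function" && !looksNative(fn);
  });
}

// Constructed stand-in for a browser global so this runs outside a browser:
// a real built-in plays the untouched API, plain functions play patched ones.
function makeSampleWindow() {
  const scriptProto = {};
  Object.defineProperty(scriptProto, "src", {
    get() { return this.__src; },
    set(url) { this.__src = "filtered:" + url; },
  });
  return {
    document: { createElement: function (tag) { return { tag }; } },
    HTMLElement: { prototype: { appendChild: Array.prototype.push } },
    HTMLScriptElement: { prototype: scriptProto },
  };
}

const CHECKS = ["document.createElement",
  "HTMLElement.prototype.appendChild", "set HTMLScriptElement.prototype.src"];
console.log(findPatchedApis(makeSampleWindow(), CHECKS));
```

An empty result is not proof that nothing was patched: a function wrapped with `bind` or a `Proxy`, or a page that also replaces `Function.prototype.toString`, still reports `[native code]`.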

Thank you @robertknight for such a prompt response! Blocking https://nexus.ensighten.com/ does indeed work :+1:

I am eagerly awaiting the Firefox browser extension.

Oct 09 '19 05:10 shivams