CanvasBlocker
Breaks https://itty.bitty.site even when "disabled" from extension popup
Description
This neat little site I discovered from you when reading issue #208 doesn't render properly even if the extension panel toggle is set to turn off protection. Disabling the extension fixes the issue.
Expected Behaviour
Site is blocked initially, but then functions once the panel on-off is toggled to off and the page refreshed.
Current Behaviour
Pages remain blocked with "Content Security Policy: The page’s settings blocked the loading of a resource at data:text/html;charset=utf-8;base64,PG1l… (“frame-src”)." even if toggle is set to disabled and the page is refreshed.
Steps to Reproduce (for bugs)
- Create a fresh Firefox profile, including uBlock Origin
- Navigate to a saved https://itty.bitty.site site (this one says "test" https://itty.bitty.site/#/?eJyzKbArSS0usdEvsLMBoqQiOxATAFS6BxU=)
  a. Creating a new site works, but once created if you refresh it will break
- Install extension, applying the "Convenient Settings" and "reCAPTCHA exception" presets.
- In a new tab navigate to a saved https://itty.bitty.site site again.
  a. Note in the console that the first line is a warning that says something like
     [CanvasBlocker] invalid content script order: require not defined at https://itty.bitty.site/#/?eJyzKbCzttEvsAMACi4CPw=
     and there is a CSP error.
- Open the extension popup panel and click the blue fingerprint, turning it red, then click the refresh page button (or strike F5, or any other refresh type including Ctrl+F5, none work).
  a. Note the console no longer has the [CanvasBlocker] warning but the CSP error remains.
Context
Just noticed the issue, figured I'd report it. Thanks for CB, but also for introducing me to the itty.bitty.site tool.
Your Environment
- CanvasBlocker Version used: 1.9
- Firefox version incl. 32- or 64-bit: 114.0.2 (64-bit) and 115.0b9 (64-bit)
- Operating System and version (desktop or mobile): desktop
- Installed addons: none in the above instructions, but uBlock Origin, Ghostery, Privacy Badger, etc.
Your Settings
Default with convenient and recaptcha exception presets applied from welcome page.
There are two problems... one I can solve and the other one only partially.
When whitelisting the domain, the protection of the data-URL is not whitelisted. I will change that.
The other problem is that these CSP headers are cached and only reset if you do a reload without the cache (Ctrl + Shift + R). The refresh button in the addon popup can be modified to bypass the cache. But F5 and the normal button cannot...
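
The console error in this report names the frame-src directive and a data: URL. As an added example (not part of the thread, and not CanvasBlocker's or the site's own code), this JavaScript sketch checks whether a set of CSP policies permits framing a data: URL, following the CSP Level 3 fallback chain. The function names and the sample policy strings in the comments are assumptions constructed for illustration.

```javascript
// Added example: does a list of CSP header values let a page frame a data: URL?
// Useful when diagnosing a "frame-src" violation like the one quoted in the report.

// Parse one serialized policy ("dir v1 v2; dir2 v3") into a Map of directive -> sources.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// frame-src falls back to child-src, then default-src (CSP Level 3).
function effectiveFrameSources(directives) {
  for (const name of ["frame-src", "child-src", "default-src"]) {
    if (directives.has(name)) {
      return { directive: name, sources: directives.get(name) };
    }
  }
  return null; // no governing directive: this policy does not restrict frames
}

// A data: URL matches only an explicit "data:" scheme source.
// "*" does not cover data:, and 'none' or an empty list matches nothing.
function policyAllowsDataFrame(policy) {
  const governing = effectiveFrameSources(parsePolicy(policy));
  if (governing === null) return true;
  return governing.sources.some((s) => s.toLowerCase() === "data:");
}

// Every policy delivered with a response is enforced, so a single refusal
// blocks the frame. One header value may carry several comma-separated policies.
function allowsDataFrame(headerValues) {
  return headerValues
    .flatMap((value) => value.split(","))
    .every(policyAllowsDataFrame);
}

// Constructed samples: a permissive page policy plus a stricter second policy.
// allowsDataFrame(["frame-src data: https:"])                   -> true
// allowsDataFrame(["frame-src data: https:", "frame-src 'self'"]) -> false
```

Because policies intersect, a stricter header that is still being served from cache keeps blocking the frame until the response is fetched again.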