foxygestures
Some websites with bad postMessage handlers experience problems when FG is enabled
This extension causes an error on https://developer.xero.com/myapps/ which prevents the redirect to login. Have to disable it to use the Xero apps page.
The reason why FG is causing errors on various sites is because those sites are not properly checking their postMessage message syntax when they rely on it for communication with nested frames. FG lives in each frame and has to share the postMessage communication channel with the scripts on the site, and those onsite scripts are getting confused by FG messages. Specifically, the issue is that each time a nested frame loads, FG would postMessage to the top-level frame that a new nested frame has appeared. This happens very early in the content script and was not disabled by the blacklist.
Unfortunately, I am not able to re-write FG to avoid the use of postMessage at this time or possibly ever. However, I have fixed the blacklist in a2176b9d068f55571318f238325c9b7951be3d4c such that the initial problematic frame loaded message is no longer sent when blacklisted. This means that developer.xero.com and spiegel.de are now working as expected when FG is blacklisted on those domains. This at least avoids the need to manually disable the addon in about:addons. I have not tested any of the other domains that require a login to trigger the issue.
These changes are included in FG 1.2.8 which will be released soon.
For what it's worth, MDN does recommend that all postMessage users verify the message syntax.
Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. (MDN)
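The syntax check the reply above recommends, as an added example that is neither FoxyGestures' code nor the affected sites' code: a fragile onmessage handler beside a hardened one, run over constructed events. The message shapes, the trusted origin and the `frame-loaded` message are assumptions for illustration, not FG's real message format.

```javascript
// Added example (not FoxyGestures' or any site's real code). Event objects are
// plain objects here so the example runs under Node; in a page they come from
// window.addEventListener("message", ...).

const TRUSTED_ORIGIN = "https://app.example"; // assumed origin of the nested frame

// Fragile handler: assumes every message is a JSON string carrying `command`.
// An unrelated message on the same channel makes it throw.
function fragileHandler(event) {
  const msg = JSON.parse(event.data);              // throws on non-JSON / object data
  return "handled:" + msg.command.toLowerCase();  // throws if `command` is missing
}

// Hardened handler: check the sender, then check the message's shape before use.
// Note that an extension content script posts from the page's own context, so its
// messages pass the origin check; only the syntax check filters them out.
function hardenedHandler(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null;
  let msg = event.data;
  if (typeof msg === "string") {
    try { msg = JSON.parse(msg); } catch (e) { return null; }
  }
  if (msg === null || typeof msg !== "object") return null;
  if (typeof msg.command !== "string") return null;
  if (!["login", "logout"].includes(msg.command)) return null;
  return "handled:" + msg.command;
}

// Run a handler over several events and record what happened instead of crashing.
function dispatch(handler, events) {
  return events.map((ev) => {
    try { return handler(ev); } catch (e) { return "error:" + e.constructor.name; }
  });
}

// Constructed events: a legitimate site message, an extension-style broadcast
// (a structured-clone object, not JSON text) from the page's own origin, and a
// cross-origin message with a valid-looking body.
const sampleEvents = [
  { origin: TRUSTED_ORIGIN, data: JSON.stringify({ command: "login" }) },
  { origin: TRUSTED_ORIGIN, data: { type: "frame-loaded", frameId: 3 } },
  { origin: "https://evil.example", data: JSON.stringify({ command: "login" }) },
];

// Fragile: ["handled:login", "error:SyntaxError", "handled:login"]
// Hardened: ["handled:login", null, null]
```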
Thank you for your investigations! I really appreciate it.
I recently noticed some issues with https://identity.lego.com. As soon as that website is opened an error message appears and it only appears when FG is active. Now I'm wondering if it is due to the same issue. Is there an easy way to test if it is due to the postMessage issue mentioned here?