
Check content type of the page before Promise JS injection

Open stanislav-degtjarjov opened this issue 7 years ago • 2 comments

Because Chrome handles pages according to their content type, injecting the JavaScript into pages where JavaScript is disabled causes the script to be injected as text.

Test page: https://www.w3.org/2001/XMLSchema-instance

Result image

Chrome version: Version 62.0.3202.94 (Official Build) (64-bit)

stanislav-degtjarjov avatar Dec 09 '17 14:12 stanislav-degtjarjov

I cannot find Google documentation showing that it is possible to filter by content type: https://developer.chrome.com/apps/manifest. We probably need to change the JS part so that it does not inject into HTML.

metsma avatar Jan 09 '18 08:01 metsma

We are having the same issue: this extension is injecting JS code into our emails in the Mautic software (while editing email content/template). This affects our email deliverability, as all outgoing emails from Mautic end up in the receiver's spam folder because of this JS code. We cannot even disable this extension in the Google Chrome browser; the solution would be to uninstall the eID software, which we do not want to do because we need to sign documents too. The raw MIME part of one such email, with the injected script in its <head>, follows:

--_=_swift_1668510684_7119536567990e726f3ae2452431232c_=_
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><!DOCTYPE html><html lang=3D"en" xmlns=3D"http://www.w3.org/=
1999/xhtml" xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schema=
s-microsoft-com:office:office" class=3D" responsejs " style=3D""><head><scr=
ipt type=3D"text/javascript">// Promises=20
var _eid_promises =3D {};=20
// Turn the incoming message from extension=20
// into pending Promise resolving=20
window.addEventListener("message", function(event) {=20
    if(event.source !=3D=3D window) return;=20
    if(event.data.src &amp;amp;&amp;amp; (event.data.src =3D=3D=3D "backgro=
und.js")) {=20
        console.log("Page received: ");=20
        console.log(event.data);=20
        // Get the promise=20
        if(event.data.nonce) {=20
            var p =3D _eid_promises[event.data.nonce];=20
            // resolve=20
            if(event.data.result =3D=3D=3D "ok") {=20
                if(event.data.signature !=3D=3D undefined) {=20
                    p.resolve({hex: event.data.signature});=20
                } else if(event.data.version !=3D=3D undefined) {=20
                    p.resolve(event.data.extension + "/" + event.data.versi=
on);=20
                } else if(event.data.cert !=3D=3D undefined) {=20
                    p.resolve({hex: event.data.cert});=20
                } else {=20
                    console.log("No idea how to handle message");=20
                    console.log(event.data);=20
                }=20
            } else {=20
                // reject=20
                p.reject(new Error(event.data.result));=20
            }=20
            delete _eid_promises[event.data.nonce];=20
        } else {=20
            console.log("No nonce in event msg");=20
        }=20
    }=20
}, false);=20
=20
=20
function TokenSigning() {=20
    function nonce() {=20
        var val =3D "";=20
        var hex =3D "abcdefghijklmnopqrstuvwxyz0123456789";=20
        for(var i =3D 0; i &amp;lt; 16; i++) val +=3D hex.charAt(Math.floor=
(Math.random() * hex.length));=20
        return val;=20
    }=20
=20
    function messagePromise(msg) {=20
        return new Promise(function(resolve, reject) {=20
            // amend with necessary metadata=20
            msg["nonce"] =3D nonce();=20
            msg["src"] =3D "page.js";=20
            // send message=20
            window.postMessage(msg, "*");=20
            // and store promise callbacks=20
            _eid_promises[msg.nonce] =3D {=20
                resolve: resolve,=20
                reject: reject=20
            };=20
        });=20
    }=20
    this.getCertificate =3D function(options) {=20
        var msg =3D {type: "CERT", lang: options.lang, filter: options.filt=
er};=20
        console.log("getCertificate()");=20
        return messagePromise(msg);=20
    };=20
    this.sign =3D function(cert, hash, options) {=20
        var msg =3D {type: "SIGN", cert: cert.hex, hash: hash.hex, hashtype=
: hash.type, lang: options.lang, info: options.info};=20
        console.log("sign()");=20
        return messagePromise(msg);=20
    };=20
    this.getVersion =3D function() {=20
        console.log("getVersion()");=20
        return messagePromise({=20
            type: "VERSION"=20
        });=20
    };=20
}</script><script type=3D"text/javascript">// Promises=20
var _eid_promises =3D {};=20
// Turn the incoming message from extension=20
// into pending Promise resolving=20
window.addEventListener("message", function(event) {=20
    if(event.source !=3D=3D window) return;=20
    if(event.data.src &amp;amp;amp;amp;&amp;amp;amp;amp; (event.data.src =
=3D=3D=3D "background.js")) {=20
        console.log("Page received: ");=20
        console.log(event.data);=20
        // Get the promise=20
        if(event.data.nonce) {=20
            var p =3D _eid_promises[event.data.nonce];=20
            // resolve=20
            if(event.data.result =3D=3D=3D "ok") {=20
                if(event.data.signature !=3D=3D undefined) {=20
                    p.resolve({hex: event.data.signature});=20
                } else if(event.data.version !=3D=3D undefined) {=20
                    p.resolve(event.data.extension + "/" + event.data.versi=
on);=20
                } else if(event.data.cert !=3D=3D undefined) {=20
                    p.resolve({hex: event.data.cert});=20
                } else {=20
                    console.log("No idea how to handle message");=20
                    console.log(event.data);=20
                }=20
            } else {=20
                // reject=20
                p.reject(new Error(event.data.result));=20
            }=20
            delete _eid_promises[event.data.nonce];=20
        } else {=20
            console.log("No nonce in event msg");=20
        }=20
    }=20
}, false);=20
function TokenSigning() {=20
    function nonce() {=20
        var val =3D "";=20
        var hex =3D "abcdefghijklmnopqrstuvwxyz0123456789";=20
        for(var i =3D 0; i &amp;amp;amp;lt; 16; i++) val +=3D hex.charAt(Ma=
th.floor(Math.random() * hex.length));=20
        return val;=20
    }=20
    function messagePromise(msg) {=20
        return new Promise(function(resolve, reject) {=20
            // amend with necessary metadata=20
            msg["nonce"] =3D nonce();=20
            msg["src"] =3D "page.js";=20
            // send message=20
            window.postMessage(msg, "*");=20
            // and store promise callbacks=20
            _eid_promises[msg.nonce] =3D {=20
                resolve: resolve,=20
                reject: reject=20
            };=20
        });=20
    }=20
    this.getCertificate =3D function(options) {=20
        var msg =3D {type: "CERT", lang: options.lang, filter: options.filt=
er};=20
        console.log("getCertificate()");=20
        return messagePromise(msg);=20
    };=20
    this.sign =3D function(cert, hash, options) {=20
        var msg =3D {type: "SIGN", cert: cert.hex, hash: hash.hex, hashtype=
: hash.type, lang: options.lang, info: options.info};=20
        console.log("sign()");=20
        return messagePromise(msg);=20
    };=20
    this.getVersion =3D function() {=20
        console.log("getVersion()");=20
        return messagePromise({=20
            type: "VERSION"=20
        });=20
    };=20
}</script><script type=3D"text/javascript">// Promises=20
var _eid_promises =3D {};=20
// Turn the incoming message from extension=20
// into pending Promise resolving=20
window.addEventListener("message", function(event) {=20
    if(event.source !=3D=3D window) return;=20
    if(event.data.src &amp;amp;amp;amp;amp;&amp;amp;amp;amp;amp; (event.dat=
a.src =3D=3D=3D "background.js")) {=20
        console.log("Page received: ");=20
        console.log(event.data);=20
        // Get the promise=20
        if(event.data.nonce) {=20
            var p =3D _eid_promises[event.data.nonce];=20
            // resolve=20
            if(event.data.result =3D=3D=3D "ok") {=20
                if(event.data.signature !=3D=3D undefined) {=20
                    p.resolve({hex: event.data.signature});=20
                } else if(event.data.version !=3D=3D undefined) {=20
                    p.resolve(event.data.extension + "/" + event.data.versi=
on);=20
                } else if(event.data.cert !=3D=3D undefined) {=20
                    p.resolve({hex: event.data.cert});=20
                } else {=20
                    console.log("No idea how to handle message");=20
                    console.log(event.data);=20
                }=20
            } else {=20
                // reject=20
                p.reject(new Error(event.data.result));=20
            }=20
            delete _eid_promises[event.data.nonce];=20
        } else {=20
            console.log("No nonce in event msg");=20
        }=20
    }=20
}, false);=20
function TokenSigning() {=20
    function nonce() {=20
        var val =3D "";=20
        var hex =3D "abcdefghijklmnopqrstuvwxyz0123456789";=20
        for(var i =3D 0; i &amp;amp;amp;amp;lt; 16; i++) val +=3D hex.charA=
t(Math.floor(Math.random() * hex.length));=20
        return val;=20
    }=20
    function messagePromise(msg) {=20
        return new Promise(function(resolve, reject) {=20
            // amend with necessary metadata=20
            msg["nonce"] =3D nonce();=20
            msg["src"] =3D "page.js";=20
            // send message=20
            window.postMessage(msg, "*");=20
            // and store promise callbacks=20
            _eid_promises[msg.nonce] =3D {=20
                resolve: resolve,=20
                reject: reject=20
            };=20
        });=20
    }=20
    this.getCertificate =3D function(options) {=20
        var msg =3D {type: "CERT", lang: options.lang, filter: options.filt=
er};=20
        console.log("getCertificate()");=20
        return messagePromise(msg);=20
    };=20
    this.sign =3D function(cert, hash, options) {=20
        var msg =3D {type: "SIGN", cert: cert.hex, hash: hash.hex, hashtype=
: hash.type, lang: options.lang, info: options.info};=20
        console.log("sign()");=20
        return messagePromise(msg);=20
    };=20
    this.getVersion =3D function() {=20
        console.log("getVersion()");=20
        return messagePromise({=20
            type: "VERSION"=20
        });=20
    };=20
}</script>
    <title>
        [TEST] DE / BENELUX - AT / IT roundtrips, price: 1.32=E2=82=AC/km (=
empty and loaded)
    </title>
    <meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge" />
    <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-8=
" />
    <meta name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=
=3D1" />
    <link href=3D"https://fonts.googleapis.com/css?family=3DOpen+Sans:300,4=
00,500,700" rel=3D"stylesheet" type=3D"text/css" />
    <style type=3D"text/css">
        #outlook a {
            padding: 0;
        }

matbcvo avatar Nov 15 '22 11:11 matbcvo

Thank you for the feedback. I will close this issue since the active development and management of the Token Signing component has ended due to the transition to the new web authentication and signing solution (Web eID). We are happy to accept your proposals in the new Web eID project repository: https://github.com/web-eid.

kristelmerilain avatar Sep 01 '23 05:09 kristelmerilain