Modifying Navigator Object Topic is solved

Talk about code development, features, specific bugs, enhancements, patches, and similar things.
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.

This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.

Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
User avatar
RealityRipple
Astronaut
Astronaut
Posts: 644
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Modifying Navigator Object

Unread post by RealityRipple » 2021-06-19, 20:52

I'm working on an extension to add support for a new function in the "navigator" object, but I can't get it to show up in the window.navigator instances which webpages access, only in the global navigator object or its prototype, which I don't want. Is there any way to modify the navigator object before a window instantiates it or otherwise add to it despite it being read-only?

New Tobin Paradigm

Re: Modifying Navigator Object

Unread post by New Tobin Paradigm » 2021-06-19, 22:17

I don't think so.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35402
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Modifying Navigator Object

Unread post by Moonchild » 2021-06-19, 22:51

Indeed not possible as far as I know. It's a read-only IDL interface, all that's hard-coded.
Why not use your own namespace anyway?
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
RealityRipple
Astronaut
Astronaut
Posts: 644
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Re: Modifying Navigator Object

Unread post by RealityRipple » 2021-06-19, 22:58

Moonchild wrote:
2021-06-19, 22:51
Why not use your own namespace anyway?
Because I'm implementing a draft spec, not creating something private, and the spec says the function should be a child of a new object in "navigator". It's a really shitty spec, anyway, tho.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35402
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Modifying Navigator Object

Unread post by Moonchild » 2021-06-19, 23:09

It'd probably help if you'd be less vague about what you're trying to implement ;)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
RealityRipple
Astronaut
Astronaut
Posts: 644
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Re: Modifying Navigator Object

Unread post by RealityRipple » 2021-06-19, 23:22


New Tobin Paradigm

Re: Modifying Navigator Object

Unread post by New Tobin Paradigm » 2021-06-19, 23:24

What garbage..

User avatar
RealityRipple
Astronaut
Astronaut
Posts: 644
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Re: Modifying Navigator Object

Unread post by RealityRipple » 2021-06-19, 23:29

Like I said. However, it's better than the bottom third of every page being covered by a banner, so I figured I'd get something that can say "no" to sites that might end up supporting it as soon as I could.

Edit: Their site has a Firefox WebExtension mockup which does some of the most nasty JS proxying ever. If I were an AV suite, I'd mark that code as malicious. Literally funnels all page scripting through a function just so it can overwrite navigator.

User avatar
seadragon
Hobby Astronomer
Hobby Astronomer
Posts: 20
Joined: 2021-06-18, 04:39

Re: Modifying Navigator Object

Unread post by seadragon » 2021-06-20, 03:43

I don't believe this is any kind of web standard (now)... You can wait until other browsers implement it, if they do.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35402
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Modifying Navigator Object

Unread post by Moonchild » 2021-06-20, 07:10

RealityRipple wrote:
2021-06-19, 23:29
it's better than the bottom third of every page being covered by a banner,
Sites will do that anyway (despite this implementation) to cover their ass because CEOs who don't know will tell their web people to.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
RealityRipple
Astronaut
Astronaut
Posts: 644
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Re: Modifying Navigator Object

Unread post by RealityRipple » 2021-06-24, 19:56

I think I found a safe way to do this:

Code: Select all

var cls =
{
 init: function()
 {
  observerService.addObserver(cls.documentCreated, 'content-document-global-created', false);
 },
 documentCreated:
 {
  observe: function(subject, topic, data)
  {
   if (topic !== 'content-document-global-created')
    return;
   if (!(subject instanceof Window))
    return;
   if (!(subject.navigator instanceof Navigator))
    return;
   let nav = Components.utils.waiveXrays(subject.navigator);
   let dpc = {
    request: function(consentRequestsList)
    {
     let p = new subject.Promise((resolve, reject) => {
      resolve('dummy');
     });
     return p;
    }
   };
   let dpclone = Components.utils.cloneInto(dpc, nav, {cloneFunctions: true});
   nav.dataProtectionControl = dpclone;
  }
 }
}
addEventListener('load', cls.init, false);
Last edited by RealityRipple on 2021-06-25, 01:23, edited 3 times in total.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35402
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Modifying Navigator Object

Unread post by Moonchild » 2021-06-25, 00:16

Just be sure you fully understand the impact of waiveXrays().
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
RealityRipple
Astronaut
Astronaut
Posts: 644
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Re: Modifying Navigator Object

Unread post by RealityRipple » 2021-06-25, 00:26

Yeah, it's pretty scary. But as long as it's only passed around directly from function to function, and not used as the parent of anything, no other extensions should be able to access it, let alone content code. I think. Promises don't have a "parent" property, do they? Pretty sure that would be the only place it would potentially get dicey.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35402
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Modifying Navigator Object

Unread post by Moonchild » 2021-06-25, 00:35

Yeah just makes sure you aren't using it on anything that has sensitive stuff in it or its children. Waiving Xrays is transitive. So... NEVER use it on a global or window object, or something that inherits a global or window object or you'll expose internal/chrome APIs to content and that is something you want to avoid at all costs. So please examine closely what "subject" you pass in here. I'd be more at ease if you actually do a sanity check on the subject first so that nothing else can be passed into that function and have its Xray vision waived. (i.e.: check if the subject is what you expect and bail with an error otherwise, so no other code can abuse your extension as a security hole).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
RealityRipple
Astronaut
Astronaut
Posts: 644
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Re: Modifying Navigator Object

Unread post by RealityRipple » 2021-06-25, 00:59

Ah shit. Subject's an nsIDOMWindow for content-document-global-created. I'll have to see exactly what needs to get through Xray vision and just waive that object/those objects.

Edit: Switched to waiveXrays(subject.navigator) instead. It triggers a
Security wrapper denied access to property "then" on privileged Javascript object. Support for exposing privileged objects to untrusted content via __exposedProps__ is being gradually removed - use WebIDL bindings or Components.utils.cloneInto instead. Note that only the first denied property access from a given global object will be reported.
warning but the destination page still gets the result as expected. If I can make the promise on a content object instead of the window, maybe it'll silence it...

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35402
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Modifying Navigator Object

Unread post by Moonchild » 2021-06-25, 02:09

You create the promise as subject.Promise which is a promise on the nsIDOMWindow object. So that is outside of the transitive scope. If you fix that (somehow!) then I guess you'll be avoiding privilege bleed and the warning would go away.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
RealityRipple
Astronaut
Astronaut
Posts: 644
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Re: Modifying Navigator Object

Unread post by RealityRipple » 2021-06-25, 02:37

I was hoping either "content" or "subject.content" would point to the document's context of "window" rather than chromespace's. It appears they do not. This is gonna be annoying.

Edit:
I just tried passing the window object from the page's javascript as a second parameter to request(), and got the same warning. The console printout of it also looks pretty identical to subject.

The weird thing is I'd expect not to get a return value in the page script if it actually denied access to the "then" property like it says, but the response is spit out just fine, before the warning even.

Even weirder, when I actually use ".then()", no warning shows up. Only when I use "await". Something to do with the context of async/await's underlying system?

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35402
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Modifying Navigator Object

Unread post by Moonchild » 2021-06-25, 08:10

Why are you using promises anyway for this?
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
RealityRipple
Astronaut
Astronaut
Posts: 644
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California
Contact:

Re: Modifying Navigator Object

Unread post by RealityRipple » 2021-06-25, 14:45

The request() function has to be async by spec (and so it waits while the user is shown a doorhanger or prompt dialog). I can't define request() as a normal async function because its "then" doesn't get exposed to the content script at all if I do.

Off-topic:
Tbh I'm thinking this is already more trouble than it's worth for this shit demi-standard, even if you can do fun things like this with it:

Image

New Tobin Paradigm

Re: Modifying Navigator Object

Unread post by New Tobin Paradigm » 2021-06-25, 16:53

Wait a fucking minute. You are spawning doorhangers from isolated content code?

Locked