-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enabling users to remove window.ipfs
attribute
#451
Comments
Now that we have different manifests for different builds we could fix this in Firefox by moving the |
This change enables Firefox users to disable creation of window.ipfs, solving fingerprinting issue raised in: #451 The key difference between tabs.executeScript and contentScripts API is that the latter provides guarantee to execute before anything else. Chrome does not provide contentScripts API and we need to statically load content_script via manifest. More info on the underlying issue: #368 #362 (comment)
This change enables Firefox users to disable creation of window.ipfs, solving fingerprinting issue raised in: #451 The key difference between tabs.executeScript and contentScripts API is that the latter provides guarantee to execute before anything else. Chrome does not provide contentScripts API and we need to statically load content_script via manifest. More info on the underlying issue: #368 #362 (comment)
This change enables Firefox users to disable creation of window.ipfs, solving fingerprinting issue raised in: #451 The key difference between tabs.executeScript and contentScripts API is that the latter provides guarantee to execute before anything else. Chrome does not provide contentScripts API and we need to statically load content_script via manifest. More info on the underlying issue: #368 #362 (comment)
This PR enables Firefox users to disable creation of `window.ipfs` attribute via _Preferences_ screen, solving fingerprinting issue raised in #451. It requires webpack, so should be merged after #498 ### Background Existing `tabs.executeScript` API with `runAt: 'document_start'` flag was executing too late and page scripts were unable to detect `window.ipfs` correctly. More info on the underlying issue: #368 #362 (comment) As a workaround that worked in both Chrome and Firefox, we were forced to always load content script via manifest definition. This meant no control over when it is loaded and no easy off switch. If `window.ipfs` was disabled via _Preferences_, it was throwing an Error on access, but remained in the scope. Mozilla added [`contentScripts`](https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/contentScripts/register) API in Firefox 59. The key difference between `tabs.executeScript` and `contentScripts` API is that the latter provides guarantee to execute before anything else on the page, passing [our synchronous smoke test](https://ipfs-shipyard.github.io/ipfs-companion/docs/examples/window.ipfs-fallback.html). ### Known Issues Chrome does not provide `contentScripts` API so it will continue to statically load `content_script` via manifest. Hopefully with time, other browser vendors will adopt the new API.
Enabling users to remove
|
window.ipfs
attribute
That is a valid point.
window.ipfs
is always present (even if access is disabled via Preferences), and can be used for fingerprinting.window.ipfs
should not be created ifwindow.ipfs
is disabled via Preferences.The text was updated successfully, but these errors were encountered: