user.js: FYI: web_accessible_resources & UUID [Bug 1372288, 1405971]

NOTE: the vetting we did on system addons and some extensions is no longer maintained here, some checks were last updated in Feb 2018. It is up to you to vet your extensions for this issue.

Update (Dec 11th 2019)

1372288 - still open
1405971 - fixed FF73+

If we recommend a web extension, lets make sure it doesn’t leak UUIDs

@gorhill @mrdokenny @idlewan @tumpio @einaregilsson @meh @Synzvato @EFForg @kkapsner @greasemonkey @sibiantony

^^ sorry for all the @'s, hopefully this will bring it to your attention if you weren’t aware, and appreciate your time if you can spare it for a quick answer, otherwise we can dig in ourselves. This issue may be fixed by Mozilla, but it would be good to know if these WE’s are not affected, or can be fixed to not leak - thanks

Issue is here and some subsequent comments
PoC
ghacks article
Whitepaper
Update: 1372288 - ~~currently access denied, will be opened up soon~~
- Update2: 1405971

system addons

Activity Stream
Flyweb
Follow On Search
Form Autofill
Onboarding
Pocket
❌ Screenshots - requires user interaction with the WE - PoC
Shield
Web Compatibility Reporter

==> Screenshots is the only system addon affected ATM(!) ===> see .extension.getURL + path:browser/extensions/ web_accessible_resources

web extensions

CanvasBlocker - v0.4.0.2 has no web_accessible_resources
ClearURLs - v1.2 has no web_accessible_resources
Cookie Auto-Delete - v1.4.3 has no web_accessible_resources
Decentraleyes - v2.0.0beta1 * web_accessible_resources are declared but are never exposed to the DOM * see Synzvato’s comment below
Greasemonkey - v4.0 has no web_accessible_resources
Header Editor - v2.3.5 has no web_accessible_resources
HTTPS Everywhere - v2017.8.28.1337 has no web_accessible_resources
Link Cleaner - v1.5 has no web_accessible_resources - idlewan
Neat URL l - v2.0.5 has no web_accessible_resources
NoScript - v10.1.5.1 - has no web_accessible_resources
Request Control - v1.8.2 has no web_accessible_resources
Redirector - v3.1.0 has no web_accessible_resources
Skip Redirect - 2.2.1 has no web_accessible_resources
Smart Referer - v0.2.3 has no web_accessible_resources
ViolentMonkey - v2.8.10f - has no web_accessible_resources
uBlock Origin ¹
- starting with 1.15.7b0+ web_accessible_resources are declared but are never exposed to the DOM
- see gorhill’s comment below
uMatrix ¹ - does not declare web_accessible_resources - gorhill

^[1] and FYI the legacy versions do not expose resource://

other web ext

Stylus - v1.1.3.1 - has no web_accessible_resources

web extensions not ready yet

SSleuth - very unlikely to use web_accessible_resources - sibiantony

…

About this issue

Original URL
State: closed
Created 7 years ago
Comments: 30 (8 by maintainers)

Most upvoted comments

Update:

The manifest key web_accessible_resources is now declared in the dev build of uBO (1.15.7b0+).

This is the only solution for the following uBO’s issues:

And this will also be the only solution to fix:

https://github.com/gorhill/uBlock/issues/3497

Firefox

These web accessible resources are never exposed to the DOM – hence uBO’s unique extension id on Firefox cannot be seen by web pages (just as with Decentraleyes).

Chromium

uBlock Origin (or any extension) on Chromium is not assigned a unique extension id, it is assigned a static extension id, used by all installations of uBO. This means that a web page could try to fetch a resource known to be “web accessible” in order to directly find out that uBO is installed – hence more information for fingerprinting (see http://singularity.be/public/papers/extensions.pdf).

This is essentially that leakage of information that prevented me from using web_accessible_resources to solve the above listed issues – that is until the solution described below has been implemented.

uBO foils such information leak by requiring that the fetching of any web accessible resource be done using a secret, which secret is randomly generated at launch time. Without the secret, known only to uBO, the fetch will fail as if the resource does not exist, as if web_accessible_resources is not declared.

Demonstration of such direct detection which is foiled by uBO:

Install AdBlock from the Chrome store: https://chrome.google.com/webstore/detail/adblock/gighmmpiobklfepjocnamgkkbiglidom
Open a new tab to any web page, say https://news.ycombinator.com/
Open dev console of the web page (press F12)

Paste the following in the console and hit Enter:

var xhr = new XMLHttpRequest(); xhr.open(‘get’, ‘chrome-extension://gighmmpiobklfepjocnamgkkbiglidom/adblock-jquery-ui.custom.css’); xhr.onload = xhr.onerror = function(response) { console.log(‘AdBlock:’, (this.status===200 ? ‘DETECTED’ : ‘NOT detected’)); }; xhr.send();

Result if AdBlock is installed and enabled: AdBlock: DETECTED Result if AdBlock is not installed and enabled: AdBlock: NOT detected

However the above won’t work with uBO despite it now declaring web_accessible_resources:

Install uBO dev build from the Chrome store: https://chrome.google.com/webstore/detail/ublock-origin-dev-build/cgbcahbpdhpcegmbfconppldiemgcoii
Open a new tab to any web page, say https://news.ycombinator.com/
Open dev console of the web page (press F12)

Paste the following in the console and hit Enter:

var xhr = new XMLHttpRequest(); xhr.open(‘get’, ‘chrome-extension://cgbcahbpdhpcegmbfconppldiemgcoii/web_accessible_resources/to-import.txt’); xhr.onload = xhr.onerror = function(response) { console.log(‘uBO:’, (this.status===200 ? ‘DETECTED’ : ‘NOT detected’)); }; xhr.send();

Result if uBO dev build is installed and enabled: uBO: NOT detected Result if uBO dev build is not installed and enabled: uBO: NOT detected

Addendum (2018-02-17):

I experimented further with the case of XMLHttpRequest, which can expose the URL resulting from redirection (through responseURL, as noted by @Synzvato above), and I confirm that redirecting to “web accessible resources” for network requests of type xmlhttprequest will expose the extension id on both Firefox and Chromium.

As a result, I modified the code such that no redirection to web accessible resources will take place when dealing with xmlhttprequest – uBO will fall back to use data: URI in such case (uBO 1.15.7b2+). Redirecting to data: URI is currently broken on Firefox Nightly, but this is being addressed in https://bugzilla.mozilla.org/show_bug.cgi?id=1434357 (there is only a very few instances of such filter in uBO).

gorhill on Feb 17, 2018

Does someone know of another way to extract them?

@earthlng: Let me know. https://github.com/Theemim/GeckoScratchpadSnippets/blob/master/GeckoZipReader.js

Theemim on Sep 1, 2017

@Theemim holy shit man, you’re a fucking god! Thanks mate!! 👍 👍 👍 https://bugzilla.mozilla.org/show_bug.cgi?id=1352595 - it looks like, hopefully, for the time being it will only be used for nightly. Also found this: https://github.com/mcmilk/7-Zip-zstd/issues/26 (aaaaahhhhh shit, now I’ve cross-referenced it again! DOH!)

earthlng on Aug 31, 2017

Same with uMatrix, no web_accessible_resources, neither resource://.

gorhill on Aug 31, 2017

lets make sure it doesn’t leak UUIDs

uBO does not declare web_accessible_resources (webext), and neither expose resource:// (legacy) to outside world.

gorhill on Aug 31, 2017

In Link Cleaner’s case, it doesn’t inject anything into web pages and doesn’t have any web_accessible_resources, so it shouldn’t be affected.

idlewan on Aug 31, 2017

The system addons that came with nightly 57 can no longer be extracted with Windows Explorer on Win7. Do I really need to use a linux VM whenever I want to extract one of those bastards?! Does someone know of another way to extract them? Are there maybe even plans to pack normal addons in the same way in the future?! WTH mozilla, was that really necessary?!?

earthlng on Aug 30, 2017