Closed MicahZoltu closed 1 month ago
@MicahZoltu do you have an example of an extension that you did this with? Also where did you configure the "On Click"? I didn't see anything under brave://extensions/ (for extensions I had installed) and I didn't see anything under brave://settings/content
cc: @jonathansampson
@bsclifton you can install an extension like https://chromewebstore.google.com/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp and then go to brave://extensions/?id=pkehgijcmpdhfbdbbnkijodmdjhbjlgp and click this:
this is a security issue (IPFS/IPNS sites can bypass a user security setting) so i'm marking it p2.
cc @vadimstruts @SergeyZhukovsky
Hi @MicahZoltu, I tried to reproduce the problem following your steps, but everything seems to be working fine. Can you please look at the following videos? Maybe I did something wrong:
On Linux: https://github.com/brave/brave-browser/assets/118171981/f8ee5bcf-e1df-4f10-8fc5-1ccb06cecf9f
On Windows: https://github.com/brave/brave-browser/assets/118171981/c422fbad-a00f-4e45-97d1-fcb223983b3a
Hmm, that is bizarre, but I was able to narrow the issue further to hopefully help you reproduce. I watched your videos and everything on my end is exactly the same. I just tested with Privacy Badger extension specifically, and I get the same behavior as you. However, with 3 other extensions I get the reported behavior. 2 of them are installed off disk, one is installed from the store.
One thing that may be relevant is that all 3 of these extensions are Ethereum wallets. My settings at the time I reproduced this in Brave > Settings > Web3 for Default Ethereum wallet is "Extensions (no fallback)", in case that matters for reproducing.
Also not sure if it matters, but all three of them inject a content script that injects a script tag into the page.
Hi @MicahZoltu,
Could you please send me a screenshot of the page brave://extensions/ and the "Details" for extension "1. The Firefox version of this extension (manifest v2) https://github.com/DarkFlorist/TheInterceptor/releases/tag/v0.0.79"?
Another interesting thing, it doesn't appear the extensions are actually injecting their content scripts into the page at all, even when clicked on. However, if I switch from "on click" to "on all sites" they start correctly injecting their content script into the page.
Given that, it may be possible to lower the priority from a security vulnerability to just a normal bug (though it will make me sad to see this go unfixed for longer). It seems that if you configure to "on click", these 3 extensions (at least) just stop working entirely for ipfs/ipns sites.
The IPFS local node and scheme have been deprecated.
Description
When navigating to an IPNS site with Brave, extensions that are configured to only have site access when "On click" appear to automatically get enabled.
Steps to Reproduce
Actual result:
Extensions are automatically enabled for all pages accessed via IPNS scheme.
Expected result:
Browsing via IPFS/IPNS functions the same as browsing via HTTP/HTTPS.
Reproduces how often:
100% of the time.
Brave version (brave://version info)
Brave | 1.62.156 Chromium: 121.0.6167.139 (Official Build) (64-bit)
Revision | 800674fc2c6162087525ed9b5bfc07230296b27d
OS | Windows 11 Version 23H2 (Build 22631.3007)
Version/Channel Information:
Unknown
Other Additional Information: