duckduckgo / duckduckgo-privacy-extension

DuckDuckGo Privacy Essentials browser extension for Firefox, Chrome.
https://duckduckgo.com/app
Apache License 2.0

StackOverflow code appearing issue #1819

Open jthornton-0 opened 1 year ago

jthornton-0 commented 1 year ago

Description

When using certain websites like StackExchange (Tex.SE, Meta.SE, SO.SE), the application is causing a box of code to appear when clicking on the global inbox like so:

image

Those lines of code should not appear and it is apparently a bug on DuckDuckGo's side (the StackOverflow answer here and the answer to my Meta StackExchange question here explain in further detail that I cannot claim experience with).

Steps to Reproduce

  1. Have the latest version of DuckDuckGo privacy extension
  2. Go on StackOverflow
  3. Click on the global inbox

Expected behavior: For there to be no code and for inbox to open without taking vertical space from the screen.

Actual behavior: The bug causes lines of code to appear due to this answer by Kaiido:

This is caused by your DuckDuckGo Privacy extension.

What happens is that they overwrite the document.createElement() method. In some cases that they believe are "interesting", they'll change the returned value of this method to a custom <ddg-runtime-checks> element. One such "interesting" condition according to them is when a script originating from ajax.googleapis.com calls this method with a "script" argument. The custom element will then itself act as proxy to the original element that should have been created. This allows them to catch all the modifications that are done on this element (apparently, it's mainly to read the src attribute of <script> tags).
Where this becomes problematic is that jQuery does need to create a dummy <script> element to check the default visibility of the element when we call $elem.toggle(), which is supposed to toggle the visibility of the elements in the jQuery object. The extension's script will replace the <script> element with its own proxy element, and will return a wrong "block" value for the display computed value, which should have been "none". So when jQuery will check if .toggle() should show the <script> element, it will think that yes, this element is normally visible, and thus needs to be shown, when actually, it shouldn't.

So, this is not a bug in Stack Overflow's script. You may want to let the authors of this extension know about this issue though, as they may not be aware of it and might want to fix it. If you do so, feel free to link them to this post. I guess they need to better handle the calls to getComputedStyle() so that their custom element returns the value of the proxified element.

Versions

Additional Information

The linked answers seem to diagnose the issues. I cannot replicate the issue on other sites, but as StackOverflow and co are widely used, and so is your application, it may be significant.

I will also say that this is a very new issue; I cannot recall this from a few days ago, but the user in the StackOverflow Meta question reported it 7/8 days ago.
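
The failure mode described in the quoted answer, as an added example that is not part of the issue thread or the extension's code: a constructed DOM stand-in (`FakeElement`, `UA_DISPLAY` and every function name here are assumptions) shows a jQuery-style default-display probe returning "block" once `createElement` is hooked, and "none" again when `getComputedStyle` resolves the proxy to the element it stands in for.

```javascript
// Constructed stand-in for the browser DOM so this runs in Node; not the extension's code.
// Display defaults follow the quoted answer: <script> computes to "none", while the
// proxy element computes to "block".
const UA_DISPLAY = { script: 'none', div: 'block', 'ddg-runtime-checks': 'block' };

class FakeElement {
  constructor(tag) { this.tagName = tag; this.attrs = {}; }
  setAttribute(name, value) { this.attrs[name] = value; }
}

const PROXIED = new WeakMap(); // proxy element -> real element it stands in for

const nativeCreateElement = (tag) => new FakeElement(tag);
const nativeGetComputedStyle = (el) => ({ display: UA_DISPLAY[el.tagName] ?? 'inline' });

// Hook of the kind the answer describes: a "script" request returns a proxy element
// that records attribute writes and forwards them to the real <script>.
function hookedCreateElement(tag) {
  if (tag !== 'script') return nativeCreateElement(tag);
  const proxy = nativeCreateElement('ddg-runtime-checks');
  const real = nativeCreateElement('script');
  proxy.observed = [];
  proxy.setAttribute = (name, value) => {
    proxy.observed.push([name, value]);
    real.setAttribute(name, value);
  };
  PROXIED.set(proxy, real);
  return proxy;
}

// Mitigation the answer suggests: style queries resolve a proxy to its real element.
function transparentGetComputedStyle(el) {
  return nativeGetComputedStyle(PROXIED.get(el) ?? el);
}

// Simplified jQuery-style probe: create a throwaway element, read its default display.
function defaultDisplay(tag, createElement, getComputedStyle) {
  return getComputedStyle(createElement(tag)).display;
}

function demo() {
  return {
    baseline: defaultDisplay('script', nativeCreateElement, nativeGetComputedStyle),
    hooked: defaultDisplay('script', hookedCreateElement, nativeGetComputedStyle),
    fixed: defaultDisplay('script', hookedCreateElement, transparentGetComputedStyle),
  };
}

console.log(demo());
```

The same three-way comparison works as a compatibility regression test for any API hook that substitutes returned objects: every observable query on the substitute should match the unhooked baseline.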

jonathanKingston commented 1 year ago

Hey!

Thanks for the detailed report here! We've remotely disabled the changes on Stack Exchange so that it's not causing an issue. We're going to roll out a fix for this soon.

Thanks!

gparyani commented 1 year ago

@jonathanKingston For completeness's sake, Stack Exchange Q&A sites are also hosted on the domains mathoverflow.net, askubuntu.com, superuser.com, serverfault.com, and stackapps.com. Even with the fix in place, users using one of these other sites will continue to face the bug until a fix is deployed.

Can those sites please be added to the list?

jthornton-0 commented 1 year ago

@gparyani I came here to add that this issue still exists on superuser.com, hopefully will be fixed soon:

image

gparyani commented 1 year ago

@jthornton-0 It was worked around for Super User and the other four sites earlier this week, per the above code change.

codeguru42 commented 1 year ago

I am still seeing this issue on Stack Overflow. I have version 2023.4.11 of this extension installed.

jonathanKingston commented 1 year ago

@codeguru42 this should now be fixed, sorry I forgot to turn the fix back on via the config when removing the mitigations for Chrome. 🤦🏻