freelawproject / recap

This repository is for filing issues on any RECAP-related effort.
https://free.law/recap/

Chrome 79 (planned Dec. 10th) badly breaks RECAP #280

Closed mlissner closed 4 years ago

mlissner commented 4 years ago

As described in #279, Chrome 79 will badly break RECAP. The reason for this is because we make requests from the extension's content script to the PACER websites. Previously, Chrome did not consider this a cross-origin request (or at least, Chrome allowed it), but starting in Chrome 79, this will no longer work.

These changes are described here: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

The solution to all this is to either get PACER to support CORS requests from RECAP (haha!) or to stop sending XHR requests to PACER from our content script. The way to do that is to move all those requests to our background script, and to make those requests via message passing to the background page.
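
The background-page side of the relay described in the comment above, as an added example that is not part of the original thread and not RECAP's own code. The `pacerFetch` message type, the `.uscourts.gov` host suffix check and the function names are assumptions; because the background page is exempt from CORS, it validates the target before fetching rather than trusting whatever URL the content script sends.

```javascript
// Added example (not RECAP code): background-page half of a
// content-script -> background fetch relay.
// ALLOWED_HOST_SUFFIX and the "pacerFetch" message type are assumptions.
const ALLOWED_HOST_SUFFIX = ".uscourts.gov";

// Accept only https URLs, without embedded credentials, whose host ends
// with the allowed suffix. Returns a URL object, or null if rejected.
function validateTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  if (!url.hostname.endsWith(ALLOWED_HOST_SUFFIX)) return null;
  return url;
}

// Perform exactly one request on behalf of the content script.
// fetchImpl is injectable so the logic can be exercised outside a browser.
async function handlePacerFetch(msg, fetchImpl) {
  if (!msg || msg.type !== "pacerFetch") return { ok: false, error: "unknown message" };
  const url = validateTarget(msg.url);
  if (!url) return { ok: false, error: "target not allowed" };
  const method = msg.method === "POST" ? "POST" : "GET";
  const resp = await fetchImpl(url.href, {
    method,
    body: method === "POST" ? msg.body : undefined,
    credentials: "include", // reuse the user's existing session cookies
  });
  return {
    ok: true,
    status: resp.status,
    contentType: resp.headers.get("content-type"),
    // Text only here; a binary body such as a PDF needs an encoding step
    // before it can be passed through extension messaging.
    body: await resp.text(),
  };
}

// Register the listener only when running inside an extension.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    handlePacerFetch(msg, fetch).then(sendResponse, (e) =>
      sendResponse({ ok: false, error: String(e) }));
    return true; // keep the message channel open for the async reply
  });
}
// Content script side:
//   chrome.runtime.sendMessage({ type: "pacerFetch", url, method, body }, callback)
```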

knowtheory commented 4 years ago

To add some detail:

The way that RECAP works is to intercept form submission (by overriding submit on the form prototype on the page. I'm still 😱 about this†), and then fire off an AJAX request to the form target. The results from the AJAX request are either an interstitial page, a PDF, or an HTML page w/ a PDF iframed into it. The PDF data is pulled out of the response (or subsequent pages), and then processed & handled.

I don't know offhand whether the extension's background workers have the same origin as the content script on page, and we'll need to find out. If the background workers don't, then we'll need to figure out what CMECF/PACER/individual courts do about restricting request origins/CSRF, and if it's possible to do cross-origin requests, and if it's feasible to hand credentials from the page & the content script to a background worker.

† It's important to fire a single request on behalf of users and intercept the results because making a second request would incur additional costs to the user.

mlissner commented 4 years ago

I think the answer to whether background pages have the same origin is in the docs above:

> Extension pages, such as background pages, popups, or options pages, are unaffected by this change and will continue to be allowed to bypass CORS for cross-origin requests as they do today.

Then later:

> When cross-origin fetches are needed, perform them from the extension background page rather than in the content script. Relay the response to the content scripts as needed (e.g., using extension messaging APIs).

Or am I missing something?

knowtheory commented 4 years ago

Oh yep, that top graf is the operative one. Okay, I'm less worried then.

mlissner commented 4 years ago

OK, so @semenko has been poking at this, and he can't reproduce it. And I've been poking at it, and I can't reproduce it, so this is just generally frustrating, since we knew we had this issue previously. I even just ran:

google-chrome-unstable --force-empty-corb-allowlist --enable-features=NetworkService

Then checked:

https://ecf.cacd.uscourts.gov/doc1/031031686578?caseid=748605

And still, it works fine. I'm not sure what to make of this.

mlissner commented 4 years ago

For lack of a better solution, I'm going to monitor this weekly. Seems like Chrome decided the way we do it is fine for some strange reason.

mlissner commented 4 years ago

2019-11-18: Still fine.

mlissner commented 4 years ago

2019-12-05: Still fine.

mlissner commented 4 years ago

Well, Chrome 79 is out. Closing for now, though its specter remains.