languagetool-org / languagetool-browser-addon

LanguageTool Firefox and Chrome Add-on (OUTDATED)

Extension blocked by Content-Security-Policy (CSP) #234

Closed da2x closed 5 years ago

da2x commented 5 years ago
  1. Install the LanguageTool extension
  2. Open your browser developer console
  3. Open any page with a strict Content-Security-Policy (e.g. https://feed.ctrl.blog/latest)

Expected:

no problems.

Actual:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). latest:1:1
Content Security Policy: The page’s settings blocked the loading of a resource at data:font/woff2;base64,d09GMgABAAAAADKgA… (“default-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at data:font/woff2;base64,d09GMgABAAAAADB4A… (“default-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at data:font/woff2;base64,d09GMgABAAAAABDIA… (“default-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at data:font/woff2;base64,d09GMgABAAAAABkIA… (“default-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at data:font/woff2;base64,d09GMgABAAAAABqsA… (“default-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at data:font/woff2;base64,d09GMgABAAAAABUkA… (“default-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at data:font/woff2;base64,d09GMgABAAAAAB4AA… (“default-src”).

Some notes: Extensions are responsible for rewriting the Content-Security-Policy header to allow for injecting their content scripts and styles. You can see an example here.

Just drop the webfonts. The browser's default font is fine, right? Loading fonts on every page is bad for performance. Loading them as data strings also means they're not shared between tabs.

tiff commented 5 years ago

Just a quick note here: We can't do this because this would require us to change the permissions in the manifest.json to have the webRequest permission. Every user would need to confirm this in order to use the extension again.

tiff commented 5 years ago

I found a different way of solving this. Fonts aren't loaded anymore as a data URI but as a normal HTTP request. Whitelisting the source in the manifest.json (web_accessible_resources) helps to bypass the CSP of the website. Should be fixed with version 2.4 (will be released in the next 1-2 weeks).
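The console errors in the report and the fix described above both come down to which CSP directive governs each load and whether the page's policy lists a matching source. The following is an added example, not code from this issue or from the LanguageTool add-on: a small CSP evaluator in JavaScript (runs under Node) that works through the three loads in question. The policy string, page origin, extension ID, font path and manifest fragment are constructed for the example, and the exemption of extension-scheme URLs from the page's CSP is modelled as an explicit assumption about browser behaviour rather than derived from the policy.

```javascript
// Added example (not LanguageTool code): a small CSP evaluator that works out
// which directive governs a load and whether the page's policy permits it.
// It reproduces the three situations from this issue: an injected inline
// <style>, a font embedded as a data: URI, and a font served from the
// extension's own origin after it is listed in web_accessible_resources.

// Fetch directives that fall back to default-src when they are not set.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "font-src", "img-src", "connect-src", "media-src",
]);

// Assumption modelled explicitly: browsers exempt resources on their own
// extension scheme from the page's CSP, which is what makes the
// web_accessible_resources approach work. Not derived from the policy text.
const EXTENSION_SCHEMES = new Set(["chrome-extension:", "moz-extension:"]);

// "default-src 'self'; style-src 'self'" -> Map { default-src => ["'self'"], ... }
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// The directive that actually applies, honouring the default-src fallback,
// or null when the policy does not restrict that kind of load at all.
function effectiveDirective(policy, directive) {
  if (policy.has(directive)) return directive;
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) return "default-src";
  return null;
}

// Does one source expression match a URL? Supports 'none', 'self', '*',
// scheme sources ("data:", "https:") and host sources with an optional
// leading "*." and port. Paths and default-port normalisation are left out.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // nonces, hashes, 'unsafe-*' never match a URL
  if (source === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  const hostOk = wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
  if (!hostOk) return false;
  return !port || port === "*" || url.port === port;
}

// `load` is either { directive, inline: true } or { directive, url }.
// Returns { allowed, directive } where `directive` is the one that decided.
function evaluateLoad(policyHeader, pageOrigin, load) {
  const policy = parsePolicy(policyHeader);
  const directive = effectiveDirective(policy, load.directive);
  if (!directive) return { allowed: true, directive: null };
  const sources = policy.get(directive);
  if (load.inline) return { allowed: sources.includes("'unsafe-inline'"), directive };
  const url = new URL(load.url);
  if (EXTENSION_SCHEMES.has(url.protocol)) return { allowed: true, directive, exempt: true };
  return { allowed: sources.some((s) => sourceMatches(s, url, pageOrigin)), directive };
}

// MV2-style manifest fragment, constructed for this example (not the add-on's real manifest).
const manifest = { web_accessible_resources: ["fonts/*.woff2"] };

// MV2 web_accessible_resources entries are globs matched against the extension-relative path.
function isWebAccessible(mf, path) {
  return (mf.web_accessible_resources || []).some((glob) => {
    const escaped = glob.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
    return new RegExp("^" + escaped.join(".*") + "$").test(path);
  });
}

// Constructed strict policy standing in for the one served by the page in the report.
const STRICT_CSP = "default-src 'self'; style-src 'self'; img-src 'self' https:";
const PAGE_ORIGIN = "https://feed.ctrl.blog";

function runIssueCases() {
  const extId = "abcdefghijklmnopabcdefghijklmnop"; // placeholder, not LanguageTool's ID
  const fontPath = "fonts/lt-ui.woff2";             // assumed path inside the extension
  const extensionFont = isWebAccessible(manifest, fontPath)
    ? evaluateLoad(STRICT_CSP, PAGE_ORIGIN, { directive: "font-src", url: `chrome-extension://${extId}/${fontPath}` })
    : { allowed: false, directive: null, reason: "not listed in web_accessible_resources" };
  return {
    inlineStyle: evaluateLoad(STRICT_CSP, PAGE_ORIGIN, { directive: "style-src", inline: true }),
    dataFont: evaluateLoad(STRICT_CSP, PAGE_ORIGIN, { directive: "font-src", url: "data:font/woff2;base64,d09GMgAB" }),
    extensionFont,
  };
}

console.log(JSON.stringify(runIssueCases(), null, 2));
```

Two things the run makes visible: the data: font is refused under `default-src`, not `font-src`, because the constructed policy sets no `font-src` and the browser falls back, which is exactly the directive named in the reported console lines; and a resource only escapes the page's policy once it is both listed in `web_accessible_resources` and loaded from the extension's own scheme, at which point any page can fetch that URL too.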

da2x commented 5 years ago

Doesn't that approach expose users to tracking?

tiff commented 5 years ago

Unfortunately, usage of the LT add-on is easily detectable anyway. We modify the DOM structure around text fields. A website wouldn't need to check if a certain font is available; instead they could just use a text field and look for specific LT-related DOM elements.

If you've an idea on how to avoid this, I'm open to discussing it.