ruffle-rs / ruffle

A Flash Player emulator written in Rust
https://ruffle.rs

Breaks Tuxedo computer list #11906

Open LinAGKar opened 1 year ago

LinAGKar commented 1 year ago

Describe the bug

When going to the page https://www.tuxedocomputers.com/en/Linux-Hardware/Linux-Notebooks/Alle.tuxedo#!#1275,1319 with ruffle installed and "play flash content in Ruffle" enabled, nothing is listed. In the network panel I see it trying to load https://www.tuxedocomputers.com/en/Linux-Hardware/Linux-Notebooks/index.php?module=tuxedoList&type=api, and getting a 404, whereas without Ruffle it loads https://www.tuxedocomputers.com/index.php?module=tuxedoList&type=api

With Ruffle: Screenshot_20230705_084243

Without Ruffle: Screenshot_20230705_084009

Expected behavior

Ruffle should not affect the webpage at all. There is AFAIK no Flash content on the page

Affected platform

Browser's extension

Operating system

OpenSUSE Tumbleweed

Browser

Mozilla Firefox 114.0.2

Additional information

No response

n0samu commented 1 year ago

Somehow when Ruffle is enabled, the URL of the XMLHttpRequest is being set to index.php instead of /index.php. Their site JavaScript is very difficult to untangle though...

LinAGKar commented 1 year ago

As a Linux store doing a bunch of open-source stuff, maybe it's possible to ask for the source for their site

n0samu commented 1 year ago

That would be very much appreciated! Particularly the unminified version of https://www.tuxedocomputers.com/store_files/3/themes/tuxedo/js/min/js.min.js

torokati44 commented 1 year ago

You could also try emailing feedback@tuxedocomputers.com about this issue, with a link to here.

LinAGKar commented 1 year ago

I've sent them a support request

n0samu commented 1 year ago

I took another look at this and managed to figure out what the problem is. The problem starts with this code:

var DIR_WS_CATALOG;
$('script').each(
  function () {
    if (typeof $(this).attr('src') !== 'undefined') {
      var script = $(this).attr('src');
      DIR_WS_CATALOG = script.substr(0, script.indexOf('store_files'))
    }
  }
);

Later on, the DIR_WS_CATALOG is used like this:

$http.post(DIR_WS_CATALOG + 'index.php?module=cartAPI&type=api', params)

This means that the site's code determines the base URL to use for API requests by looking at the src attribute of the last script tag on the page that has an src attribute. It looks for the "store_files" string within the src to determine where the base URL ends. This is an extremely fragile and error-prone approach because it relies on the script tags on the page being in a certain order and none being added at the end. Furthermore, instead of verifying that the script tag's src attribute actually contains the "store_files" string, the code simply returns an empty string if it is not present.

Unfortunately the Ruffle extension's functionality depends on inserting a script tag into each page you visit. So when the Ruffle extension is enabled, the site's code tries to determine the API's base URL using the Ruffle extension's script tag. DIR_WS_CATALOG is set to the empty string instead of the expected value, /. That explains the wrong XMLHttpRequest that I observed before.

Working around this poor code is not really feasible, but we can add the site to our blacklist to prevent the extension from running on the site, if necessary. I would prefer if the site would fix their code though - it might even save them a headache or two in the future. 😉

Here is the simplest fix that comes to mind:

var DIR_WS_CATALOG;
$('script').each(
  function () {
    if (typeof $(this).attr('src') !== 'undefined' && $(this).attr('src').indexOf('store_files') !== -1) {
      var script = $(this).attr('src');
      DIR_WS_CATALOG = script.substr(0, script.indexOf('store_files'))
    }
  }
);
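
Added example, not part of the original comment and not the site's or Ruffle's code: it replays the base-URL derivation described above with and without an extension-injected script tag, and resolves the resulting request URL against the page URL from the report. The extension script URL is a constructed placeholder, and `baseFromMarkedScript` is a hypothetical stricter variant that goes beyond the posted fix by failing closed when the base is missing or ambiguous.

```javascript
// Added example. Script src values are modelled as an array so this runs in
// Node without a DOM or jQuery; `undefined` stands for an inline script.
const PAGE_URL =
  'https://www.tuxedocomputers.com/en/Linux-Hardware/Linux-Notebooks/Alle.tuxedo';
const API_PATH = 'index.php?module=tuxedoList&type=api';

// The site's own script (path taken from this thread) plus an inline script.
const siteScripts = [
  '/store_files/3/themes/tuxedo/js/min/js.min.js',
  undefined,
];
// Constructed placeholder for a script tag appended by a browser extension.
const withExtension = [
  ...siteScripts,
  'moz-extension://00000000-0000-0000-0000-000000000000/placeholder.js',
];

// Logic as posted (substring behaves like the posted substr here): each script
// with a src overwrites the result, so the last one wins, and -1 yields ''.
function baseFromLastScript(srcs) {
  let base;
  for (const src of srcs) {
    if (typeof src !== 'undefined') {
      base = src.substring(0, src.indexOf('store_files'));
    }
  }
  return base;
}

// Stricter variant (assumption, not the site's code): ignore scripts without
// the marker and refuse to guess when zero or several bases are found.
function baseFromMarkedScript(srcs, marker = 'store_files') {
  const bases = new Set();
  for (const src of srcs) {
    if (typeof src !== 'string') continue;
    const i = src.indexOf(marker);
    if (i !== -1) bases.add(src.substring(0, i));
  }
  if (bases.size !== 1) {
    throw new Error(`expected exactly one base URL, found ${bases.size}`);
  }
  return [...bases][0];
}

// Resolve the API URL the way the browser does for a relative request URL.
function resolveApi(base) {
  return new URL(base + API_PATH, PAGE_URL).href;
}
```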

torokati44 commented 1 year ago

Did you get any response since, @LinAGKar? If not, would you mind following up with this newfound insight above?

LinAGKar commented 1 year ago

I never got a response from them, other than "I will be happy to forward your comments to our specialist department, and they may soon fix this issue."

I now sent them a note about the new info.

tuxedoherbert commented 1 year ago

Hi and thank you again for your feedback! We've seen that this is a "problem" only with ruffle but we will have a look into it to solve these for everybody soon!

n0samu commented 1 year ago

Great, thank you!

n0samu commented 1 year ago

I've added the site to our exclusion list in #12650, so this will be resolved once the new extension version makes it onto the Mozilla and Chrome web stores

tuxedoxt commented 1 year ago

Hello,

I've had a look at the offending script 😁 I'd rather like to get rid of the way the path is determined and inject it in a different way. I'll try to push this through soon-ish.

divinity76 commented 1 year ago

> Hi and thank you again for your feedback! We've seen that this is a "problem" only with ruffle but we will have a look into it to solve these for everybody soon!

Ruffle is far from the only extension injecting scripts. Wappalyzer is another one ( https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/ ), and "Super Great Video Downloader" is another ( https://chrome.google.com/webstore/detail/super-great-video-downloa/apphjfeloooogkfiddpeogehbnhhepic - I'm not familiar with the modern versions, but back when they used the name "Flash Video Downloader", it was injecting scripts at least. ), and there's plenty more