standardnotes / desktop

[Moved to https://github.com/standardnotes/app] A free, open-source, and end-to-end encrypted notes app. https://standardnotes.com
GNU Affero General Public License v3.0
1.4k stars 115 forks

With extensions enabled on an account, the desktop client fails to sync when GitHub is inaccessible. #567

Open sneak opened 4 years ago

sneak commented 4 years ago

I had some extensions enabled on my account. When using the desktop client 3.4.1 on macOS, when github.com is firewalled/inaccessible, the syncing/saving of notes to and from the sync service (independent of github) seems to fail. I had to use a different host to log into my account and uninstall all extensions and then delete the ~/Library/Application Support/Standard Notes directory and log back in to restore the ability to save notes.

I feel like it's a bug for syncing (to the Standard Notes sync service) to fail when GitHub (which is not involved in sync) is inaccessible by the client.

JaspalSuri commented 4 years ago

Hi, thank you for reporting this issue. I will pass it along to our web and desktop app dev.

moughxyz commented 4 years ago

GitHub is in no way tied to syncing. I'd need more details on the issue you experienced to determine the actual cause. You can open the Developer Console > Network tab to see what requests are failing. If you're using the plain editor and try to sync with GitHub blocked, it should definitely not cause any problems. If you try downloading an editor, on the other hand, that operation would fail with GH blocked.

sneak commented 4 years ago

The failing requests were showing up as (null). I encourage you to reproduce the problem yourself, as I will likely not be able to do so. I have disabled all extensions and editors (sad, because I am a paying user specifically to get better editors) and don't wish to further affect my main, daily-driver account, and I'm not about to pay a second time just to reproduce a bug.

Personally, after all the song-and-dance about an untrusted sync server, I feel like it should be front and center on the payment page that if you become a paying customer, you have to give Remote Code Execution (RCE) ability to the operators of github.com for extensions to work. My (inaccurate) presumption was that they could be downloaded and installed and would not do things such as have independent autoupdate settings (I have autoupdate turned off for SN) or otherwise access the network (they do). Had I known that this "don't trust the server" privacy software actually trusts the 3P server immensely (RCE) and, in fact, does not even function without connectivity to the 3P server (this bug), I would not have purchased it.

You can reproduce it by creating an account, creating some notes, and adding a few editors and extensions to your account. Quit the app, and DNS or L3 blackhole github.com. Relaunch it, and edit a note. You will lose data.

PS: All extensions should respect the global autoupdate setting set in the app (and not have to have autoupdate turned off for each extension) and "use hosted version" should always default to off. Otherwise, it is unsafe to use SN in places with hostile networks.

sneak commented 4 years ago

Oh, good news. I had forgotten that I screenshotted the issue at the time.

[Screenshots: Screen Shot 2020-06-17 at 19 56 27; Screen Shot 2020-06-17 at 20 00 44; Screen Shot 2020-06-17 at 19 41 30; Screen Shot 2020-06-17 at 19 35 59]

Maybe don't minify the app in desktop builds? I recall trying to find the call stack that kept failing and it was a mess.

moughxyz commented 4 years ago

Thanks for the details. I believe what likely happened is that the failing extension downloads overwhelmed the app to the point that it never got the chance to run the syncing code. But I'll have to verify this more. Regarding the extensions model, they do not have Remote Code Execution privileges. Extensions are in a sandboxed iframe and have no access to your system. But this is why we allow the option on the desktop app to disable hosted version access nonetheless. This leaves the download CDN. We are in the process of taking more control over our CDN and download infrastructure after hiring a full-time DevOps engineer. Building all this out in the past would not have been possible without GH taking over some of the load for us, but it will be possible now, and this is the direction we're heading in. I just can't say exactly how long it will all take.

sneak commented 4 years ago

The "uninstall" buttons (or maybe the "deactivate" ones) were strobing at the time.

sneak commented 4 years ago

Correct me if I'm wrong, but extensions that are editors have access to the content of the note being edited, do they not?

arielsvg commented 4 years ago

After having authorized the extension to view your note, yes. However (assuming this is your concern) the extension is still stuck in an iframe with a strict content security policy so it can't do anything other than change the note's content.
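
The thread's open question is what a framed editor that can read a note may still send over the network. The following is an added example, not part of any comment above and not Standard Notes code: it lists the outbound channels a given CSP header and iframe `sandbox` attribute leave open. The two policies are constructed samples, not the app's real policy, and the check covers only fetch directives, form submission and popups.

```javascript
// Added example, not Standard Notes code. Given the CSP header served with a
// framed document and the iframe's sandbox attribute, list the ways that
// document could still send data (for example note text) off the machine.
const FETCH_DIRECTIVES = ['connect-src', 'img-src', 'media-src', 'font-src'];

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Keep only sources that name a destination: 'self', hosts, schemes, '*'.
// Keywords such as 'none' or 'unsafe-inline' are not destinations.
function destinations(sources) {
  if (sources === undefined) return ['*']; // directive absent: unrestricted
  return sources.filter((s) => s.toLowerCase() === "'self'" || !s.startsWith("'"));
}

function outboundChannels(cspHeader, sandboxAttr) {
  const csp = parseCsp(cspHeader || '');
  const channels = [];
  for (const d of FETCH_DIRECTIVES) {
    // Fetch directives fall back to default-src when absent.
    const dests = destinations(csp.has(d) ? csp.get(d) : csp.get('default-src'));
    if (dests.length) channels.push(`${d}: ${dests.join(' ')}`);
  }
  // sandboxAttr === null means the iframe has no sandbox attribute at all.
  const flags = sandboxAttr === null
    ? null
    : new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  const can = (flag) => flags === null || flags.has(flag);
  // form-action does NOT fall back to default-src.
  const formDests = destinations(csp.get('form-action'));
  if (can('allow-forms') && formDests.length) channels.push(`form-action: ${formDests.join(' ')}`);
  if (can('allow-popups')) channels.push('popups: may open any URL');
  return channels;
}

// Constructed sample policies (assumptions, not taken from the app).
const STRICT = "default-src 'none'; script-src 'self'; style-src 'self'; form-action 'none'";
const LOOSE = "default-src 'self'; img-src *";
console.log(outboundChannels(STRICT, 'allow-scripts'));
console.log(outboundChannels(LOOSE, 'allow-scripts allow-forms allow-popups'));
```

Note that `'self'` in a framed document's policy refers to the origin hosting that document, so for a hosted extension it still permits requests back to the extension's host.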