tasn / webext-signed-pages

A browser extension to verify the authenticity (PGP signature) of web pages
BSD 3-Clause "New" or "Revised" License

Chrome store extension doesn't think client.etesync.com is good. #19

Open alanruttenberg opened 5 years ago

alanruttenberg commented 5 years ago

I get a red x using both Chrome and Chromium. The Firefox extension says the site is signed properly. I verified the extension works in general with the good/bad pages.

In addition, loading the unpacked extension in ungoogled chromium complains about an error.

rugk commented 5 years ago

Which Chrome/ium version?

tasn commented 5 years ago

The manifest issue doesn't look like an error, but rather a warning. It's a known thing, Chrome isn't aware of the "applications" section at the moment (as you can see, it's there to indicate a minimum Firefox version). It's safe to ignore...

tasn commented 5 years ago

As for not thinking client.etesync.com is good: it works for me here. Chrome version: 73.0.3683.75 (Official Build) Arch Linux (64-bit)

Settings are the ones from the official EteSync file: https://www.etesync.com/static/signed-pages.62b857c9583f.txt

Edit: maybe you have an extension installed that's editing the content of the page?

rogerm4242 commented 5 years ago

I am also currently seeing this described behaviour with Chrome 74.0.3729.131-1 Ubuntu (64-bit).

The example pages work as expected: https://stosb.com/~tom/signed-pages/good.html shows good. https://stosb.com/~tom/signed-pages/bad.html shows bad.

But all pages I have seen at https://client.etesync.com show bad.

Edit: Firefox on the same machine shows OK.

tasn commented 5 years ago

This is so interesting! I finally managed to reproduce it. It doesn't happen to me if I enter client.etesync.com nor if I refresh the page, but it does happen if I do a full refresh (Shift + refresh)! Only on Chrome. I'll have to take a look into this, thanks for reporting!

Zvezdin commented 2 years ago

I can confirm that while the good/bad examples work as expected, neither pim., nor client. sites pass verification. No other extensions enabled (incognito mode), and using any way to load the page (click on a link, enter url, full refresh). Any thoughts?

tasn commented 2 years ago

It's only getting worse with manifest v3 (the new Chrome plugin architecture), which makes this plugin even harder to get working on Chrome. :|

Zvezdin commented 2 years ago

What's the issue there? How feasible/doable would it be to have 100% sig verification of a modern react app post-manifest-v3?

tasn commented 2 years ago

Actually, I think I may be misremembering, and it's feasible to do the verification, just not the automatic blocking of non-verified scripts (which is also terrible).

As for the issue with the current version of the Chrome plugin (vs Firefox): Firefox lets you get the script as is, Chrome forces us to get the script from the DOM and try to make a consistent canonical version.
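An added illustration of the last comment, not part of the thread and not the extension's code: a signature covers exact bytes, so text re-serialized from the DOM fails a byte-for-byte check unless signer and verifier apply the same canonical form first. The two page strings are constructed samples, a SHA-256 digest stands in for the PGP check, and `canonicalize` is a hypothetical toy normalizer.

```javascript
const { createHash } = require("crypto");

// Constructed sample: the page exactly as served, i.e. the bytes a signer signs.
const served =
  "<!DOCTYPE html>\n<html>\n<head><title>App</title>\n" +
  "<script src='/static/js/main.js'></script>\n</head>\n" +
  "<body><DIV id=root></DIV>\n</body>\n</html>\n";

// Constructed sample: the same page after parsing and DOM re-serialization
// (doctype gone, tag case and attribute quoting normalized, trailing
// whitespace moved inside <body>).
const fromDom =
  '<html><head><title>App</title>\n' +
  '<script src="/static/js/main.js"></script>\n</head>\n' +
  '<body><div id="root"></div>\n\n\n</body></html>';

// Stand-in for signature verification: any single differing byte changes it.
function digest(text) {
  return createHash("sha256").update(text, "utf8").digest("hex");
}

// Hypothetical toy canonicalizer (an assumption for this example only):
// drops the doctype, lowercases tag names, double-quotes attribute values
// and removes whitespace between tags. Not safe for <pre> or inline text.
function canonicalize(html) {
  return html
    .replace(/<!doctype[^>]*>/i, "")
    .replace(/<[^>]+>/g, (tag) =>
      tag
        .replace(/^<\/?[a-zA-Z][a-zA-Z0-9]*/, (name) => name.toLowerCase())
        .replace(/([a-zA-Z-]+)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g,
          (_, key, dq, sq, bare) => `${key}="${dq ?? sq ?? bare}"`))
    .replace(/>\s+</g, "><")
    .trim();
}

// Compare two documents by the digest of their canonical forms.
function sameContent(a, b) {
  return digest(canonicalize(a)) === digest(canonicalize(b));
}

const tampered = fromDom.replace("main.js", "other.js"); // constructed change
console.log("raw bytes match:      ", digest(served) === digest(fromDom));
console.log("canonical forms match:", sameContent(served, fromDom));
console.log("tampering detected:   ", !sameContent(served, tampered));
```

Every normalization step is content the signature no longer pins down, so a canonical form should discard as little as possible and be identical on the signing and verifying sides.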