Re: [tor-bugs] #1816 [Torbutton]: Create a prototype Content Script for Google Chrome

["Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>]

#1816: Create a prototype Content Script for Google Chrome
-----------------------+----------------------------------------------------
 Reporter:  mikeperry  |       Owner:  mikeperry
     Type:  task       |      Status:  new      
 Priority:  normal     |   Milestone:           
Component:  Torbutton  |     Version:           
 Keywords:             |      Parent:  #1770    
-----------------------+----------------------------------------------------

Comment(by mikeperry):

 Alright! Thanks to some more help from my brother, I've got this working.
 We can't use a script.src url directly, because then Chrome delays the
 load until it starts loading other page elements. However, we can stuff
 the thing into a function closure and then use .toString() to shove that
 into script.innerHTML.

 The prototype I have cloaks timezone, resolution, and javascript-available
 user agent and plugin information. It has a few issues:

 1. It's not clear if the script.innerHTML trick is just allowing us to win
 a race, or if we are actually assured to run before all page script
 because we use "run_at": "document_start" in our manifest.

 2. It's not clear if we've covered enough protocols in our permissions
 section of the manifest, especially if Javascript can register custom
 protocol handlers like it can in Firefox.

 3. We cannot actually yet actively request that the addon be run in
 Incognito mode. The user has to manually tick a checkbox before it does
 anything at all (because it only works in Incognito mode).

 4. It's not clear if we successfully defeat all the anti-js-rootkit stuff
 that Greg Fleischer did against Torbutton a few years back. All his tests
 do fail out of the box, though.

 5. There are still other issues that remain with a proper Tor mode, most
 notably:
    A. Incognito specific proxy settings that are DNS-leak safe.
    B. Preventing plugins from loading, or otherwise muzzling/sandboxing
 them
    C. Blocking versions of the WebRequest APIs.
    D. Preventing external apps from being launched without a proper
 warning
    E. Odd bits of SSL state and other things that may still persist in
 Incognito mode

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1816#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs