From ea15fabad90228614462ed5c2879d01f9c3042d9 Mon Sep 17 00:00:00 2001
From: kkapsner
Date: Fri, 14 Jun 2019 10:51:26 +0200
Subject: [PATCH] Race condition causes persistent rnd separation between containers to lea

Fixes #369
---
 lib/randomSupplies.js | 20 +++++++++++++++-----
 releaseNotes.txt | 1 +
 versions/updates.json | 4 ++++
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/lib/randomSupplies.js b/lib/randomSupplies.js
index a627b48..d333e9d 100644
--- a/lib/randomSupplies.js
+++ b/lib/randomSupplies.js
@@ -63,6 +63,7 @@
 };
 const settings = require("./settings");
+ const logging = require("./logging");
 const extension = require("./extension");
 function getDomain(window){
@@ -81,7 +82,7 @@
 }
 var persistentRnd = Object.create(null);
- let cookieStoreId = "";
+ let cookieStoreId = false;
 settings.onloaded(function(){
 try {
 let storedData = JSON.parse(
@@ -121,6 +122,18 @@
 });
 return function getPersistentRnd(window){
+ while (cookieStoreId === false){
+ logging.message("Starting synchronous request to wait for cookie store id.");
+ try {
+ let xhr = new XMLHttpRequest();
+ xhr.open("GET", "https://[::]", false);
+ xhr.send();
+ xhr = null;
+ }
+ catch (e){
+ logging.verbose("Error in XHR:", e);
+ }
+ }
 var domain = cookieStoreId + getDomain(window);
 if (!persistentRnd[domain]){
 // create the (sub-)domains random numbers if not existing
@@ -144,10 +157,7 @@
 persistentRnd[domain] = new Uint8Array(rnd);
 };
 scope.persistent.setCookieStoreId = function(newCookieStoreId){
- if (
- typeof newCookieStoreId === "string" &&
- newCookieStoreId !== "firefox-default"
- ){
+ if (typeof newCookieStoreId === "string"){
 cookieStoreId = (
 newCookieStoreId !== "" &&
 newCookieStoreId !== "firefox-default"
diff --git a/releaseNotes.txt b/releaseNotes.txt
index a0fa4dc..3e22de9 100644
--- a/releaseNotes.txt
+++ b/releaseNotes.txt
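Review bot: In the `-81,7 +82,7` hunk of lib/randomSupplies.js, `let cookieStoreId = false;` makes the variable three-state without saying so: `false` appears to mean "container id not received yet", `""` the default container, and any other string a specific container. A comment on the declaration would make that explicit, for example `// false until setCookieStoreId() has run; "" is the default container`. Without it, a later cleanup back to `""` would presumably reintroduce the cross-container leak this commit fixes, because an unset id would again be indistinguishable from the default container. The enclosing function starts and ends outside the hunk.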
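Review bot: The `while (cookieStoreId === false)` loop added to `getPersistentRnd` in the `-121,6 +122,18` hunk has no exit other than `setCookieStoreId` being called with a string, so a lost or malformed message leaves the calling page blocked indefinitely, issuing a synchronous request and a `logging.message` entry on every pass. The `-144,10 +157,7` hunk keeps that dependency, since a non-string argument is still ignored and the sentinel stays `false`. Bound the wait, e.g. `for (let tries = 0; cookieStoreId === false && tries < MAX_TRIES; tries += 1){` with `MAX_TRIES` a placeholder constant, and when it runs out fail closed by not handing out a persistent value rather than falling back to the default-container key. A short comment on why a blocking request to `https://[::]` serves as the wait primitive would also help; whether the id can actually arrive during that request depends on browser behaviour not visible here. The function body continues outside the hunk.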
@@ -11,6 +11,7 @@ Version 0.5.11:
 fixes:
 - improved protection of (i)frame properties
 - document.write and document.writeln protection broke pages
+ - race condition causes persistent rnd separation between containers to leak
 known issues:
 - if a data URL is blocked the page action button does not appear
diff --git a/versions/updates.json b/versions/updates.json
index 0a56846..93c575a 100644
--- a/versions/updates.json
+++ b/versions/updates.json
@@ -17,6 +17,10 @@
 {
 "version": "0.5.11Alpha20190612",
 "update_link": "https://canvasblocker.kkapsner.de/versions/canvasblocker_beta-0.5.11Alpha20190612-an+fx.xpi"
+ },
+ {
+ "version": "0.5.11Alpha20190614",
+ "update_link": "https://canvasblocker.kkapsner.de/versions/canvasblocker_beta-0.5.11Alpha20190614-an+fx.xpi"
 }
 ]
 }