Ff >= 45 breaks Object.defineProperty via script injection from a content script

rasdev · March 11, 2016, 4:35pm

Hello all.

In my addon Random Agent Spoofer I create a script (ras_script) inside a content script which is then added to each page. The content of the created script depends on the options the user has selected in the addon’s UI.

so for each page we have

pagemod -> content script -> ras_script

The created script (ras_script) makes use of the Object.defineProperty method to override certain attributes such as window size and navigator.vendor and so on. Prior to firefox 45 it ran in the context of the webpage before the pages scripts and when the page requested details about the browser it would get those spoofed values.

It stopped working in firefox 45 and I have been trying to fix it since. I have debugged various aspects of it and I can’t seem to find a way to fix it.

I can confirm that the content script is running correctly as I can alert messages from it.

I can also confirm that the parameters are being passed to the content script as I can alert them back too.

I can also alert back the properties I have overwrote with Object.defineProperty such as the vendor however any values I have overwritten are not being reflected in any of the test pages that work on firefox 44 such as http://browserspy.dk/screen.php .

I can also confirm that the created ras_script is being executed as I can alert from it and change the background color.

With the above being said I think it is a timing issue and that something could have changed within the PageMod contentScriptWhen code ? as previously the ras_script was executed before any other scripts due to contentScriptWhen: start

PageMod Code

Content Script

Addon on AMO and Github

I have also tested with e10s enabled and disabled and it made no difference.

I have tried everything I can think of now at this stage to try fix this so if anyone has any ideas let me know

Thanks

Lithopsian · March 11, 2016, 11:26pm

Are you allowed to do this from a content script? Maybe no longer? Have you tried it from a frame script?

Or if you think it is a timing issue, have you tried backgrounding the whole thing for 10 seconds? Or maybe explicitly waiting for a document load event and then trying to modify the properties.

There is this bug which has the right timing and is about content script permissions. It is aimed at WebExtensions content scripts, but might be affecting you.

devan.shah14 · March 12, 2016, 7:29pm

Hello

I am also facing a similar issues that is outlined here on Firefox >= 45.

I am using Firefox extensions (xpi) to access the webpage document which contains something like document.validationObject = {} but in the chrome extensions env I am not able to access changes to the document.validationObject which were made. Was there any change in relation to this?

Thanks

rasdev · March 30, 2016, 11:19am

Hi Lithopsian. Thanks for your reply, I appreciate it.

The addon is fully reviewed on AMO so if there was an issue in terms of being allowed I would expect it would have been dealt with there.

As for the frame script, I have not tried it thus far.

I tried backgrounding it and listening for a document load event and it had no effect.

I have given up on my current approach and I will now try the frame scripts. The canvas blocker addon currently uses frame scripts to spoof and block canvas readouts . So I am going to try that and see if it works.

Thanks again for your reply