-
Notifications
You must be signed in to change notification settings - Fork 316
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Spoof navigator.webdriver
to false
#526
base: master
Are you sure you want to change the base?
Conversation
The actual executed code is located in "automation/Extension/spoof.js"
The parameter equals `false` by default, that is the spoofing is disabled by default.
This is very well done, and I apologize for taking so long to get to this review. Thanks so much for the contribution! I've just tested this on the Google login flow (which prevent browsers that have been automated from logging in), and the spoofing fools it. Would you mind to rename the I would also appreciate a simple test page that checks if the webdriver attribute is set with and without this change. Aside from that, these changes look great! |
Of course. Your suggested name is more appropriate. I will change this tomorrow.
Do you mean something like this? I created this test that reads the |
Yes exactly! And thanks for letting me know that it doesn't apply to dynamically created iframes. Do you know the cause? Just wondering if that's also true for the way we inject instrumentation. As an example of how to build an automated test from your current test page you can look at our test page from when we previously masked this attribute. |
The MDN page about content scripts mentions:
I think this is the cause. Then, indeed, it would also apply to the injected instrumentation. The creator of the user-agent-switcher extension I oriented the code at also dealt with this issue. He tracks added iframes and applies the JavaScript proxy overwrite to them. A first test shows using his solution would work as a fix for the |
Thanks, I think we missed that during the move from the addon-sdk to WebExtensions. I filed #545 to investigate. |
This renames `spoof_navigator` to `hide_webdriver` to be more descriptive.
I think your approach may cause some breakage. Take a look at: |
Previously, `navigator` functions such as `javaEnabled` were not proxied correctly and lead to broken pages (for example embedded YouTube videos).
Indeed. I pushed a fix for this issue. Here they did fix the problem but because of the comment "Workarounds for Firefox 68 and below" I did not suspect this to be still a problem. |
So, there is a further detection method. Using
the original @englehardt Is it for a specific reason OpenWPM disabled the pop-up window protection? As far as I understand the setting modification originates from |
Do you know why the extension doesn't inject a content script into the newly created window? Is it simply that the script is able to access the webdriver attribute before the happens or is this related to #526 (comment)?
This wasn't changed by us. The file you've referenced is part of the firefox profile library (https://github.com/saadtazi/firefox-profile-js), which is required by the I suspect the reason it's set to false is that Selenium is primarily meant for website testing where site owners may want to run through tests that continually open new windows without user interaction. That's not as important to us, and it seems more true to the actual use experience to block those popups. So, I'm happy to set that pref back to true. Are you up for doing that in this PR? Also, do you expect to be able to add automated tests to the test suite to check for this property? If not, I'll merge this as is and file a follow-up bug for tests. |
We suspect this setting is set to `false` by Selenium. It is now manually overwritten such that pop-up windows are blocked by default. See discussion in openwpm#526.
Previously, in iframes the original `navigator` values could be accessed. Now, this is only possible via `window.frames[0]`/`window[0]` (which is the same). Again thanks to Alexander Schlarbs User Agent Switcher extension for the code.
I could not find out yet why this happens. It opens an
Already done :) I hope Further, I migrated the iframe solution mentioned earlier. This does not prevent all access methods but does its best, see the commit description. I also updated the test page to cover all combinations I am aware off, including the
That depends on how easy it is to integrate my test page. I looked into your reference how testing was done previously. JavaScript code was executed via Selenium. But for my test page the timing is relevant as earlier access to JavaScript properties makes a difference. Do you think it is easy to read the results of my test page from the HTML page (they are dynamically added in a HTML list) into the Python test? Or is there a more appropriate solution? I am not advanced in writing such tests so maybe adjusting my test page to also write the results in a JSON structure that can be accessed by Selenium in Python or so will be easier. |
@englehardt Any news on this? Momentarily, I have not much time. But if you want to merge the current status I am fine with adding automated tests in a few weeks when I have resources to do so. |
Thanks for poking me on this!
It looks like your previous updates broke a bunch of the tests. Would you mind to check into those test failures to see whether you've introduced an unexpected bug?
That's fine!
To make sure I understand, you'd like to be able to check for the webdriver attribute as early as possible and not introduce the lag that comes with executing JS through Selenium? In that case your suggestion sounds reasonable. The test page can run the full set of tests and put the results of those tests somewhere that the JS we execute through Selenium can access (e.g., on the If we manage to get the current set of tests passing again, I'm happy to merge this without additional tests and add those in a follow-up PR. |
This merges the current upstream to this issue branch. Merge conflict in `automation/Extension/firefox/feature.js/index.js` fixed manually.
I merged remote upstream to see whether this caused the failed tests. Travis-CI tests do fail but it seems to be a problem with automated testing, e.g. with
Exactly. |
I wonder if this is related to the fact that you're loading
This means you have style issues that must be fixed. You can try running https://github.com/hhatto/autopep8 to fix these automatically, but looking at the outputs they seem pretty simple to fix by hand (just sorting issues for dependencies).
You're running Also just to note that you'll also need to run the dev install script (i.e., |
What?
Regarding to #448 this PR extends the OpenWPM instrumentation extension (WebExtension) to spoof the
navigator.webdriver
attribute tofalse
. This is done by overwritingwindow.navigator
with a JavaScript proxy.Why a JavaScript proxy?
Why not simply do a
Object.defineProperty(navigator, 'webdriver', {enumerable: true, value: false})
? Well, this changes thewebdriver
attribute but also the order of thewindow.navigator
attributes. That is, the overwrittenwebdriver
attribute is listed as first while normally listed later:becomes
Thus, it would still be detectable.
How does it work?
Simply set
spoof_navigator
toTrue
and the instrumentation extension registers the content script that spoofs thenavigator
object with a JavaScript proxy. This option defaults toFalse
.Other remarks
automation/Extension/firefox/spoof.js/index.js
andLICENSE
.