MuseScore's Response to @workedintheory's Comment

[sealsrock12]

After @workedintheory's threat to Xmader, an anonymous MuseScore user shared with me the following statement from David, the "Chief Product Officer at Musescore BVBA":

The user is responding is not a part of musescore.com team, but he is working in the company (I mean @workedintheory).

I saw some complaints about his behavior, but after reading all the thread, I don't see any unacceptable things (maybe I just didn't notice).

User called (Xmader) abused our API, create the pirate browser extension, and also stole some scores. We put a lot of effort to neutralize his code, and spent a lot of $ and time for this. His actions are total copyright infringement. So I suppose none of us should worry about his feelings.

[Xmader]

We put a lot of effort to neutralize his code, and spent a lot of $ and time for this. His actions are total copyright infringement. So I suppose none of us should worry about his feelings.

If the statement is real, does it mean my project costs them a lot of money and effort, so it's ok to send a kind of death-threat to me?

[jneen]

(edit: nevermind i misread the quoting lol)

[SchizoDuckie]

Aah yes, doubling down on stupid. They're all in I see.

[cadadr]

Confirms also that this is a company policy and not one rogue employee or two like some wish to portray the thing.

[TZer0]

Hey, Xmader, make sure to make a GoFundMe or something should something happen.

I'm sure plenty of people will lend you their support.

Honestly, the Audacity (heh) of these people....

[raynet]

Adding credential checking to the API (which should be there if it is not meant to be public) takes a day at most, so wouldn't call it lots of effort and money.

[Poikilos]

😆 Streisand effect initiated

[Xmader]

Hey, Xmader, make sure to make a GoFundMe or something should something happen.

I'm sure plenty of people will lend you their support.

Thanks.

Rather than money, more importantly, I need good lawyers for copyright, immigration status / status of political refugee

[AntiSol]

@Xmader It's not their area of expertise, but the EFF are a bunch of lawyers who do offer legal advice and assistance. It may be worth contacting them to see if there's anything they can do to help. It's probably unlikely that they'll be able to do much about immigration stuff but maybe they can connect you with somebody in that field. If I were you I'd send them an email :)

[nccerhostmaster]

The EFF does take an interest in the chilling effects of extreme legal enforcement on rights, so if approached from that perspective they might have some advice.

[Be-ing]

It's amazing how every time they say something, people get even more upset at them.

[nanocat-net]

Hey, Xmader, make sure to make a GoFundMe or something should something happen.
I'm sure plenty of people will lend you their support.

Thanks.

Rather than money, more importantly, I need good lawyers for copyright, immigration status / status of political refugee

Perhaps the Digital Freedom Fund (DFF) https://digitalfreedomfund.org - can help you to find somebody. They work in Europe but they are well connected.

[caughtquick]

It seems like MuseGroup is just digging a bigger whole to bury themselves in, the multiple audacity debacles, librescore threats and now this, it's insane.

[Remzi1993]

It's amazing how every time they say something, people get even more upset at them.

Yeah, this must be some special kind of ability. Every time they open their mouths or write something down it's a shit show. I have never seen anything like that before, this company is going to be hated by a lot of people. Maybe one day they will be hated more than Comcast, EA and Activision if they keep continuing the stupid shit.

[kirwinia]

If you're located in the US, @Xmader (we don't recall if you are or not, nor is it in our notes anywhere) then the ACLU would likely be interested in your problem here and may be in a position to offer you counsel. This kind of situation is along the lines of what they frequently assist with.

Best of luck in staying safe and continuing the good work!

[IkeKap]

I don't think they really intervene directly in any copyright case. Their bread and butter is protecting free speech from government entities. The EFF would probably be a better resource imo

[ghost]

Hey, Xmader, make sure to make a GoFundMe or something should something happen.
I'm sure plenty of people will lend you their support.

Thanks.

Rather than money, more importantly, I need good lawyers for copyright, immigration status / status of political refugee

When Youtube-dl was taken down, EFF helped the team with legal advices which leads to Github restoring the repo. Maybe they can help you with this one too.

[anartisticpanda]

We put a lot of effort to neutralize his code, and spent a lot of $ and time for this. His actions are total copyright infringement. So I suppose none of us should worry about his feelings.

If the statement is real, does it mean my project costs them a lot of money and effort, so it's ok to send a kind of death-threat to me?

The neutralization pretty much is just a 90 ish line inline script.

(function () {
        function executeIfLoaded(callback) {
            if (document.readyState === 'complete') {
                callback()
            } else {
                window.addEventListener('load', callback)
            }
        }
        function onReady(callback) {
            if (document.readyState !== "loading") {
                callback();
            } else {
                document.addEventListener("DOMContentLoaded", callback);
            }
        }
        function getIsUserScript(stack) {
            return stack.indexOf('userscript.html') > -1
        }
        var createElement = document.createElement;
        var open = window.open;
        var append = HTMLElement.prototype.append;
        var prepend = HTMLElement.prototype.prepend;
        var Img = window.Image;

        Object.defineProperty(HTMLElement.prototype, 'append', {
            writable: false,
            value: function () {
                var stack = new Error().stack;
                if (getIsUserScript(stack)) {
                    disable()
                    return null;
                }
                return append.apply(this, arguments)
            }
        })

        Object.defineProperty(HTMLElement.prototype, 'prepend', {
            writable: false,
            value: function () {
                var stack = new Error().stack;
                if (getIsUserScript(stack)) {
                    disable()
                    return null;
                }
                return prepend.apply(this, arguments)
            }
        })

        function disable() {
                        executeIfLoaded(function () {
                window["yaCounter46196364"].reachGoal('UNLEGAL_PAGE_SHOW', {
                    TrackingId: "0",
                    user_id: 0,
                    origin_url: window.location.href,
                })
            })
        }

        document.createElement = function() {
            var tag = arguments[0].toLowerCase()
            if (['img', 'iframe'].indexOf(tag) !== -1) {
                var stack = new Error().stack;
                if (getIsUserScript(stack)) {
                    disable()
                    return null;
                }
            }
            return createElement.apply(this, arguments);
        }
        window.open = function () {
            var stack = new Error().stack;
            if (getIsUserScript(stack)) return;
            return open.apply(this, arguments);
        }

        window.Image = function() {
            var stack = new Error().stack
            var stackChunks = stack.split('\n').slice(2);
            var lastLine = stackChunks.reverse()[0];
            var url = lastLine.split(' ').reverse()[0]
            var urlChunks = url.substr(1, url.length - 2).split(':')
            var resultUrl = urlChunks[0] + ':' + urlChunks[1]

            if (
                getIsUserScript(stack)
                || lastLine.split(' (eval').length >= 3
                || (lastLine.indexOf(' eval ') && resultUrl === location.href)                 || stackChunks.every(function (chunk) { return chunk.indexOf('a (https://c.amazon-adsystem.com/aax2/apstag.js:') > -1 })
            ) {
                disable()
                return null;
            }
            return new Img(arguments[0], arguments[1])
        }
    })();

All that code is doing is preventing a userscript from making Image objects, adding or creating any elements. It would probably take just a little work to bypass musescore can't do anything about the code running at document-start.

[user7230724]

Who cares what the stupid musescore developers have to say? Piracy will never die. It is not our problem that big companies want to make profit out of everything.

[Remzi1993]

We put a lot of effort to neutralize his code, and spent a lot of $ and time for this. His actions are total copyright infringement. So I suppose none of us should worry about his feelings.

If the statement is real, does it mean my project costs them a lot of money and effort, so it's ok to send a kind of death-threat to me?

The neutralization pretty much is just a 90 ish line inline script.

(function () {
        function executeIfLoaded(callback) {
            if (document.readyState === 'complete') {
                callback()
            } else {
                window.addEventListener('load', callback)
            }
        }
        function onReady(callback) {
            if (document.readyState !== "loading") {
                callback();
            } else {
                document.addEventListener("DOMContentLoaded", callback);
            }
        }
        function getIsUserScript(stack) {
            return stack.indexOf('userscript.html') > -1
        }
        var createElement = document.createElement;
        var open = window.open;
        var append = HTMLElement.prototype.append;
        var prepend = HTMLElement.prototype.prepend;
        var Img = window.Image;

        Object.defineProperty(HTMLElement.prototype, 'append', {
            writable: false,
            value: function () {
                var stack = new Error().stack;
                if (getIsUserScript(stack)) {
                    disable()
                    return null;
                }
                return append.apply(this, arguments)
            }
        })

        Object.defineProperty(HTMLElement.prototype, 'prepend', {
            writable: false,
            value: function () {
                var stack = new Error().stack;
                if (getIsUserScript(stack)) {
                    disable()
                    return null;
                }
                return prepend.apply(this, arguments)
            }
        })

        function disable() {
                        executeIfLoaded(function () {
                window["yaCounter46196364"].reachGoal('UNLEGAL_PAGE_SHOW', {
                    TrackingId: "0",
                    user_id: 0,
                    origin_url: window.location.href,
                })
            })
        }

        document.createElement = function() {
            var tag = arguments[0].toLowerCase()
            if (['img', 'iframe'].indexOf(tag) !== -1) {
                var stack = new Error().stack;
                if (getIsUserScript(stack)) {
                    disable()
                    return null;
                }
            }
            return createElement.apply(this, arguments);
        }
        window.open = function () {
            var stack = new Error().stack;
            if (getIsUserScript(stack)) return;
            return open.apply(this, arguments);
        }

        window.Image = function() {
            var stack = new Error().stack
            var stackChunks = stack.split('\n').slice(2);
            var lastLine = stackChunks.reverse()[0];
            var url = lastLine.split(' ').reverse()[0]
            var urlChunks = url.substr(1, url.length - 2).split(':')
            var resultUrl = urlChunks[0] + ':' + urlChunks[1]

            if (
                getIsUserScript(stack)
                || lastLine.split(' (eval').length >= 3
                || (lastLine.indexOf(' eval ') && resultUrl === location.href)                 || stackChunks.every(function (chunk) { return chunk.indexOf('a (https://c.amazon-adsystem.com/aax2/apstag.js:') > -1 })
            ) {
                disable()
                return null;
            }
            return new Img(arguments[0], arguments[1])
        }
    })();

All that code is doing is preventing a userscript from making Image objects, adding or creating any elements. It would probably take just a little work to bypass musescore can't do anything about the code running at document-start.

Funny thing is that if they don't want abuse (of certain things) then they should take care of it on the server side not at the client side! Everything on the client side is abusable and/or changeable.

For example this is code on the client side is also easy to circumvent.

[user7230724]

I don't have too much time too look into the code, but I was working on some advanced ad-blocking extensions in the past, so I have experience with circumventing things. Literally any client-side script can be abused by an extension. That's guaranteed by the very fundamental concepts of how EcmaScript works.

In general, what you have to do is to:

• Make sure you run the script in the document_start handler in the manifest file
• Disable CSP (content security policy) in the background page (you need extraHeaders options IIRC)
• Dispatch an inline event from the content script to work in the webpage's realm window (and to be able to use eval)
• In the inline event, proxify all relevant global constructors and their prototypes (via window.Proxy)
• Make sure you also proxify toString and Symbol.toPrimitive of each proxified object's prototype, so that the webpage's script cannot detect any difference
• Define non-configurable getter-only properties of the global object, so that you can override any webpage's global variables
• Don't forget to proxify createElement of the Document.prototype, so that if the webpage creates an inline iframe, you can inject your script in the iframe too
• Proxify ServiceWorker, Navigator.serviceWorker and ServiceWorkerRegistration, so that you can inject your script in the worker script too
• Also, it is always good to proxify addEventListener of EventTarget.prototype, just in case
• If the webpage is using an external script which executes an IIFE and you can't access the local scope of it, you can always use redircection in the background script to redirect the request to that script to some local extension script (use getUrl to obtain adhoc url for you local script)
• Override attachShadow of Element.prototype, so that you can traverse the shadow subtree before it is appended to the document, if needed
• Override XMLHttpRequest and fetch, of course

[PeterNjeim]

Please note that the new repo is hosted at: https://github.com/LibreScore/dl-librescore