From ca7af1318a6c95b8d6b3e40e0b073aed99e0a3f2 Mon Sep 17 00:00:00 2001
From: iTrooz
Date: Fri, 14 Jun 2024 15:25:52 +0200
Subject: [PATCH 1/5] treat *.localhost/127.0.0.1 as secure
---
 extension/src/background.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/extension/src/background.js b/extension/src/background.js
index 290f7b08..07f790fc 100644
--- a/extension/src/background.js
+++ b/extension/src/background.js
@@ -45,6 +45,11 @@ browser.notifications.onClicked.addListener(async notification => {
 // == CONTENT SCRIPT HANDLING
+// source for what is a secure context: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
+function isSecureURL(url) {
+ return url.protocol === 'https:' || url.hostname === "127.0.0.1" || url.hostname === "localhost" || url.hostname.endsWith(".localhost")
+}
+
 // Detect manifest sent from content script
 browser.runtime.onMessage.addListener(async ({ manifestUrl, documentUrl, isSecureContext }, { tab }) => {
 manifestUrl = manifestUrl ? new URL(manifestUrl) : undefined
@@ -59,7 +64,7 @@ browser.runtime.onMessage.addListener(async ({ manifestUrl, documentUrl, isSecur
 }
 // If both manifest and the page are loaded over HTTPS, and we are in a secure context, site is a valid web app
- let isValidPwa = manifestUrl && manifestUrl.protocol === 'https:' && documentUrl.protocol === 'https:' && isSecureContext
+ let isValidPwa = manifestUrl && isSecureURL(manifestUrl) && isSecureURL(documentUrl) && isSecureContext
 // Force show or hide the page action depending on user preference
 const settingsDisplayPageAction = (await browser.storage.local.get(PREF_DISPLAY_PAGE_ACTION))[PREF_DISPLAY_PAGE_ACTION]
From adda7786067112e592780015b5a8171c4ec6eaa5 Mon Sep 17 00:00:00 2001
From: iTrooz
Date: Fri, 14 Jun 2024 15:26:31 +0200
Subject: [PATCH 2/5] comment about isSecureContext
---
 extension/src/background.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
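Review bot: isSecureURL in the first hunk recognises loopback only as the literal `127.0.0.1`, so the IPv6 loopback `[::1]` (which `URL.hostname` returns with the brackets) and the rest of 127.0.0.0/8, both listed as potentially trustworthy on the MDN page the comment links, are still rejected; a closer string-level match is `url.hostname === '[::1]' || url.hostname.startsWith('127.')` alongside the existing literal. Because the listener in the second hunk still ANDs the browser-supplied `isSecureContext`, this is a coverage gap for local development rather than a bypass, assuming that flag describes the same document whose URL is checked. A one-line header would also help future readers: `// url must be a URL object (manifestUrl is parsed with new URL below); true for https or localhost/loopback hosts`. The onMessage listener that calls isSecureURL starts in the first hunk and continues beyond both hunks.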
diff --git a/extension/src/background.js b/extension/src/background.js
index 07f790fc..5cf423ae 100644
--- a/extension/src/background.js
+++ b/extension/src/background.js
@@ -64,7 +64,7 @@ browser.runtime.onMessage.addListener(async ({ manifestUrl, documentUrl, isSecur
 }
 // If both manifest and the page are loaded over HTTPS, and we are in a secure context, site is a valid web app
- let isValidPwa = manifestUrl && isSecureURL(manifestUrl) && isSecureURL(documentUrl) && isSecureContext
+ let isValidPwa = manifestUrl && isSecureURL(manifestUrl) && isSecureURL(documentUrl) && isSecureContext // also check the browser implementation of secure context, just in case
 // Force show or hide the page action depending on user preference
 const settingsDisplayPageAction = (await browser.storage.local.get(PREF_DISPLAY_PAGE_ACTION))[PREF_DISPLAY_PAGE_ACTION]
From 574c4411475d158fc5de3601e4590fcb3b90e14f Mon Sep 17 00:00:00 2001
From: iTrooz
Date: Fri, 14 Jun 2024 15:28:58 +0200
Subject: [PATCH 3/5] clarify comment about PWA security
---
 extension/src/background.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/extension/src/background.js b/extension/src/background.js
index 5cf423ae..b3600c88 100644
--- a/extension/src/background.js
+++ b/extension/src/background.js
@@ -63,8 +63,10 @@ browser.runtime.onMessage.addListener(async ({ manifestUrl, documentUrl, isSecur
 return
 }
- // If both manifest and the page are loaded over HTTPS, and we are in a secure context, site is a valid web app
- let isValidPwa = manifestUrl && isSecureURL(manifestUrl) && isSecureURL(documentUrl) && isSecureContext // also check the browser implementation of secure context, just in case
+ // check that the PWA is in a secure context.
+ // We do this through checking the URLs for https, or for special hosts (e.g. localhost). If both the manifest and the page pass these checks, the site is a valid web app
+ // Note: we also check the browser implementation of secure context with `isSecureContext`, just in case
+ let isValidPwa = manifestUrl && isSecureURL(manifestUrl) && isSecureURL(documentUrl) && isSecureContext
 // Force show or hide the page action depending on user preference
 const settingsDisplayPageAction = (await browser.storage.local.get(PREF_DISPLAY_PAGE_ACTION))[PREF_DISPLAY_PAGE_ACTION]
From bf89f13b6fdaf7da08c45cad899abf28ab7a99ef Mon Sep 17 00:00:00 2001
From: iTrooz
Date: Fri, 14 Jun 2024 15:47:29 +0200
Subject: [PATCH 4/5] fix linting
---
 extension/src/background.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/extension/src/background.js b/extension/src/background.js
index b3600c88..48943bd8 100644
--- a/extension/src/background.js
+++ b/extension/src/background.js
@@ -45,9 +45,9 @@ browser.notifications.onClicked.addListener(async notification => {
 // == CONTENT SCRIPT HANDLING
-// source for what is a secure context: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
-function isSecureURL(url) {
- return url.protocol === 'https:' || url.hostname === "127.0.0.1" || url.hostname === "localhost" || url.hostname.endsWith(".localhost")
+// source for what is a secure context: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
+function isSecureURL (url) {
+ return url.protocol === 'https:' || url.hostname === '127.0.0.1' || url.hostname === 'localhost' || url.hostname.endsWith('.localhost')
 }
 // Detect manifest sent from content script
From 658b0c35bea3205ce31c1e030d12ccd06423f060 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=A0tamcar?=
Date: Wed, 10 Jul 2024 19:49:46 +0200
Subject: [PATCH 5/5] Slightly change the comment wording
---
 extension/src/background.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/extension/src/background.js b/extension/src/background.js
index 48943bd8..10f9b632 100644
--- a/extension/src/background.js
+++ b/extension/src/background.js
@@ -45,7 +45,8 @@ browser.notifications.onClicked.addListener(async notification => {
 // == CONTENT SCRIPT HANDLING
-// source for what is a secure context: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
+// Check if the URL is considered a secure context
+// Docs: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
 function isSecureURL (url) {
 return url.protocol === 'https:' || url.hostname === '127.0.0.1' || url.hostname === 'localhost' || url.hostname.endsWith('.localhost')
 }
@@ -63,9 +64,10 @@ browser.runtime.onMessage.addListener(async ({ manifestUrl, documentUrl, isSecur
 return
 }
- // check that the PWA is in a secure context.
- // We do this through checking the URLs for https, or for special hosts (e.g. localhost). If both the manifest and the page pass these checks, the site is a valid web app
- // Note: we also check the browser implementation of secure context with `isSecureContext`, just in case
+ // Check if the web app is loaded over a secure context
+ // We do this through checking the URLs for https, or for special hosts (e.g. localhost)
+ // We also check the browser implementation of secure context with `isSecureContext`, just in case
+ // If both the document and the current page pass these checks, the site is a valid web app
 let isValidPwa = manifestUrl && isSecureURL(manifestUrl) && isSecureURL(documentUrl) && isSecureContext
 // Force show or hide the page action depending on user preference
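Review bot: The last added comment line reads `If both the document and the current page pass these checks`, but the expression directly below tests `manifestUrl` and `documentUrl`, so "document" and "current page" name the same thing and the manifest, which is the other operand, goes unmentioned. `// If both the manifest and the document pass these checks, the site is a valid web app` matches the code. The onMessage listener this comment sits in starts before the hunk.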