Great info and links - thanks! I think this is an important topic that needs to be considered when adding code that somehow touches content-space. Thankfully, there have been some really smart people looking into this already, so Ubiquity (and other addons) can learn from previous mistakes and research.
It also shows that while these type of information leaks are getting fixed on the Firefox platform (eg, chrome:// URLs are no longer accessable unless whitelisted), its often up to extension authors to do things sensibly and with forethought. Whether or not this type of leak can be used malliciously or not is beside the point - if its not explicitly wanted (and expected) by the user, then its a security bug that needs fixing. - Blair On 8/5/09 4:30 PM, esquifit wrote: > There was some talk about this topic some time ago, see the links > below. I don't know how vulnerable Firefox is these days. The same > question arose repeatedly in the context of the Greasemonkey extension. > The GM developers eventually implemented some protection measures that > (I think) are now somehow handled by Firefox itself. Anthony > Lieuallen's Karma Blocker extension [1] was also very helpful against > this vulnerability. > > [1] https://addons.mozilla.org/en-US/firefox/addon/5230 > > There were essentially two approaches: > 1) When a message bar is displayed as a result of a script being > installed/discovered, the page can detect the vertical displacement > caused by the bar. For example a page could include the <link> tag > pointing to some (possible non existent) ubiuity script and check for > the vertical shift caused by the Ubiquity bar prompting for installation. > 2) Including a extension's chrome:// image resource from the web page. > Depending on whether the extension was installed or not, the included > image would have length 0 or greater than 0 and would thus affect the > width of some other element in the page. This could be measured by > javascript code. I think newer versions of Firefox disallow inclusion of > chrome:// images from web content. > > Here some interesting links: > > Detecting FireFox Extentions ha.ckers.org <http://ha.ckers.org> web > application security lab > http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/ > > Jeremiah Grossman: I know what you've got (Firefox Extensions) > http://jeremiahgrossman.blogspot.com/2006/08/i-know-what-youve-got-firefox.html > > Greasemonkey Detect > http://wearehugh.com/public/2006/07/detect-greasemonkey.html > > Greasemonkey Detectable? - greasemonkey-users | Grups de Google > http://groups.google.com/group/greasemonkey-users/browse_thread/thread/ac245dd9de7c9258/efb9091ddd9ff2dd?lnk=gst&q=Greasemonkey+Detectable#efb9091ddd9ff2dd > <http://groups.google.com/group/greasemonkey-users/browse_thread/thread/ac245dd9de7c9258/efb9091ddd9ff2dd?lnk=gst&q=Greasemonkey+Detectable#efb9091ddd9ff2dd> > > > > On Sat, May 9, 2009 at 1:05 AM, Blair McBride <[email protected] > <mailto:[email protected]>> wrote: > > > This would be a security bug if it were possible - it should never be > possible for web content to detect which extensions a user is running. > > - Blair > > > > On 4/5/09 1:42 PM, Alphawolf wrote: > > > > Hey there, > > > > is it possible to check with javascript if Ubiquity is installed in a > > user's Firefox? I'd like to display some install instructions to > those > > only who have it installed already. > > > > Regards, > > Oliver > > > > > > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "ubiquity-firefox" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/ubiquity-firefox?hl=en -~----------~----~----~----~------~----~------~--~---
