[RESOLVED] samy.pl bypasses NS content blocking (Java)
Re: samy.pl bypasses NS content blocking (Java)
Wait, so NoScript is toggling the global Java setting? Aren't all plugin instances aborted when a plugin gets deactivated?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101124 Firefox/4.0b8pre
- Giorgio Maone
- Site Admin
- Posts: 9472
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: samy.pl bypasses NS content blocking (Java)
Nope. The enabled/disabled setting is checking only at instantiation time.dhouwn wrote:Wait, so NoScript is toggling the global Java setting? Aren't all plugin instances aborted when a plugin gets deactivated?
However, this is moot because I've just found a wonderful hack which allows me to intercept the java properties without triggering the JVM and without disabling the plugin.
I still can't believe it works, but it does, and it takes 1 millisecond on Fx 3.6 and 5 milliseconds on Fx 4 (weird, probably a JIT anti-optimization). I'm still running in "debug mode", though, therefore I expect these numbers to be slightly different (better) in production, but they're already excellent.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Re: samy.pl bypasses NS content blocking (Java)
What is it?Giorgio Maone wrote:However, this is moot because I've just found a wonderful hack which allows me to intercept the java properties without triggering the JVM and without disabling the plugin.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
- Giorgio Maone
- Site Admin
- Posts: 9472
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: samy.pl bypasses NS content blocking (Java)
al_9x wrote:What is it?Giorgio Maone wrote:However, this is moot because I've just found a wonderful hack which allows me to intercept the java properties without triggering the JVM and without disabling the plugin.
Code: Select all
(function() {
const w = window;
const k = function() {};
w.watch('java', k); // wonderful trick reducing w.java resolution by a 100 factor,
w.watch('Packages', k); // by skipping InitJavaProperties() and undeffing Packages and java
const g = function() {
const d = w.document;
const o = d.createElement("object");
o.type = "application/x-java-vm";
o.data = "data:" + o.type + ",";
d.body.appendChild(o);
d.body.removeChild(o);
w.__defineGetter__("java", k);
w.__defineGetter__("Packages", k);
}
w.__defineGetter__("java", g);
w.__defineGetter__("Packages", g);
})()
actually it looks like I talked too fast. The code above does reduce the execution time by two orders of magnitude, but unless I disable the plugin the JVM gets instantiated anyway
So I'll end combining plugin disablement and the trick above to keep the execution time well under 10 milliseconds while effectively intercepting the Java properties without instantiating the JVM.
EDIT 2
Here's the reason why I was mislead about the extent of the trick above. It works fully on Fx 3.6 (speedup + JVM prevention), but only grants the speedup on Minefield, where the JVM instantiation can only be prevented by disabling the plugin.
However the overhead of the plugin status management is negligible enough not to grant a separate codepath for the 1.9.x branch.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Re: samy.pl bypasses NS content blocking (Java)
Giorgio Maone wrote:It works fully on Fx 3.6 (speedup + JVM prevention)
Code: Select all
<script>
watch('java', function() {});
</script>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
- Giorgio Maone
- Site Admin
- Posts: 9472
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: samy.pl bypasses NS content blocking (Java)
This doesn't for me, but I run at a very "strange" time (when the documentElement has been created but no script has run yet), so probably the timing plays a role in what is ultimately a bug which has likely been fixed on trunk. However, as I said, I'm ending to temporarily disable the plugin anyway.al_9x wrote:Giorgio Maone wrote:It works fully on Fx 3.6 (speedup + JVM prevention)this starts the vm on 3.6 for meCode: Select all
<script> watch('java', function() {}); </script>
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
- Giorgio Maone
- Site Admin
- Posts: 9472
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: samy.pl bypasses NS content blocking (Java)
Please check latest development build (2.0.6rc5).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Re: samy.pl bypasses NS content blocking (Java)
Confirmed. The only possible problem is lack of notification. On allowed pages you just get the puzzle, and on partial not even that. Maybe that's enough considering the likelihood of liveconnect actually being used, but probably the right thing here is an alert bar offering to allow java and optionally reload the page.Giorgio Maone wrote:Please check latest development build (2.0.6rc5).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
Re: samy.pl bypasses NS content blocking (Java)
If you change the code, please bump the version. Why did you remove the logging in the new rc5 (final)?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
- Giorgio Maone
- Site Admin
- Posts: 9472
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: samy.pl bypasses NS content blocking (Java)
It slipped in the very early rc5 on my site (lasted 5 minutes or so) and was removed before going in AMO's update channel, because it was on a performance-critical code path and didn't belong in a final RC.al_9x wrote:If you change the code, please bump the version. Why did you remove the logging in the new rc5 (final)?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Re: samy.pl bypasses NS content blocking (Java)
Is a consoleDump test really a performance hit? Being able to optionally see whether or not this interception takes place and also how long it takes, is helpful. I don't see the harm in it, it's effectively a noop when off (default)Giorgio Maone wrote:It slipped in the very early rc5 on my site (lasted 5 minutes or so) and was removed before going in AMO's update channel, because it was on a performance-critical code path and didn't belong in a final RC.al_9x wrote:If you change the code, please bump the version. Why did you remove the logging in the new rc5 (final)?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101122 Firefox/3.6.13
Re: samy.pl bypasses NS content blocking (Java)
In 2.0.8rc1, it looks like the plugins toggling and liveconnect injection take place even when the Java plugin is disabled. Is that right? Would it not make sense to check before calling interceptLiveConnect? Is it an expensive operation? Perhaps it's possible to be notified and cache the Java state?
Also, I noticed that after clicking the liveconnect link in http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.
Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.
Also, I noticed that after clicking the liveconnect link in http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.
Code: Select all
<iframe name="A" style="display:none"></iframe>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101130 Firefox/3.6.13
- Giorgio Maone
- Site Admin
- Posts: 9472
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: samy.pl bypasses NS content blocking (Java)
It's relatively expensive and in some circumstances (which I coudln't reproduce reliably) it fires a JVM.al_9x wrote:In 2.0.8rc1, it looks like the plugins toggling and liveconnect injection take place even when the Java plugin is disabled. Is that right? Would it not make sense to check before calling interceptLiveConnect? Is it an expensive operation? Perhaps it's possible to be notified and cache the Java state?
No idea, investigating. Does it happen also on a reduced test case (the iframe only)? Does disabling liveconnect interception change anything?al_9x wrote: Also, I noticed that after clicking the liveconnect link in http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.Code: Select all
<iframe name="A" style="display:none"></iframe>
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Re: samy.pl bypasses NS content blocking (Java)
Is it possible to be notfified and cache the enabled state?Giorgio Maone wrote:It's relatively expensive and in some circumstances (which I coudln't reproduce reliably) it fires a JVM.al_9x wrote:In 2.0.8rc1, it looks like the plugins toggling and liveconnect injection take place even when the Java plugin is disabled. Is that right? Would it not make sense to check before calling interceptLiveConnect? Is it an expensive operation? Perhaps it's possible to be notified and cache the Java state?
Here's a simple page:Giorgio Maone wrote:No idea, investigating. Does it happen also on a reduced test case (the iframe only)? Does disabling liveconnect interception change anything?al_9x wrote: Also, I noticed that after clicking the liveconnect link in http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.Code: Select all
<iframe name="A" style="display:none"></iframe>
Code: Select all
<a href="#" onclick="alert(java.lang.Math.PI);">PI</a>
<iframe></iframe>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
- Giorgio Maone
- Site Admin
- Posts: 9472
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: samy.pl bypasses NS content blocking (Java)
Unfortunately not. I checked the "plugin-list-updated" notifications (which, together with "plugin-crashed" is the only observable event fired by PluginHost), but it is triggered only by navigator.plugins.refresh().al_9x wrote: Is it possible to be notfified and cache the enabled state?
I can't observe this. Tested both on Minefield and Firefox 3.6.12 (default NoScript options + extended embedding restrictions); all it happens when I click the link is the URL changing to (...)# and the Blocked Objects menu being added of Java-enablement options.al_9x wrote: Also, I noticed that after clicking the liveconnect link in http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.Code: Select all
<iframe name="A" style="display:none"></iframe>
Here's a simple page:If you disable interception or disable Java, it does not happen.Code: Select all
<a href="#" onclick="alert(java.lang.Math.PI);">PI</a> <iframe></iframe>
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12