Page 2 of 3
Re: samy.pl bypasses NS content blocking (Java)
Posted: Wed Nov 24, 2010 8:20 pm
by dhouwn
Wait, so NoScript is toggling the global Java setting? Aren't all plugin instances aborted when a plugin gets deactivated?
Re: samy.pl bypasses NS content blocking (Java)
Posted: Wed Nov 24, 2010 8:38 pm
by Giorgio Maone
dhouwn wrote:Wait, so NoScript is toggling the global Java setting? Aren't all plugin instances aborted when a plugin gets deactivated?
Nope. The enabled/disabled setting is checking only at instantiation time.
However, this is moot because I've just found a wonderful hack which allows me to intercept the java properties without triggering the JVM and
without disabling the plugin.
I still can't believe it works, but it does, and it takes 1 millisecond on Fx 3.6 and 5 milliseconds on Fx 4 (weird, probably a JIT anti-optimization). I'm still running in "debug mode", though, therefore I expect these numbers to be slightly different (better) in production, but they're already excellent.
Re: samy.pl bypasses NS content blocking (Java)
Posted: Wed Nov 24, 2010 8:43 pm
by al_9x
Giorgio Maone wrote:However, this is moot because I've just found a wonderful hack which allows me to intercept the java properties without triggering the JVM and without disabling the plugin.
What is it?
Re: samy.pl bypasses NS content blocking (Java)
Posted: Wed Nov 24, 2010 9:07 pm
by Giorgio Maone
al_9x wrote:Giorgio Maone wrote:However, this is moot because I've just found a wonderful hack which allows me to intercept the java properties without triggering the JVM and without disabling the plugin.
What is it?
Code: Select all
(function() {
const w = window;
const k = function() {};
w.watch('java', k); // wonderful trick reducing w.java resolution by a 100 factor,
w.watch('Packages', k); // by skipping InitJavaProperties() and undeffing Packages and java
const g = function() {
const d = w.document;
const o = d.createElement("object");
o.type = "application/x-java-vm";
o.data = "data:" + o.type + ",";
d.body.appendChild(o);
d.body.removeChild(o);
w.__defineGetter__("java", k);
w.__defineGetter__("Packages", k);
}
w.__defineGetter__("java", g);
w.__defineGetter__("Packages", g);
})()
:
actually it looks like I talked too fast. The code above does reduce the execution time by two orders of magnitude, but unless I disable the plugin the JVM gets instantiated anyway
So I'll end combining plugin disablement and the trick above to keep the execution time well under 10 milliseconds while effectively intercepting the Java properties without instantiating the JVM.
EDIT 2
Here's the reason why I was mislead about the extent of the trick above. It works fully on Fx 3.6 (speedup + JVM prevention), but only grants the speedup on Minefield, where the JVM instantiation can only be prevented by disabling the plugin.
However the overhead of the plugin status management is negligible enough not to grant a separate codepath for the 1.9.x branch.
Re: samy.pl bypasses NS content blocking (Java)
Posted: Wed Nov 24, 2010 10:42 pm
by al_9x
Giorgio Maone wrote:It works fully on Fx 3.6 (speedup + JVM prevention)
Code: Select all
<script>
watch('java', function() {});
</script>
this starts the vm on 3.6 for me
Re: samy.pl bypasses NS content blocking (Java)
Posted: Wed Nov 24, 2010 10:48 pm
by Giorgio Maone
al_9x wrote:Giorgio Maone wrote:It works fully on Fx 3.6 (speedup + JVM prevention)
Code: Select all
<script>
watch('java', function() {});
</script>
this starts the vm on 3.6 for me
This doesn't for me, but I run at a very "strange" time (when the documentElement has been created but no script has run yet), so probably the timing plays a role in what is ultimately a bug which has likely been fixed on trunk. However, as I said, I'm ending to temporarily disable the plugin anyway.
Re: samy.pl bypasses NS content blocking (Java)
Posted: Wed Nov 24, 2010 11:12 pm
by Giorgio Maone
Please check
latest development build (2.0.6rc5).
Re: samy.pl bypasses NS content blocking (Java)
Posted: Thu Nov 25, 2010 1:02 am
by al_9x
Confirmed. The only possible problem is lack of notification. On allowed pages you just get the puzzle, and on partial not even that. Maybe that's enough considering the likelihood of liveconnect actually being used, but probably the right thing here is an alert bar offering to allow java and optionally reload the page.
Re: samy.pl bypasses NS content blocking (Java)
Posted: Thu Nov 25, 2010 1:44 am
by al_9x
If you change the code, please bump the version. Why did you remove the logging in the new rc5 (final)?
Re: samy.pl bypasses NS content blocking (Java)
Posted: Thu Nov 25, 2010 1:49 am
by Giorgio Maone
al_9x wrote:If you change the code, please bump the version. Why did you remove the logging in the new rc5 (final)?
It slipped in the very early rc5 on my site (lasted 5 minutes or so) and was removed before going in AMO's update channel, because it was on a performance-critical code path and didn't belong in a final RC.
Re: samy.pl bypasses NS content blocking (Java)
Posted: Thu Nov 25, 2010 2:12 am
by al_9x
Giorgio Maone wrote:al_9x wrote:If you change the code, please bump the version. Why did you remove the logging in the new rc5 (final)?
It slipped in the very early rc5 on my site (lasted 5 minutes or so) and was removed before going in AMO's update channel, because it was on a performance-critical code path and didn't belong in a final RC.
Is a consoleDump test really a performance hit? Being able to optionally see whether or not this interception takes place and also how long it takes, is helpful. I don't see the harm in it, it's effectively a noop when off (default)
Re: samy.pl bypasses NS content blocking (Java)
Posted: Sat Dec 04, 2010 12:29 am
by al_9x
In 2.0.8rc1, it looks like the plugins toggling and liveconnect injection take place even when the Java plugin is disabled. Is that right? Would it not make sense to check before calling interceptLiveConnect? Is it an expensive operation? Perhaps it's possible to be notified and cache the Java state?
Also, I noticed that after clicking the liveconnect link in
http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.
Code: Select all
<iframe name="A" style="display:none"></iframe>
Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.
Re: samy.pl bypasses NS content blocking (Java)
Posted: Sat Dec 04, 2010 12:34 am
by Giorgio Maone
al_9x wrote:In 2.0.8rc1, it looks like the plugins toggling and liveconnect injection take place even when the Java plugin is disabled. Is that right? Would it not make sense to check before calling interceptLiveConnect? Is it an expensive operation? Perhaps it's possible to be notified and cache the Java state?
It's relatively expensive and in some circumstances (which I coudln't reproduce reliably) it fires a JVM.
al_9x wrote:
Also, I noticed that after clicking the liveconnect link in
http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.
Code: Select all
<iframe name="A" style="display:none"></iframe>
Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.
No idea, investigating. Does it happen also on a reduced test case (the iframe only)? Does disabling liveconnect interception change anything?
Re: samy.pl bypasses NS content blocking (Java)
Posted: Sat Dec 04, 2010 12:51 am
by al_9x
Giorgio Maone wrote:al_9x wrote:In 2.0.8rc1, it looks like the plugins toggling and liveconnect injection take place even when the Java plugin is disabled. Is that right? Would it not make sense to check before calling interceptLiveConnect? Is it an expensive operation? Perhaps it's possible to be notified and cache the Java state?
It's relatively expensive and in some circumstances (which I coudln't reproduce reliably) it fires a JVM.
Is it possible to be notfified and cache the enabled state?
Giorgio Maone wrote:al_9x wrote:
Also, I noticed that after clicking the liveconnect link in
http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.
Code: Select all
<iframe name="A" style="display:none"></iframe>
Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.
No idea, investigating. Does it happen also on a reduced test case (the iframe only)? Does disabling liveconnect interception change anything?
Here's a simple page:
Code: Select all
<a href="#" onclick="alert(java.lang.Math.PI);">PI</a>
<iframe></iframe>
If you disable interception or disable Java, it does not happen.
Re: samy.pl bypasses NS content blocking (Java)
Posted: Sat Dec 04, 2010 12:11 pm
by Giorgio Maone
al_9x wrote:
Is it possible to be notfified and cache the enabled state?
Unfortunately not. I checked the "plugin-list-updated" notifications (which, together with "plugin-crashed" is the only observable event fired by PluginHost), but it is triggered only by navigator.plugins.refresh().
al_9x wrote:
Also, I noticed that after clicking the liveconnect link in
http://samy.pl/natpin/ , the page navigates to # (expected), and "about:blank" is shown in the NS menu. It has something to do with the empty iframe on the page.
Code: Select all
<iframe name="A" style="display:none"></iframe>
Normally, about:blank is excluded, but somehow the liveconnect blocking is changing this.
Here's a simple page:
Code: Select all
<a href="#" onclick="alert(java.lang.Math.PI);">PI</a>
<iframe></iframe>
If you disable interception or disable Java, it does not happen.
I can't observe this. Tested both on Minefield and Firefox 3.6.12 (default NoScript options + extended embedding restrictions); all it happens when I click the link is the URL changing to (...)# and the Blocked Objects menu being added of Java-enablement options.