vegetableman / vandal

Navigator for Web Archive
https://vegetableman.github.io/vandal/
GNU Affero General Public License v3.0
155 stars 6 forks

Extension has issues with CSP and Samesite origin #9

Open DrWhax opened 3 years ago

DrWhax commented 3 years ago

Hey, awesome idea!

I'm trying to test it out with some co-workers but it doesn't seem to ever load any data from the wayback machine. I use firefox 78.10.0.esr with extensions, but it also doesn't load in a firefox without any extensions installed, except the vandal one.

When I open the debugger of the browser I see the following:

Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Inconsolata-Bold.eot?#iefix (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Inconsolata-Bold.woff (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Inconsolata-Bold.ttf (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Inconsolata-Bold.svg#Inconsolata-Bold (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Inconsolata-Regular.eot?#iefix (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Inconsolata-Regular.woff (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Inconsolata-Regular.ttf (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Inconsolata-Regular.svg#Inconsolata-Regular (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/SourceSans3-Bold.woff2 (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/SourceSans3-Bold.woff (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/SourceSans3-Semibold.woff2 (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/SourceSans3-Semibold.woff (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/SourceSans3-Regular.woff2 (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/SourceSans3-Regular.woff (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Cousine-Regular.eot?#iefix (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Cousine-Regular.woff (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Cousine-Regular.ttf (“font-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at chrome-extension://dd031431-c709-45bc-b948-c36b367ef746/build/fonts/Cousine-Regular.svg#Cousine-Regular (“font-src”).

The CSP configuration will cause issues in Firefox. However, the same website I tested in Chrome worked for me: nu.nl, but another like fox-it.com hasn't because of X-Frame-Options being "sameorigin".

Not sure what the right way is on fixing this and I haven't dived into the code, but maybe not load original websites in that frame as a lot of it would break?

vegetableman commented 3 years ago

@DrWhax The issue with fox-it.com is due to the URL being cached through service workers, not due to the X-Frame-Options header. Vandal ignores X-Frame-Options. You can open devtools on fox-it.com and check Bypass for network on Application -> Service Workers and it will work. When service workers are enabled, certain requests can no longer be intercepted by Vandal. Although I do need to do a better job of displaying an appropriate error in such cases.

As for the mentioned CSP issue, those files are only supposed to be invoked in Chrome and not for Firefox. Firefox doesn't recognize the chrome-extension:// URL format, hence the error. The issue is not reproducible in the latest version of Firefox, 88.0.1, and I have never heard of Firefox Extended Support Release before 🙂. So, I will have to install it and see if I can fix the issue.

maybe not load original websites in that frame as a lot of it would break?

The core of Vandal navigation is the iframe. In most cases, it thrives on it and in other cases, it's limited by it. The tool is not meant for everyone. Maybe I should state it more explicitly in the Limitations section in the Readme. In your case, for now, using the Wayback Machine (https://web.archive.org) is the best option.
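The interception step vegetableman describes (a webRequest listener drops X-Frame-Options from the response so the archived page can render inside Vandal's iframe), written out as an added example that is not Vandal's own code. The URL filter, the `sub_frame` restriction and the listener name are assumptions; the header-filtering logic is a plain function so it can be tested outside a browser.

```javascript
// Added example, not Vandal's code. Models the header-stripping step
// from the thread: a webRequest onHeadersReceived listener removes
// X-Frame-Options so the response can be framed by the extension's UI.
// This only affects the local browser that installed the extension.

const FRAME_HEADERS = new Set(["x-frame-options"]);

// Remove X-Frame-Options from a webRequest responseHeaders array.
// Header names are matched case-insensitively, as servers may send
// "X-Frame-Options", "x-frame-options", etc.
function stripFrameOptions(responseHeaders) {
  return responseHeaders.filter(
    (h) => !FRAME_HEADERS.has(h.name.toLowerCase())
  );
}

// onHeadersReceived handler: returns a BlockingResponse carrying the
// filtered header list. A missing responseHeaders array is tolerated.
function onHeadersReceived(details) {
  return { responseHeaders: stripFrameOptions(details.responseHeaders || []) };
}

// Registration, only meaningful inside a WebExtension background script.
// Filter values are assumptions for illustration: restrict interception to
// sub_frame loads from web.archive.org rather than every request.
// Caveat from the thread: a response served by the site's own service
// worker never passes through webRequest, so this listener never sees it
// and X-Frame-Options stays in place (the fox-it.com case).
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    onHeadersReceived,
    { urls: ["https://web.archive.org/*"], types: ["sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```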

vegetableman commented 3 years ago

To get to the core of the issue here, for me to reference back and in case I wasn't clear enough (sorry about that), the website URL and its response headers are fetched from cache by service workers. So, Vandal is no longer able to intercept the request through webRequest and remove the X-Frame-Options header from the response, causing the page to not render in the iframe.

Related issue: https://bugs.chromium.org/p/chromium/issues/detail?id=766433

Potential solutions: