
how-fugu-is-the-web's Introduction

Project Fugu 🐡 API Detector

An extension to shine light on the Project Fugu 🐡 APIs web apps try to use.

Screen Shot 2021-06-22 at 16 45 53

How it works

API data

The raw data for the different Project Fugu 🐡 APIs is curated in the fugu-api-data project, so keeping the list of APIs updated is a straightforward task independent of the extension.

API detection

The extension monitors the requests a page makes via the chrome.webRequest.onBeforeRequest.addListener() API. Each response body (grouped into main-frame, JavaScript, and Web App Manifest response bodies) is then run through a set of regular expressions like /navigator\.hid\.requestDevice\s*\(/g to determine whether the code hints at a Project Fugu 🐡 API potentially being used.

Browser support detection

Most Project Fugu 🐡 APIs are easily feature-detectable by checking for the existence of interfaces or properties, for example, as in 'BarcodeDetector' in window. Other APIs require a ServiceWorkerRegistration, but luckily the popup window in Manifest V3 extensions uses a service worker, so it can be used via an IIFE that can be run in the client or the service worker. An example is (async () => 'periodicSync' in (await navigator.serviceWorker?.ready || self.registration))().

The support categories are listed below:

  • ✅ Supported by your browser.
  • 🚫 Not supported by your browser.
  • 🤷 Support unknown for your browser. (The only way to know would be user-agent sniffing.)

Deep-linking

The extension makes use of Text Fragment URLs to deep-link to the occurrence of a detected API. The source code gets rendered in a helper HTML page controlled by the extension, since it is impossible to directly link to view-source: protocol links and non-document resources with Text Fragment URLs.

Limitations

  • The chrome.webRequest.onBeforeRequest.addListener() API unfortunately does not "see" requests that are handled by a service worker (crbug.com/766433). There are three possible workarounds for this:
    • Hard-reload via ⌘/Ctrl+Shift+R.
    • Open DevTools and check the Bypass for network checkbox in the Service Worker section of the Application tab.
    • Clear storage in the Storage section of the Application tab.
  • The extension only does static code analysis, that is, there is no guarantee that the app actually uses the code snippet where a Project Fugu 🐡 API was detected.
  • Heavily minified code will not be detected. For example, if an app minifies navigator.clipboard.write() to const nav = navigator; nav.clipboard.write(), the extension will not detect this.
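The regex-based static detection from the "API detection" section, together with the minification limitation above, as an added example that is not the extension's own code. The pattern list, the response "kind" labels and the sample bodies are constructed for illustration.

```javascript
// Constructed detection patterns, written in the same style as the README's
// /navigator\.hid\.requestDevice\s*\(/g example (not the fugu-api-data list).
const FUGU_API_PATTERNS = [
  { api: 'WebHID', regex: /navigator\.hid\.requestDevice\s*\(/g },
  { api: 'Async Clipboard', regex: /navigator\.clipboard\.write\s*\(/g },
  { api: 'Shape Detection', regex: /new\s+BarcodeDetector\s*\(/g },
  { api: 'File Handling', regex: /"file_handlers"\s*:/g }, // manifest member
];

// Scan one response body and return every hit with its offset, which is what
// a Text Fragment deep link would later point at.
function detectFuguApis(body, patterns = FUGU_API_PATTERNS) {
  const hits = [];
  for (const { api, regex } of patterns) {
    // Copy the regex so each body starts with a fresh lastIndex.
    const re = new RegExp(regex.source, regex.flags);
    let m;
    while ((m = re.exec(body)) !== null) {
      hits.push({ api, index: m.index, snippet: body.slice(m.index, m.index + 40) });
    }
  }
  return hits;
}

// Group results by response kind, mirroring the README's split into
// main-frame, JavaScript and Web App Manifest bodies (labels are assumed).
function scanResponses(responses) {
  const result = {};
  for (const { kind, body } of responses) {
    result[kind] = (result[kind] || []).concat(detectFuguApis(body));
  }
  return result;
}

// Constructed sample bodies. The second script body contains the README's
// aliased form `const nav = navigator; nav.clipboard.write()`, which the
// pattern cannot see: only the direct call is reported.
const SAMPLE_RESPONSES = [
  { kind: 'main_frame', body: '<script>const d = new BarcodeDetector({formats:["qr_code"]});</script>' },
  { kind: 'script', body: 'async function copy(i){ await navigator.clipboard.write([i]); }\n' +
                          'const nav = navigator; nav.clipboard.write([item]);' },
  { kind: 'script', body: 'const dev = await navigator.hid.requestDevice({filters:[]});' },
  { kind: 'manifest', body: '{"name":"demo","file_handlers":[{"action":"/open","accept":{"text/csv":[".csv"]}}]}' },
];

function demo() {
  return scanResponses(SAMPLE_RESPONSES);
}
```

Running demo() yields one Shape Detection hit for the main frame, one Async Clipboard and one WebHID hit for the scripts, and one File Handling hit for the manifest; the aliased clipboard call produces nothing, which is exactly the false negative the limitation describes.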

License

Apache 2.0.

how-fugu-is-the-web's People

Contributors

oliverdunk, tomayac


how-fugu-is-the-web's Issues

Message length exceeded maximum allowed length

In popup.html window on https://www.figma.com/files/732752601638635881/recent?fuid=1139501734446669134:

Error handling response: TypeError: Error in invocation of tabs.sendMessage(integer tabId, any message, optional object options, optional function callback): Message length exceeded maximum allowed length.
    at chrome-extension://heiejpijidominodkblpgegphceihbal/background.js:226:26
background.js:232

Error handling response: TypeError: Error in invocation of tabs.sendMessage(integer tabId, any message, optional object options, optional function callback): Message length exceeded maximum allowed length.
    at chrome-extension://heiejpijidominodkblpgegphceihbal/background.js:226:26

It seems to have two side effects

After activating in Chrome incognito mode, Google search histories are shared in the synced account

I'm using Chrome (110.0.5481.178) and my Google account is synced.
I also allowed the extension to run in incognito mode.
Then, after I search on google.com in an incognito tab, I can find the search history in the search field of google.com in a normal tab, as if I had searched in a normal tab.
Other browser histories don't seem to be shared, as expected.

Disturbing OAuth 2.0 flow

Regardless of activation in incognito mode, it disturbs the OAuth flow, so signing in to services like GitHub or Postman fails.


I don't know if these are inevitable for it to work, and I'm not even sure the extension is the cause.
So sorry about that if I'm wrong :)
