Expose an option to disable //#sourceURL= pragma handling
Categories
(Core :: JavaScript Engine, enhancement, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox78 | --- | fixed |
People
(Reporter: sarah, Assigned: loganfsmyth)
Details
Attachments
(2 files)
Network stack trace from akam get request
Background: while investigating tracking scripts, I discovered that //# sourceURL can be used to alter the script url shown in the JS stack trace, which is an issue for measurement - https://github.com/mozilla/OpenWPM/issues/597. I have now discovered, this also affects network stack trace.
Steps to reproduce:
- go to www.mattressfirm.com (this problem isn't specific to mattressfirm.com it is just a site where you can see this behavior - we could make a test / demo site if needed)
- observe in devtools network tab a script is loaded from forter.com (something like
https://15912b5d40f0.cdn4.forter.com/sn/15912b5d40f0/script.js) - filter network tab with string "akam" you'll observe a network request, something like
https://media-akam.licdn.com/cdo/cdxs/r20.gif?rnd=1586462843566 - click on request and then stack trace and see that the call is attributed to
(program):2
Expected result: call is attributed to https://15912b5d40f0.cdn4.forter.com/sn/15912b5d40f0/script.js
This result holds after I change devtools.source-map.client-service.enabled and devtools.debugger.source-maps-enabled to false.
If you view the source of the forter script, you can see the end of it is //# sourceURL=(program):2
If you want additional evidence that the request to media-akam came from the forter script, in this gist I have deobfuscated the script and you can see the forter script assembling the call to the media-akam domain here.
Being able to attribute networks and interconnections of domains, scripts, and requests is important for tracking research. Although we probably don't want to change the sourceURL behavior by default, it would be good to have a pref with which to alter it.
(apologies in advance if this pref exists and I just haven't found it yet).
I found these other bugs that may be relevant: https://bugzilla.mozilla.org/show_bug.cgi?id=1622158 and https://bugzilla.mozilla.org/show_bug.cgi?id=1224078
|
||
Comment 1•6 years ago
|
||
Thanks for the report!
I can't see any requests when filtering the Network panel using akam so, it would be great if you could provide simple & specific test page.
Honza
|
Reporter | |
Comment 2•6 years ago
|
||
Sorry the test case didn't work for you. Could be lots of reasons. I made a test page: http://www.sarahbird.org/tests/sourceURL/
|
|
||
Comment 3•5 years ago
|
||
Thanks for the test case!
If I understand this report correctly, you are looking for a pref that we could use to disable support for # sourceURL directive entirely, correct?
Honza
|
|
Reporter | |
Comment 4•5 years ago
•
|
||
are looking for a pref that we could use to disable support for # sourceURL directive entirely?
That sounds right. But I don’t have any particular solution in mind. My need is to be able to attribute activity* back to its source and not have the originator be able to mask themselves.
`* For activity, I am currently considering network / webRequest & JavaScript API access. But there may be things that I haven’t yet thought of. Flagging :englehardt in case he has other activity that we should be mindful of.
We can share more information on how OpenWPM instrument things if that would be useful.
|
|
||
Comment 5•5 years ago
|
||
Logan, you've been doing some analysis of # sourceURL recently. Is there a good simple way to disable support for it?
Honza
|
Assignee | |
Comment 6•5 years ago
|
||
sourceURL and sourceMappingURL are both related to debugging but independent features, so the source-map feature flag does not affect it. The easiest option to disable it would be to add an option into SpiderMonkey itself to disable exposing the sourceURL value. It has to be in SpiderMonkey because new Error().stack also includes the sourceURL URL, it's not just the stack traces exposed via the debugger UI that are aware of this URL.
|
|
Reporter | |
Comment 7•5 years ago
|
||
And, for what it’s worth, new Error().stack is how we get meta data as we instrument the JS API in OpenWPM: we listen for calls to APIs, then if one of interest is hit, we throw an error to get the stack trace to pull info about what script called the API. This is the basis for how we detect fingerprinting.
|
||
Comment 8•5 years ago
|
||
I have some idea how OpenWPM as a crawler works, but will follow up async to learn more.
Sarah, if I understand correctly, you need a way to disable sourceURL support for running OpenWPM to get access to the raw stack data – correct?
|
|
Reporter | |
Comment 9•5 years ago
|
||
:digitarald - good talking today. I would like to disable anything that might interfere with the ability to locate the origin of JS API requests and network requests.
|
|
||
Comment 10•5 years ago
|
||
Logan, per comment 6, should we move it over to the JS component?
|
|
Assignee | |
Comment 11•5 years ago
|
||
Yep, moving it sounds good.
@Sarah Would it be reasonable if the option also disabled sourcemaps? I've been trying to decide how broadly the option should apply. On one side it could literally only affect new Error().stack , and in the middle it could disable specifically //#sourceURL= and at the other extreme it could disable all //#sourceXX= pragma parsing.
|
|
Reporter | |
Comment 12•5 years ago
|
||
Would it be reasonable if the option also disabled sourcemaps?
Yes! I think it would be confusing otherwise.
(I didn't mention sourceMappingURL as I hadn't investigated whether it has the same effect)
|
|
Assignee | |
Comment 13•5 years ago
|
||
sourceMappingURL will only affect DevTools, not new Error().stack so that's why I ask, but if the objective is essentially "show me the files without manipulation" in general for both devtools and new Error().stack then disabling both pragma types makes sense I think.
|
||
Comment 14•5 years ago
|
||
The product::component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 15•5 years ago
|
||
These pragmas can be used to influence stack trace filenames, and to affect
how and where files show up in developer tools. In some circumstances, it can
be nice to disable allof that functionality in order to ensure that you get
the stack trace and debug information as SpiderMonkey sees it.
|
||
Updated•5 years ago
|
|
||
Comment 16•5 years ago
|
||
Sorry for the delay here in chiming in here, and thanks for picking this up so quickly!
As Sarah mentions, we grab the call stack in two places:
- For js calls by throwing an error in overwritten getter/setter methods we use to instrument built-in JS APIs
- For http requests by grabbing the stack in an
http-on-opening-requestobserver.
It sounds like these changes will cover the new Error().stack case. Will they also cover the stack accessed via Components.stack? See: https://github.com/mozilla/OpenWPM/blob/efb191a7f46e2eb0b2a531ca50711b6620df2372/automation/Extension/firefox/src/privileged/stackDump/OpenWPMStackDumpChild.jsm#L122.
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 17•5 years ago
|
||
Will they also cover the stack accessed via Components.stack?
Yep, this should all be addressed by this change.
|
|
Reporter | |
Comment 18•5 years ago
|
||
Is it possible that this patch will get merged this week, I’d like to run a crawl with this new functionality enabled.
|
||
Comment 19•5 years ago
|
||
|
||
Comment 20•5 years ago
|
||
| bugherder | ||
Description
•