Async configuration retrieval allows for easy full cross-browser bypass techniques.

[hackademix]

First of all, thanks for this interesting project. I do hope we can cooperate in the future to make the web safer.

JS Restrictor currently uses async messaging to retrieve the wrapping configuration depending on the current URL in the document_start.js content script.

This allows for easy cross-browser bypass of all the restrictions (beside browser-specific ones like issue #25), because page scripts can be run before JS Restrictor's injection and sabotage it.

Proof of concept here, based on https://polcak.github.io/jsrestrictor/test/test.html with a twist.

[polcak]

Hello,

unfortunately https://maone.net/test/jsrestrictorbypass/ gives me 404 error.

By any chance, is this the same issue as described in #40 (comment)?

[hackademix]

Sorry for the typo, it's https://maone.net/test/jsrbypass/ - fixed also in the original report.

[polcak]

Thank you. The code (a first head child):

<script>

   let p = Performance;
   window.__defineGetter__("Performance", function() {
           
           window.__defineGetter__("Performance", function() { return p; });
           console.log(new Error().stack);
           if (confirm("Do you want to bypass JavaScript Restrictor?")) throw "JavaScript Restrictor bypassed!";
           return p;
        });

</script>

[polcak]

Thanks Giorgio for reporting #40 (comment). AFAICS this is a duplicate of #40. Hopefully, you persuade browser developers to implement the required API.