Uint8Array - related issues in Firefox content script (sandboxed environment) #1651
Replies: 7 comments 1 reply
-
Hello 👋 I'm a bit confused by this issue as the Web Crypto API does not return openpgpjs/src/crypto/hash/index.js Line 63 in 400b163 I don't see any reason why taking a subarray or slice of such Uint8Array s would not be allowed - have you raised an issue with Firefox?
|
Beta Was this translation helpful? Give feedback.
-
I can understand the mechanics of it -- when calling
If I remember correctly, it happened when serializing params in |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
Do you have a stack trace? This code comes from a helper functions so it's not entirely clear in which context this would break.
As far as I can tell, we don't use this property anywhere. E.g. in the case of key generation we take the modulus from base64 and convert it to a Uint8Array ourselves, here: openpgpjs/src/crypto/public_key/rsa.js Lines 181 to 184 in bb0c1f8 |
Beta Was this translation helpful? Give feedback.
-
Btw, a tangential thought; there is another API that we're using that does return Uint8Arrays, namely |
Beta Was this translation helpful? Give feedback.
-
Yes, it is pretty much possible that these arrays are coming from |
Beta Was this translation helpful? Give feedback.
-
Right. So - in that case, patching If that does help, I would indeed report an issue to Firefox as well |
Beta Was this translation helpful? Give feedback.
-
In this setup we have 2 different Uint8Array types depending on where they were initialized:
openpgp.js
(Sandbox) or Web Cryptography API.The sandboxed arrays are only recognizable as
globalThis.Uint8Array
, while the ones returned by Web Cryptography API are(window.)Uint8Array
So we currently need to patch
openpgp.js
for every occurrence of the pattern likex instanceof Uint8Array
replacing it with
x instanceof Uint8Array || x instanceof globalThis.Uint8Array
I also found a helper function
is_bytes
in the codebase.Can we fix it like this and call it from all the other places?
There are more details of this research: FlowCrypt/flowcrypt-browser#5013 (comment)
There is also an issue calling
subarray
andslice
methods on(window.)Uint8Array
in this setup -- permission denied.It's better to not use these methods or create a sandbox copy of Uint8Array on arrays returned from Web Cryptography API
Beta Was this translation helpful? Give feedback.
All reactions