Whitelist not really whitelisting everything #474

Closed
maricn opened this issue Nov 19, 2020 · 5 comments

maricn commented Nov 19, 2020

Expected Behavior

Any page at my company's Atlassian Confluence platform opens. It is private, so I can't link to it (I also redacted the sensitive links).

I would expect that whitelisting the page would help, but it doesn't.

Current Behavior

The page gets stuck with the loader shown, and never fully opens.

Workaround

  1. Completely disable Chameleon plugin.
  2. Reload the page.
  3. Reenable Chameleon plugin.

Since I have applied that workaround, the issue doesn't appear again. I drafted this issue when I just figured it out, but I thought I should bring it to your attention anyways since I have some logs.

Relevant settings

The domain is whitelisted and the whitelist is recognized (Chameleon reports the page is on the whitelist).

Context (Environment)

Noticed this at least at Firefox 81. Now at Firefox 83.

Logs

With Chameleon enabled and webpage in whitelist, the page doesn't load:

Some cookies are misusing the recommended “SameSite“ attribute 5
[CanvasBlocker] frame script: [2020-10-26 14:46:31.270] Wrong name specified for get Error: 
    exportFunctionWithName moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/extension.js:112
    changeProperty moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/iframeProtection.js:28
    protectFrameProperties moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/iframeProtection.js:66
    protectFrameProperties moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/iframeProtection.js:48
    protect moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/iframeProtection.js:287
    interceptWindow moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/frame.js:174
    <anonymous> moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/frame.js:226
    <anonymous> moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/frame.js:227
logging.js:76:17
[CanvasBlocker] frame script: [2020-10-26 14:46:31.270] Wrong name specified for get Error: 
    exportFunctionWithName moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/extension.js:112
    changeProperty moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/iframeProtection.js:28
    protectFrameProperties moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/iframeProtection.js:84
    protectFrameProperties moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/iframeProtection.js:48
    protect moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/iframeProtection.js:287
    interceptWindow moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/frame.js:174
    <anonymous> moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/frame.js:226
    <anonymous> moz-extension://e49d79d5-23da-43b4-accd-3e3b0be6348c/lib/frame.js:227
logging.js:76:17
Uncaught TypeError: t.supportedLocalesOf is not a function
    r index.js:28
    r index.js:27
    u app~493df0b3.8PWw82BxGE.js:1
    d app~493df0b3.8PWw82BxGE.js:1
    m app~493df0b3.8PWw82BxGE.js:1
    tjUo app~493df0b3.8PWw82BxGE.js:1
    Webpack 4
index.js:28:31
Source map error: Error: Invalid URL: webpack://~external "_"
Resource URL: https://confluence-v1.prod.atl-paas.net/master/app~493df0b3.8PWw82BxGE.js
Source Map URL: app~493df0b3.8PWw82BxGE.js.map
Firefox can’t establish a connection to the server at wss://XXXXX.atlassian.net/subscriptions/subscriptions. client.js:446:22
The connection to wss://XXXXX.atlassian.net/subscriptions/subscriptions was interrupted while the page was loading. client.js:446:22
Firefox can’t establish a connection to the server at wss://XXXXX.atlassian.net/subscriptions/subscriptions. client.js:446:22
The connection to wss://XXXXX.atlassian.net/subscriptions/subscriptions was interrupted while the page was loading. client.js:446:22

With Chameleon disabled, the page loads:

Firefox can’t establish a connection to the server at wss://XXXXX.atlassian.net/subscriptions/subscriptions. client.js:446:22
The connection to wss://XXXXX.atlassian.net/subscriptions/subscriptions was interrupted while the page was loading. client.js:446:22
Firefox can’t establish a connection to the server at wss://XXXXX.atlassian.net/subscriptions/subscriptions. client.js:446:22
The connection to wss://XXXXX.atlassian.net/subscriptions/subscriptions was interrupted while the page was loading. client.js:446:22
Firefox can’t establish a connection to the server at wss://XXXXX.atlassian.net/subscriptions/subscriptions. client.js:446:22
The connection to wss://XXXXX.atlassian.net/subscriptions/subscriptions was interrupted while the page was loading. client.js:446:22
WidthDetector will be deprecated, please use WidthObserver from @atlaskit/width-detector instead. WidthDetector.tsx:59:8
WidthDetector will be deprecated, please use WidthObserver from @atlaskit/width-detector instead. WidthDetector.tsx:59:8
Some cookies are misusing the recommended “SameSite“ attribute 35
XHR GET https://XXXXX.atlassian.net/gateway/api/join-site-service/site/0b0f4760-6e7b-4369-8324-3020139e390a/domainRestrictedSignupPromotion
[HTTP/2 409 Conflict 184ms]

WidthDetector will be deprecated, please use WidthObserver from @atlaskit/width-detector instead. WidthDetector.tsx:59:8
XHR POST https://XXXXX.atlassian.net/gateway/api/engage-targeting/api/v2/user/deadbeef-6e7b-4369-8324-deadbeefdead/messages/EXT-167/start
[HTTP/2 409 Conflict 193ms]

Deprecation notice: Accessing Env through metalTypes will soon be deprecated. index.js:5:8
asm.js type error: Disabled by debugger 27.MJGm2nE2nf.js
Content Security Policy: Couldn’t process unknown directive ‘noscript-marker’ 6
Loading failed for the <script> with source “https://connect-cdn.atl-paas.net/all.js”. start:8:1
Loading failed for the <script> with source “https://doc-c-cdn.comalatech.app/dist/3e08cac88a503d22948a5410d6d34bf2-vendor.dll.js”. start:13:1
Loading failed for the <script> with source “https://doc-c-cdn.comalatech.app/dist/a930bf68606d11d5aa7969774f88a926-startup-bundle.js”. start:14:1
Content Security Policy: Couldn’t process unknown directive ‘noscript-marker’ 3
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 3 injected.js:1:5301
Content Security Policy: The page’s settings blocked the loading of a resource at https://connect-cdn.atl-paas.net/all.js (“script-src”). 3
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 3 start:10:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://doc-c-cdn.comalatech.app/dist/3e08cac88a503d22948a5410d6d34bf2-vendor.dll.js (“script-src”). 3
Content Security Policy: The page’s settings blocked the loading of a resource at https://doc-c-cdn.comalatech.app/dist/a930bf68606d11d5aa7969774f88a926-startup-bundle.js (“script-src”). 3
Content Security Policy: The page’s settings blocked the loading of a resource at data: (“media-src”). 3
Content Security Policy: The page’s settings observed the loading of a resource at data: (“default-src”). A CSP report is being sent.
Content Security Policy: Couldn’t process unknown directive ‘noscript-marker’ 3
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 4 utils.js:35:9
Loading failed for the <script> with source “https://connect-cdn.atl-paas.net/all.js”. index.html:6:1
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 3 injected.js:1:5301
Content Security Policy: The page’s settings blocked the loading of a resource at https://connect-cdn.atl-paas.net/all.js (“script-src”). 3
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 3 index.html:10:1
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 3 index.html:16:1
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 3 index.html:23:1
Content Security Policy: The page’s settings blocked the loading of a resource at data: (“media-src”). 3
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 4 utils.js:35:9
XHR POST https://XXXXX.atlassian.net/gateway/api/engage-targeting/api/v2/user/deadbeef-6e7b-4369-8324-deadbeefdead/messages/confluence-onboarding-space-page-v2/start
[HTTP/2 409 Conflict 136ms]

XHR POST https://XXXX.atlassian.net/gateway/api/engage-targeting/api/v2/user/deadbeef-6e7b-4369-8324-deadbeefdead/messages/confluence-onboarding-space-page-v2/start
[HTTP/2 409 Conflict 140ms]

This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. 2020-10-26+Core+v2+Deployment
AJS's create element functionality has been deprecated since 5.9.0.
No alternative will be provided.
Use document.createElement() or jQuery.parseHTML(), or preferably use a templating library. batch.js:112:470
DEPRECATED JS - Dialog has been deprecated since 6.0.6 and will be removed in a future release. Use require('confluence-create-content/space-blueprint')  
 f/<@https://d2oo471t4e338f.cloudfront.net/XXXXX.atlassian.net/wiki/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-1968367188/h/b02826bf95bb751002bcca6ac1cadcc1/_/download/contextbatch/js/_super/batch.js?externals=__local-default__&locale=en-US:376:136 batch.js:129:173
Finished loading Autocomplete base, Macro browser, JIM, Jira chart plugin plugin.js:245:10
sereneblue (Owner) commented

@maricn What version of Chameleon are you using? There was a similar issue reported recently (v0.21.5) so this should have been fixed in a later update. The whitelist allows spoofing the language which is the cause of the issue. I can update Chameleon to prevent spoofing if the language doesn't change.
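
The failure mode described in this comment (language spoofing breaking page code that calls `supportedLocalesOf`, as in the first log above), as an added example that is not part of the original thread and is not Chameleon's code. It assumes the spoofing replaces `Intl` constructors with wrappers; `naiveWrap`, `proxyWrap`, `patchedIntl` and `pageLocaleCheck` are hypothetical names.

```javascript
// Added illustration; not Chameleon's code. All function names are hypothetical.
const CTORS = ["DateTimeFormat", "NumberFormat", "Collator"];

// Naive wrapper: forces a locale but drops the constructor's static methods,
// so Ctor.supportedLocalesOf becomes undefined on the replacement.
function naiveWrap(Ctor, spoofedLocale) {
  return function (locales, options) {
    return new Ctor(spoofedLocale, options);
  };
}

// Safer wrapper: a Proxy forwards statics (supportedLocalesOf, prototype, name)
// to the real constructor and only rewrites the locale argument.
function proxyWrap(Ctor, spoofedLocale) {
  return new Proxy(Ctor, {
    construct(target, args, newTarget) {
      return Reflect.construct(target, [spoofedLocale, args[1]], newTarget);
    },
    apply(target, thisArg, args) {
      return Reflect.apply(target, thisArg, [spoofedLocale, args[1]]);
    },
  });
}

// Builds the Intl object a page would see. When the spoofed language equals
// the real one, nothing is wrapped (the mitigation suggested in the comment).
function patchedIntl(realIntl, spoofedLocale, realLocale, wrap) {
  if (spoofedLocale === realLocale) return realIntl;
  const patched = {};
  for (const name of CTORS) patched[name] = wrap(realIntl[name], spoofedLocale);
  return patched;
}

// Stand-in for page code: a locale feature check like the one that threw
// "t.supportedLocalesOf is not a function" in the log.
function pageLocaleCheck(intl) {
  try {
    return intl.DateTimeFormat.supportedLocalesOf(["en-US"]).length > 0;
  } catch (e) {
    return e.message; // the TypeError text a site would hit
  }
}

// Constructed sample run: real locale fr-FR, spoofed to en-US.
console.log(pageLocaleCheck(patchedIntl(Intl, "en-US", "fr-FR", naiveWrap)));
console.log(pageLocaleCheck(patchedIntl(Intl, "en-US", "fr-FR", proxyWrap)));
```
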


maricn commented Nov 20, 2020

I think this happened before v0.21.5, and after that I haven't yet witnessed it (either the update fixed it or my workaround TTL hasn't expired 🤷 )... I'm cool with closing this and reopening if I notice the behavior again.

Thanks for getting back quickly on this one :)

maricn closed this as completed Nov 20, 2020

maricn commented Dec 11, 2020

Today I've started experiencing the same behavior. The logs are slightly different though...

Uncaught DOMException: Permission denied to access property "F0f2qj" on cross-origin object Page+Title+Redacted+1:4
    inject Page+Title+Redacted+1:4
    method Page+Title+Redacted+1:284
    v addStyles.js:182
    m addStyles.js:209
    g addStyles.js:278
    h addStyles.js:136
    exports addStyles.js:87
    j7xK bundle.css:16
    Webpack 8

The page is in the whitelist, and is still experiencing the issue where it stops loading.

The issue goes away only if I disable the Chameleon plugin globally (clicking on the shield from the plugin's menu).

Chameleon Version: 0.21.8.1
Firefox Version: 83.0 (64-bit)

sereneblue (Owner) commented

@maricn Please let me know if v0.21.9 resolves this issue.


maricn commented Dec 13, 2020

@sereneblue yes, it seems to be working now!

maricn closed this as completed Dec 13, 2020