YSK - bypass paywall clean browser extension allows reading paywalled websites. works in android firefox too.

  • rudyharrelson@lemmy.radio
    link
    fedilink
    English
    arrow-up
    13
    ·
    3 months ago

    I took a cursory glance through the source code (for the Firefox version, at least), and I’m not seeing any calls to the gitflic.ru URL outside of the update functions (there appear to be two different places where these might be triggered) and one function for importing custom sites:

    // Import custom sites from local/online
    function import_url_options(e, online) {
      let url = '/custom/sites_custom.json';
      if (online)
        url = 'https://gitflic.ru/project/magnolia1234/bpc_updates/blob/raw?file=sites_custom.json'  + '&rel=' + randomInt(100000);
      try {
        fetch(url)
        .then(response => {
          if (response.ok) {
            response.text().then(result => {
              import_json(result);
            })
          }
        });
      } catch (err) {
        console.log(err);
      }
    }
    

    I noticed in the manifest.json, there is the optional permissions array:

    "optional_permissions": [ "*://*/*" ],

    Which seems to grant the extension access to all URLs, so maybe that’s why the HTTP request is able to fire on any given website rather than just the ones explicitly defined in the regular permissions array. Though this is speculation on my part; I’ve only ever written one or two complex Firefox extensions. I’m not sure if the “optional permissions” array can be declined upon installation (or configured in the extension settings after installation); perhaps access to the wildcard URL can be revoked so that this update call isn’t occurring constantly.

    All looks okay to me, but this was a very quick audit.