[Ext] Opera Wand for Firefox - SecureLogin

[efox99]

Here is the modified version of Secure Login.

It is version 0.9.9 with the modified code to handle Gmail (and I believe Amazon). I relabeled it 1.0.2pre so that users won't be prompted to update until a newer version is released by Abine.

Thanks for doing this but it's not allowing to log in with mouse click/or using the setting "Activate Javascript Protection on login".

[WildcatRay]

Sorry, but I am not a coder. I merely edited the file that needed to be updated because of Google changing Gmail login and then posted it for you and others.

[efox99]

I understand Ray and I want to thank you again. I disabled javascript protection on login in the meantime.

[SantaFe]

Hmmm... just got Firefox 17: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/17.0 Firefox/17.0 - Build ID: 20121120170634

Now for some reason Secure Login will not log me in when I click on the gold key anymore. It does in Firefox 16.0.2, but not in 17. Durned updates.

[WildcatRay]

Works fine for me on 17 as well as Nightly (20.0a1), but I do not use "Activate Javascript protection on login" either.

[efox99]

Meanwhile, Abine, Inc. "The online privacy company" only seem to be interested in advertising their other products having failed to even address the gmail problem.

Their mission was to take over the secure login addon, then spam the hell out of it's users with the advertising page. That was their only objective.

[LoudNoise]

As far as I can tell they only take you the page when you upgrade. This is hardly a sin.

[mantra]

with firefox 17 ,secure login java protection stopped to work

[Benjamin Markson]

Having debugged secureLogin v1.0.1 the new failure is occurring in secureLogin.js here:

Code: Select all

1604: this.urlSecurityCheck(url, doc.location.href);

This line is throwing the exception: "Loading of [the url of the login page] denied."

Note: this check only occurs if the 'Activate Javascript protection at login' option is enabled.

I'm not clear what the function urlSecurityCheck() is designed to achieve - I can't find any documentation for this function - however, if we comment out this line of code everything works again.

I don't know if secureLogion poorly implements urlSecurityCheck(), or whether FF17 has broken something more fundamental. urlSecurityCheck() certainly doesn't seem to do anything important to the actual login process, it's simply running some kind of check, possibly checking that the page's form url matches the page's own url, maybe some kind of phishing protection, maybe something more clever. I have no idea.

Ben.

[leepa]

I have found the urlSecurityCheck function in omni.ja -> chrome\toolkit\content\global\contentAreaUtils.js (starts in line 20)

The only difference between version Firefox version 16 and higher (actually checked on 19a1) is in defining (and referencing) secMan object(?):
16.0.2

Code: Select all

  var secMan = Services.scriptSecurityManager;
  if (aFlags === undefined) {
    aFlags = secMan.STANDARD;
  }

19a1

Code: Select all

  const nsIScriptSecurityManager =
    Components.interfaces.nsIScriptSecurityManager;
  var secMan = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
                         .getService(nsIScriptSecurityManager);
  if (aFlags === undefined)
    aFlags = nsIScriptSecurityManager.STANDARD;

Obviously there is a change in getting to the scriptSecurityManager service but I have absolutely no idea why this impacted the secureLogin functionality (nor what it means)...

[SantaFe]

Works fine for me on 17 as well as Nightly (20.0a1), but I do not use "Activate Javascript protection on login" either.

Thanks, that worked un checking Activate Javascript protection on login. Weird though it worked when checked in 16.0.2 [Edit: always wait to reply after reading entire post. ]. Oh well.

[Milayne]

leepa, I think you mixed something up.

16.0.2 (previous "mozilla-release") and 17.0 (current "mozilla-release") and 18.0 ("mozilla-beta"):

Code: Select all

  const nsIScriptSecurityManager = Components.interfaces.nsIScriptSecurityManager;
  var secMan = Components.classes["@mozilla.org/scriptsecuritymanager;1"].getService(nsIScriptSecurityManager);
  if (aFlags === undefined)
    aFlags = nsIScriptSecurityManager.STANDARD; 

(no parentheses around the statement )

19.0 ("mozilla-aurora") and 20.0 ("mozilla-central"):

Code: Select all

  var secMan = Services.scriptSecurityManager;
  if (aFlags === undefined) {
    aFlags = secMan.STANDARD;
  } 

So there is actually no change between 16.0.2 and 17.0 - in fact the whole "contentAreaUtils.js" is the same. (Unless I mixed things up. )

[efox99]

As far as I can tell they only take you the page when you upgrade. This is hardly a sin.

Yeah I agree. Was upset when I wrote that.

Such a cool addon such a shame it's abandoned.

[Milayne]

TL;DR: Download my patched "Secure Login 1.0.1" and you're good to go.

After some hours I've got/found a fix. I was digging around in the source, "diff"ing the changes Abine made and trying to understand javascript again, when I suddenly stumpled upon something. Some Japanese-guy fixed the issue already on September 8th.
So download Secure Login 1.0.1 and apply the following changes to "secureLogin.js" inside "/chrome/content". (The line numbers may be off by -3/+3.)

1. First the fix for the issue with the "Activate Javascript Protection on login"-setting. [The "checkLoadURIStr()" method has been removed with Firefox 17.]
   
   
   • On line 1603 replace

     Code: Select all

     this.urlSecurityCheck(url, doc.location.href);

     with

     Code: Select all

     this.urlSecurityCheck(url, doc.nodePrincipal);

     
     
   • On line 2039 replace

     Code: Select all

     urlSecurityCheck: function(url, sourceURL) {

     with

     Code: Select all

     urlSecurityCheck: function(url, principal) {

     
     
   • On line 2041 replace

     Code: Select all

     this.getSecManager().checkLoadURIStr(sourceURL, url, Components.interfaces.nsIScriptSecurityManager.STANDARD);

     with

     Code: Select all

     this.getSecManager().checkLoadURIStrWithPrincipal(principal, url, Components.interfaces.nsIScriptSecurityManager.STANDARD);

   
   
2. Now the fix for the Google login-issue.
   
   
   • On line 839 replace

     Code: Select all

     if(elements[i].type == 'text') {

     with

     Code: Select all

     if(elements[i].type == 'text' || elements[i].type == 'email') {

     
     
   • After line 1542

     Code: Select all

     case 'text':

     add

     Code: Select all

     case 'email':

     so it looks like

     Code: Select all

     case 'text':
     case 'email':

   
   
3. Aaaand a fix for another bug our sweet Japanese-guy found. [Removes many errors from the error console since the second parameter of "addProgressListener()" is not in use since Firefox 4.]
   
   
   • Replace lines 303-306

     Code: Select all

     this.getBrowser().addProgressListener(
        this.progressListener,
        Components.interfaces.nsIWebProgress.NOTIFY_LOCATION | Components.interfaces.nsIWebProgress.NOTIFY_STATE_DOCUMENT
     );

     with

     Code: Select all

     this.getBrowser().addProgressListener(this.progressListener);

That's it. All applaud the Japanese.
He actually also removed all the changes from Abine (0.9.9 --> 1.0.1) but since those are only about the post-install message (which should only appear once every update) I left them. If you still want to remove them, check this out.

So I changed the version to "1.0.2", packaged it back to ".xpi" and done. Download nao! (Yes Abine, you too. Review it and release it on "addons.mozilla.org".)

(Source)

[LoudNoise]

Preceded with care folks. At the first suggestion that this causes any trouble both the link and Milayne will be nuked.