Check if Ubiquity is installed?

0 views
Skip to first unread message

Alphawolf

unread,
May 4, 2009, 4:42:37 PM5/4/09
to ubiquity-firefox
Hey there,

is it possible to check with javascript if Ubiquity is installed in a
user's Firefox? I'd like to display some install instructions to those
only who have it installed already.

Regards,
Oliver

Abimanyu Raja

unread,
May 5, 2009, 6:43:10 AM5/5/09
to ubiquity...@googlegroups.com
Assuming you running from an extension, you should be able to check if
window.gUbiquity is not null. Or are you trying to see Ubiquity is
installed from a webpage?

- Abi

2009/5/5 Alphawolf <webm...@schloebe.de>:

Alphawolf

unread,
May 5, 2009, 5:25:18 PM5/5/09
to ubiquity-firefox
Hey Abi,

I'm trying to see if Ubiquity addon is installed from a webpage. Let's
say, I'm accessing domain.com/ubiquity/ I'd like to output a text
passage that tells about to install a command on that page. But it
should not display that message if Ubiquity is not installed in the
user's Firefox. Or, am I able to access Ubiquity with plain javascript
on a webpage to check for window.gUbiquity?

Regards,
Oliver


On 5 Mai, 12:43, Abimanyu Raja <abimanyur...@gmail.com> wrote:
> Assuming you running from an extension, you should be able to check if
> window.gUbiquity is not null. Or are you trying to see Ubiquity is
> installed from a webpage?
>
> - Abi
>
> 2009/5/5 Alphawolf <webmas...@schloebe.de>:

satyr

unread,
May 5, 2009, 8:21:21 PM5/5/09
to ubiquity...@googlegroups.com
I guess you can abuse the way most Ubiquity skins are wrote.

1. Set up an element with the specific id/class (#ubiquity-preview
.ubiquity-preview-content etc.)
2. Check if its computed-style differs.

This could also detect which skin the user is using.

Blair McBride

unread,
May 8, 2009, 7:05:32 PM5/8/09
to ubiquity...@googlegroups.com
This would be a security bug if it were possible - it should never be
possible for web content to detect which extensions a user is running.

- Blair

esquifit

unread,
May 8, 2009, 7:30:53 PM5/8/09
to ubiquity...@googlegroups.com
There was some talk about this topic some time ago, see the links below.  I don't know how vulnerable Firefox is these days.  The same question arose repeatedly in the context of the Greasemonkey extension.  The GM developers eventually implemented some protection measures that (I think) are now somehow handled by Firefox itself.   Anthony Lieuallen's Karma Blocker extension [1] was also very helpful against this vulnerability.

[1] https://addons.mozilla.org/en-US/firefox/addon/5230

There were essentially two approaches:
1) When a message bar is displayed as a result of a script being installed/discovered, the page can detect the vertical displacement caused by the bar. For example a page could include the <link> tag pointing to some (possible non existent) ubiuity script and check for the vertical shift caused by the Ubiquity bar prompting for installation.
2) Including a extension's chrome:// image resource from the web page. Depending on whether the extension was installed or not, the included image would have length 0 or greater than 0 and would thus affect the width of some other element in the page.  This could be measured by javascript code. I think newer versions of Firefox disallow inclusion of chrome:// images from web content.

Here some interesting links:

Detecting FireFox Extentions ha.ckers.org web application security lab
http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/

Jeremiah Grossman: I know what you've got (Firefox Extensions)
http://jeremiahgrossman.blogspot.com/2006/08/i-know-what-youve-got-firefox.html

Greasemonkey Detect
http://wearehugh.com/public/2006/07/detect-greasemonkey.html

Greasemonkey Detectable? - greasemonkey-users | Grups de Google
http://groups.google.com/group/greasemonkey-users/browse_thread/thread/ac245dd9de7c9258/efb9091ddd9ff2dd?lnk=gst&q=Greasemonkey+Detectable#efb9091ddd9ff2dd

satyr

unread,
May 8, 2009, 7:41:51 PM5/8/09
to ubiquity...@googlegroups.com
data:text/html,<div id="cmd-frame">_

Our skins simply use nsIStyleSheetService, which means they're global
without "@-moz-document" scopes.

I'd fix it along with the fixed height problem.

Blair McBride

unread,
May 8, 2009, 7:46:22 PM5/8/09
to ubiquity...@googlegroups.com
Great info and links - thanks!

I think this is an important topic that needs to be considered when
adding code that somehow touches content-space. Thankfully, there have
been some really smart people looking into this already, so Ubiquity
(and other addons) can learn from previous mistakes and research.

It also shows that while these type of information leaks are getting
fixed on the Firefox platform (eg, chrome:// URLs are no longer
accessable unless whitelisted), its often up to extension authors to do
things sensibly and with forethought.

Whether or not this type of leak can be used malliciously or not is
beside the point - if its not explicitly wanted (and expected) by the
user, then its a security bug that needs fixing.

- Blair




On 8/5/09 4:30 PM, esquifit wrote:
> There was some talk about this topic some time ago, see the links
> below. I don't know how vulnerable Firefox is these days. The same
> question arose repeatedly in the context of the Greasemonkey extension.
> The GM developers eventually implemented some protection measures that
> (I think) are now somehow handled by Firefox itself. Anthony
> Lieuallen's Karma Blocker extension [1] was also very helpful against
> this vulnerability.
>
> [1] https://addons.mozilla.org/en-US/firefox/addon/5230
>
> There were essentially two approaches:
> 1) When a message bar is displayed as a result of a script being
> installed/discovered, the page can detect the vertical displacement
> caused by the bar. For example a page could include the <link> tag
> pointing to some (possible non existent) ubiuity script and check for
> the vertical shift caused by the Ubiquity bar prompting for installation.
> 2) Including a extension's chrome:// image resource from the web page.
> Depending on whether the extension was installed or not, the included
> image would have length 0 or greater than 0 and would thus affect the
> width of some other element in the page. This could be measured by
> javascript code. I think newer versions of Firefox disallow inclusion of
> chrome:// images from web content.
>
> Here some interesting links:
>
> Detecting FireFox Extentions ha.ckers.org <http://ha.ckers.org> web

Blair McBride

unread,
May 8, 2009, 7:47:02 PM5/8/09
to ubiquity...@googlegroups.com
Yep, definitely something that needs fixed. Was that you volunteering to
fix it? ;)

- Blair

Heather

unread,
May 11, 2009, 6:12:27 PM5/11/09
to ubiquity-firefox

Blair McBride

unread,
May 12, 2009, 5:00:49 PM5/12/09
to ubiquity...@googlegroups.com
Alas, doing that would be detectable from the webpage. So from my
perspective, its a no-go.

- Blair
Reply all
Reply to author
Forward
0 new messages