Adding u2f to js.identifier.blacklist

85 views
Skip to first unread message

Axel

unread,
Nov 29, 2019, 7:34:19 PM11/29/19
to GWT Users
The obfuscator does not have "u2f" as a blacklisted identifier. In conjunction with a Firefox that now (>=67) has U2F enabled by default (see about:config, security.webauth.u2f) the identifier "window.u2f" is made available. When the obfuscator uses u2f as an output symbol, weird things can happen, such as properties that are expected to be found on the object bound to the obfuscated "u2f" identifier not being found because u2f points to the U2F object and not the application object.

In our project we work around this by adding

   <extend-configuration-property name="js.identifier.blacklist" value="u2f"/>

to a base module that all our modules inherit. I think this should become part of the standard as it is error prone and incredibly time-consuming to figure out the root cause of the errors that can result.

Thomas Broyer

unread,
Nov 30, 2019, 10:40:49 AM11/30/19
to GWT Users
It is. It just hasn't been released yet: https://github.com/gwtproject/gwt/issues/9619 

Lothar Kimmeringer

unread,
Dec 2, 2019, 6:42:45 AM12/2/19
to google-we...@googlegroups.com


Am 30.11.2019 um 01:34 schrieb 'Axel' via GWT Users:
> The obfuscator does not have "u2f" as a blacklisted identifier.
> In conjunction with a Firefox that now (>=67) has U2F enabled by default
> (see about:config, security.webauth.u2f) the identifier "window.u2f" is
> made available. When the obfuscator uses u2f as an output symbol, weird
> things can happen, such as properties that are expected to be found on
> the object bound to the obfuscated "u2f" identifier not being found
> because u2f points to the U2F object and not the application object.

If not happened already, "webauthn" should be blacklisted as well. But
I'm not sure how likely it is that this text will ever be the result
of an obfuscation ;-)


Cheers, Lothar

Alicia Jones

unread,
Dec 2, 2019, 8:11:20 PM12/2/19
to google-we...@googlegroups.com
Thanks, we'll add that to our blacklist. Do we also need to define the blacklist with, e.g., 
<define-configuration-property name="js.identifier.blacklist" is-multi-valued="true" /> 
or is it already defined elsewhere by GWT?

Thanks,
Dan

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/470b1dd1-4133-464c-b523-7feab71f87ba%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages