Update: Social Fixer 7.321 Resolves Browser Errors!

Due to recent Facebook changes, many Google Chrome users were seeing an error when using Social Fixer. This release resolves that problem and includes a couple of other tweaks.

Install the 7.321 update by going to SocialFixer.com

Fixes In This Release

  • The “SECURITY_ERR: DOM Exception 18” error that Chrome users were seeing has been resolved. See below for details.
  • Changed an image reference in the code from http to https to avoid security warnings.
  • Fixed the background color when hovering over items in the wrench dropdown menu.

        About The SECURITY_ERR: DOM Exception 18 Error

      The details about why this error popped up are complex, but I will attempt to explain some of it here for those who are interested, and in an attempt to help other extension authors who are googling this error. As it turns out, other extension developers are having similar problems.

      In an attempt to make extensions more secure, Chrome has adopted the W3C Content Security Policy recommendations. This helps limit what resources can be loaded from remote sites, to avoid XSS and other attacks.

      Chrome is also adding experimental support for sites that define their own security policies by sending a header that tells the browser how it should behave with regard to external resources. This lets a site tell the browser to not load anything from a remote site except for resources on facebook.com or spotilocal.com, for example. If someone were to compromise the security of their site or if your browser had malware installed which tried to load up scripts or ads from another site, the browser would prevent this because the original site explicitly disallowed it. In theory, this increases user security.

      Facebook recently decided to implement their own Content Security Policy, and began sending this header back with their pages:

      X-WebKit-CSP: default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;

      This X-WebKit-CSP header is one that Chrome has added experimental support for, so it reads the rules and enforces them. It won’t let any content be loaded into the page except from the sites listed. Social Fixer connects back to SocialFixer.com to load some resources, such as:

      • Setup Wizard
      • Check for updates
      • Tips of the Day
      • Important Messages
      • Theme list
      • Theme content (in some cases)

      So any time Social Fixer tried to connect back to my site to load those things, Chrome would throw up this very cryptic error. Only by inspecting the console could I tell that the root cause was actually a violation of the Content Security Policy. After some confusion and some inspecting, I discovered that Facebook was sending the X-WebKit-CSP header, which was causing the problem. Apparently they only send it if you are using Chrome 21-23, so users of Chrome 24 (beta) aren’t affected!
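
Why the policy blocks these requests can be checked mechanically. The following JavaScript is an added example, not Social Fixer's or Chrome's code: a simplified source-list matcher run against the default-src, style-src and connect-src parts of the header quoted above. The sample URLs and their paths are constructed.

```javascript
// Added example: a simplified CSP source-list matcher (scheme, wildcard host,
// port). Not Chrome's implementation; quoted keywords are ignored.
// Policy text copied from the header quoted above; script-src omitted for brevity.
const POLICY = [
  "default-src *",
  "style-src * 'unsafe-inline'",
  "connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net " +
    "http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net " +
    "ws://*.facebook.com:* http://*.akamaihd.net",
].join(";");

// Split "name src1 src2;name2 ..." into { name: [src1, src2], ... }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression cover the URL? pageScheme applies when the
// expression has no scheme; explicit default ports are not normalised.
function sourceMatches(expr, url, pageScheme) {
  if (expr === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/']+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // 'unsafe-inline', 'unsafe-eval' and similar keywords
  const [, scheme = pageScheme, host, port = ""] = m;
  if (url.protocol !== scheme.toLowerCase() + ":") return false;
  const name = url.hostname.toLowerCase();
  const hostOk = host.startsWith("*.")
    ? name.endsWith(host.slice(1).toLowerCase()) // "*.a.com" needs a subdomain
    : name === host.toLowerCase();
  return hostOk && (port === "*" || url.port === port);
}

// A directive that is absent falls back to default-src; no policy means allowed.
function isAllowed(policy, directive, target, pageScheme = "https") {
  const directives = parsePolicy(policy);
  const sources = directives[directive] || directives["default-src"];
  if (!sources) return true;
  const url = new URL(target);
  return sources.some((expr) => sourceMatches(expr, url, pageScheme));
}

// Constructed sample URLs; the paths are placeholders.
const samples = ["https://socialfixer.com/tips", "https://graph.facebook.com/me"];
for (const u of samples) console.log(u, isAllowed(POLICY, "connect-src", u));
```

Because connect-src is listed explicitly, the permissive `default-src *` no longer applies to XHR, which is why a request to a host outside the list fails while directives that are not listed still fall back to the wildcard.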

                Although Chrome correctly supports the Content Security Policy standard, these rules should not apply to Chrome Extensions. So, this behavior is actually a bug in Chrome. Fortunately, a bug report has already been filed and a fix is coming.

                Since I can’t wait for a new release of Chrome, I needed to find a fix. Fortunately, it wasn’t complicated – by moving the cross-domain ajax requests into the background script (a feature of Chrome Extensions) they were no longer executed under the policy of the Page from Facebook. No functionality is lost, though a little bit of complexity is introduced. I had actually moved away from the background page model a while ago because that is the preferred way to create extensions. So this is a bit of a regression, but hopefully I can undo it once Chrome 24 is widely used.
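
The workaround described above, as an added example rather than Social Fixer's own code: the content script hands the URL to the background script, which performs the request outside the page's policy. It assumes today's `chrome.runtime` messaging API; the message shape, the allowlist and the function names are hypothetical. The background side vets every request so the relay only fetches from the extension's own site.

```javascript
// Added example; message shape, allowlist and function names are hypothetical.
// In a real extension the relay lives in the background script and remoteGet
// in the content script; they share one file here so the block runs stand-alone.
const ALLOWED_HOSTS = new Set(["socialfixer.com"]);

// Return the normalised URL if the background script may fetch it, else null.
function vetRequest(message, sender, extensionId) {
  if (!message || message.type !== "remote-get") return null;
  if (!sender || sender.id !== extensionId) return null; // only our own scripts
  let url;
  try {
    url = new URL(String(message.url));
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null; // no embedded credentials
  return url.href;
}

// Background script: the request runs here, not under the page's policy.
function registerRelay(chromeApi, fetchImpl) {
  chromeApi.runtime.onMessage.addListener((message, sender, sendResponse) => {
    const url = vetRequest(message, sender, chromeApi.runtime.id);
    if (!url) {
      sendResponse({ ok: false, error: "rejected" });
      return false;
    }
    fetchImpl(url, { credentials: "omit" })
      .then((res) => res.text())
      .then((body) => sendResponse({ ok: true, body }))
      .catch((err) => sendResponse({ ok: false, error: String(err) }));
    return true; // keep the channel open for the asynchronous sendResponse
  });
}

// Content script: ask the background script instead of issuing XHR in the page.
function remoteGet(chromeApi, url, callback) {
  chromeApi.runtime.sendMessage({ type: "remote-get", url }, callback);
}

// Register only when running inside an extension.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  registerRelay(chrome, fetch);
}
```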

                Whew! So, to summarize:

                • Google Chrome implemented an improved security model
                • But they kind of messed it up for extensions
                • Facebook locked down their resource security by adding headers that affect Chrome
                • Social Fixer’s attempt to connect back to my site caused an error because of Facebook’s new header, and Chrome’s improper handling of it.

                This was not an easy nut to crack, and the error has been around a while for some users. It wasn’t until it became widespread that it became a serious problem, and I had to dedicate a number of hours to figuring out the cause and the fix. Luckily, a work-around was possible.

                      I hope that helps you understand what this was all about, and I hope it reassures some people that the error was not due to a problem in Social Fixer, but rather a Chrome problem made visible by a Facebook code change.

                      Matt Kruse, author of Social Fixer