Hi i have installed and tested the extension and i have realized that in some websites where i have account with this extension enabled i cant make login always return username or password wrong when i disable the extension i can make login again with the same credentials.

Hi. Thanks for the revelations. 👍️

Is there any chance this add-on will get approved soon?

I uploaded the zip to Mozilla for private use approval and got warnings:

I tried it as a temporary extension, but I didn't see any blocking. But that could be due to uBlock Origin and my hosts file?

Creating this issue to track the progress of publishing the add-on to AMO. The code for that effort lives here: https://github.com/leaky-forms/leak-inspector/tree/development

Gets rid of all CSP warnings from issue #9 by inlining all .html fragments into popup.html, eliminating the dependency on jquery.load() from popup.js, and thus any need for base.js.

Any idea why the setter in the overridden input element value property is commented out here (line 18)?

The result is that if any script tries to set the value of an input field, it'll throw an error: Uncaught TypeError: setting getter-only property "value" (i.e. by not providing a setter, it breaks existing functionality)

I tried simply removing the comment, and it resolved the error and didn't seem to have any ill effect on Leak Inspector. So, curious if there's a reason why it's been commented out.

https://github.com/leaky-forms/leak-inspector/blob/0842396106b692ae48b4997514f32b70ea1aeadd/page_scripts/page_script.js#L9-L20

Seeing an intermittent error:

TypeError: currentTab is undefined

pointing to line 245 in popup.js: https://github.com/leaky-forms/leak-inspector/blob/b0633c03082b90df3deb2326ba8412d32d4f82cb/extension_ui/js/popup.js#L244-L245

Quite sure it was introduced by pull request #12

I suspect it's caused by the fact that this code is now executing sooner because it no longer needs to wait on the two (removed) jquery.load() calls that were dynamically loading html fragments. Therefore sometimes beating the async method that populates currentTab:

https://github.com/leaky-forms/leak-inspector/blob/b0633c03082b90df3deb2326ba8412d32d4f82cb/extension_ui/js/popup.js#L1-L3

I know that uploading the extension to the Chrome Store doesn’t allow that, but publishing an extension to upload yourself will be accepted. I use developer mode all the time and install lots of extensions that are currently not on the Chrome Store.

Fixes issue #15, an intermittent error that occurs when the DOMContentLoaded event handler executes before the currentTab variable is initialized (within an async function).

Does this by attaching or directly calling the event handler (depending on document.readyState) from within the async function, after the variable has been initialized.

The description in the README says attempts to publish to the Chrome Web Store failed suggests that you have a Chrome extension already. It would be great to make that available for manual loading for those of us willing to do so.

Instructions are here https://www.cnet.com/tech/services-and-software/how-to-install-chrome-extensions-manually/

This is a proposed behavior change to only increment the sniff count once, per distinct "sniff-domain/sniffed-field".

The change alters the "inputSniffed" message handler to -update- (rather than -insert-) sniff details, if the domain+fieldName+xpath already exists. Included is a modification to setBadge() to display the sniff count when the badge is yellow (i.e. when there are sniffs, but no leaky requests).

Enhancements to setBadge behavior:

• do not display a count if (at the time the page is loaded) the extension is toggled off
• set the background color: green (no sniffs or leaky requests detected) yellow (sniffs detected, but no leaky requests) red (leaky requests detected)

NOTE: this did require adding a new call to the setBadge() method for "inputSniffed" messages

Hi Team,

I've found that one particular site (for paying medical bills in US) that I use showed leaking plain-text passwords, although the connection of this site to another site (for login purposes) is through https. Also excuse my naivitete, I do not claim to know anything about security, privacy, so might be just fine..

In any case it dispalayed to me Requests exfiltrating personal data extracted from web forms for both email/password, and in Chrome Developer ToolBox - I could see in plaintext my user/password.

My question really is - is there an appropriate way to report these without affecting other users? After all I have to use this service, and not sure how they can be reached to fix it.

(Since I can't use the chrome web store to install the plugin, I've installed it directly from a folder I've "git cloned")

Thank you!

We should have tests covering (at least) the basic functionality such as sniff detection and leaky request blocking. The simplest way could be to use Selenium, similar to Privacy Badger: https://github.com/EFForg/privacybadger/tree/master/tests

Unfortunately Playwright doesn't (yet) support Firefox add-ons: https://github.com/microsoft/playwright/issues/7297