Brave blocks extensions when verifying wallet

[Valinwolf]

Description

Extensions are blocked, regardless of user consent, on Uphold when trying to verify your Brave Wallet. This has a negative impact for people using extension-based password managers like Bitwarden or Lastpass because that means they have to log into uphold before you can verify your wallet.

Steps to Reproduce

1. Log out of uphold if you are already logged in
2. Go to reward settings and click verify wallet
3. Notice all extensions with website access are disabled and cannot be re-enabled

Actual result:

Users cannot override the disabling of extensions

Expected result:

Users can accept a disclaimer to allow an extension to run.

Reproduces how often:

Every time without falter

Brave version (brave://version info)

Brave | 0.72.56 Chromium: 77.0.3865.90 (Official Build) unknown (64-bit)
-- | --
Revision | 58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS | Linux
JavaScript | V8 7.7.299.11
Flash | (Disabled)
User Agent | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Command Line | /usr/lib/brave-nightly-bin/brave --disable-chrome-google-url-tracking-client --disable-domain-reliability --disable-features=AudioServiceOutOfProcess,AutofillServerCommunication,LookalikeUrlNavigationSuggestionsUI,UnifiedConsent --enable-dom-distiller --enable-features=NewExtensionUpdaterService,WebUIDarkMode,SimplifyHttpsIndicator --extensions-install-verification=enforce --no-pings --extension-content-verification=enforce_strict --enable-features=SimplifyHttpsIndicator,WebUIDarkMode,NewExtensionUpdaterService --disable-features=UnifiedConsent,LookalikeUrlNavigationSuggestionsUI,AutofillServerCommunication,AudioServiceOutOfProcess --flag-switches-begin --allow-insecure-localhost --extension-content-verification=enforce --load-media-router-component-extension=1 --pull-to-refresh=2 --enable-features=SimplifyHttpsIndicator,WebUIDarkMode,NewExtensionUpdaterService,CloudPrinterHandler,HistoryManipulationIntervention,IntentPicker,LazyFrameLoading,LazyImageLoading,MarkHttpAs,NativeNotifications,OmniboxMaterialDesignWeatherIcons,OmniboxRichEntitySuggestions,OmniboxSpeculativeServiceWorkerStartOnQueryInput,OmniboxSuggestionTransparencyOptions,OmniboxUIExperimentHideSteadyStateUrlPathQueryAndRef,OmniboxUIExperimentShowSuggestionFavicons,ParallelDownloading,SaveEditedPDFForm,ScrollableTabStrip,WebRtcHideLocalIpsWithMdns --disable-features=UnifiedConsent,LookalikeUrlNavigationSuggestionsUI,AutofillServerCommunication,AudioServiceOutOfProcess,AutomaticPasswordGeneration,HappinessTrackingSurveysForDesktop,TabGroups,WebRtcRemoteEventLog --flag-switches-end
Executable Path | /usr/lib/brave-nightly-bin/brave
Profile Path | /home/wolf/.config/BraveSoftware/Brave-Browser/Default
Variations | aacdc39d-70ea8f252729b628-70ea8f25

Version/Channel Information:

• Can you reproduce this issue with the current release? Unknown
• Can you reproduce this issue with the beta channel? Unknown
• Can you reproduce this issue with the dev channel? Unknown
• Can you reproduce this issue with the nightly channel? Yes

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields? No
• Does the issue resolve itself when disabling Brave Rewards? Uh... Not applicable?
• Is the issue reproducible on the latest version of Chrome? Not applicable

Miscellaneous Information:

[fmarier]

This was done in #4928 to prevent any malicious extensions from hijacking user wallets.

To re-enable individual extensions on the protected Uphold pages:

1. Right-click on the password manager icon.
2. Select "This can read and write site data".
3. Select "On uphold.com".

This should unblock the icon and make it clickable. One can then repeat steps 1 and 2 and then move it back to "On all sites".

[fmarier]

Some ideas of follow-ups:

• document how to re-enable extensions on https://support.brave.com
• whitelist the most popular password manager extensions

[Valinwolf]

@fmarier I tried that, but it does not work.

[szaimen]

@fmarier I don't know, if it is an upstream issue or a password-manager-extension-issue but for me it worked, after I followed these steps:

1. Right-click on the password manager icon.
2. Select "This can read and write site data"
3. Select "When you click on the extension" or "On uphold.com".
4. Right-click on the password manager icon again.
5. Select "This can read and write site data" again.
6. Select "On all sites"

afterwards it worked on uphold.com but only until I reload the website. If I reload the website, I then have to do these steps again to use the password-manager-extension on uphold.com.

BTW: this issue is also happening on other websites and for e.g. the pocket extension: when I choose one of the following options for this extension: "When you click on the extension" or "On just one specific website", the extension doesn't work. For me only the option "On all sites" works reliably. So it seems like an upstream issue...

[szaimen]

@fmarier I would like to see Enpass and SafeInCloud beeing included here. (These are good password managers that aren't based on subscriptions)
Thank you for your work!
Please pink me if you need links to their websites or chrome webstore extensions.

[rebron]

cc: @mandar-brave

[kjozwiak]

@fmarier @rebron should this be closed as brave/brave-core#3685 landed into 0.73.x which exempts password managers but still blocks other extensions? Is there any other work that needs to land before closing this issue?

[fmarier]

My PR is only a temporary work-around until we decide how to deal properly with this issue. We don't want to be stuck whitelisting password managers forever.

[Valinwolf]

@fmarier that is a fair point, but how can it be accurately determined whether it's a password manager without vetting? Perhaps if the APIs were changed to make it integrated into the browser's password manager so it just takes the place but that would be in Google's Department. Though that would be really nice, because it would make a more unified interface regardless of what password manager you choose to be your storage system. Maybe I'll open an issue for this on Chromium...

[fmarier]

During today's bug triage, we decided to relax the extension restrictions:

1. keep the restrictions on the webRequest API
2. remove restrictions on content script injections (hence remove the temporary whitelist that was added in Exempt password managers from the Uphold content script restrictions brave-core#3685)

[evq]

@fmarier has informed me that there have been recent changes for the worse in the upstream chromium UI that we were using to implement the user override. :( Keeping this in mind and given that we're keeping the webrequest protection in place, removing the content script restrictions seems like a reasonable compromise.

[GeetaSarvadnya]

Verification passed on

Brave	1.4.89 Chromium: 80.0.3987.106 (Official Build) beta (64-bit)
Revision	f68069574609230cf9b635cd784cfb1bf81bb53a-refs/branch-heads/3987@{#882}
OS	Windows 10 OS Version 1803 (Build 17134.1006)

• Verified the test plan from Remove content script restrictions on Uphold brave-core#4057
• Tested using https://github.com/fmarier/webrequest-demo:

https://sandbox.uphold.com/something redirects to fmarier.org

https://fmarier.org/?orig=https://sandbox.uphold.com/404 redirects to https://sandbox.uphold.com/authorize/404

https://api.uphold.com/oauth2/token redirects to Wayback machine check

• Tested using https://github.com/fmarier/contentscript-demo:

https://sandbox.uphold.com/something redirects to uphold popup

https://sandbox.uphold.com/authorize/blah redirects to screens below

https://api.uphold.com/oauth2/token redirects to screen below

• Tested using uphold.com

https://uphold.com/something redirects to screen below

https://uphold.com/authorize/blah redirects to screens below

Verification passed on

Brave	1.4.93 Chromium: 80.0.3987.116 (Official Build) (64-bit)
Revision	dc00a510e4c2ae25c4d084cc3d946fc782249224-refs/branch-heads/3987@{#917}
OS	Linux

• Verified the test plan from Remove content script restrictions on Uphold brave-core#4057
• Tested using https://github.com/fmarier/webrequest-demo:

https://sandbox.uphold.com/something redirects to fmarier.org

https://fmarier.org/?orig=https://sandbox.uphold.com/404 redirects to https://sandbox.uphold.com/authorize/404

https://api.uphold.com/oauth2/token redirects to Wayback machine check

• Tested using https://github.com/fmarier/contentscript-demo:
  https://sandbox.uphold.com/something redirects to uphold popup
  

https://sandbox.uphold.com/authorize/blah redirects to screens below

https://api.uphold.com/oauth2/token redirects to screen below

• Tested using uphold.com
  https://uphold.com/something redirects to screen below
  

https://uphold.com/authorize/blah redirects to screens below

Verification PASSED on macOS 10.15.3 x64 using the following build:

Brave	1.4.93 Chromium: 80.0.3987.116 (Official Build) (64-bit)
Revision	dc00a510e4c2ae25c4d084cc3d946fc782249224-refs/branch-heads/3987@{#917}
OS	macOS Version 10.15.3 (Build 19D76)

webrequest cases:

• ensured that visiting https://sandbox.uphold.com/something --> https://fmarier.org/?orig=https://sandbox.uphold.com/something
• ensured that visiting https://sandbox.uphold.com/authorize/blah --> https://fmarier.org/?orig=https://sandbox.uphold.com/404
• ensured that visiting https://api.uphold.com/oauth2/token doesn't redirect to https://fmarier.org

contentScript cases:

Using Uphold staging:

Using Uphold production: