Code for syncing state with Kagi Privacy Pass extension #12

Draft
wants to merge 1 commit into
base: main
fvirdia
Collaborator

@fvirdia fvirdia commented Jan 8, 2025

This extension makes the browser send a custom X-Kagi-Authorization header
to kagi.com, to authenticate users even when using incognito mode.
This can enter a "race condition" with the Kagi Privacy Pass extension,
which strips all de-anonymising information sent to kagi.com, such as X-Kagi-Authorization,
whenever "Privacy Pass mode" is in use.

To avoid this race, we let the two extensions communicate, so that this extension removes
(respectively, adds) the header when "Privacy Pass mode" is active (respectively, "PP mode"
is inactive or the other extension is not installed/enabled).

We achieve this synchronization with a simple messaging protocol outlined below:

The Privacy Pass extension will send this extension single messages:

  • When being enabled (installed, activated) reports whether "PP mode" is enabled
  • When activating/deactivating "PP mode"
    Due to Chromium extension limitations, it cannot send a message when uninstalled/deactivated.

The main extension (this one) keeps track of whether the "PP mode" is active or not by keeping state.
This state is updated by the following actions:

  • When this extension is being enabled (installed, activated), it asks the PP extension for the "PP mode".
  • When it receives a status report from the PP extension, updates its state.

Having both extensions send / request the "PP mode" status allows for the following:

  • When both are installed and active, whenever "PP mode" is toggled, this extension is informed and adjusts
  • Whenever one extension is installed, it attempts to sync with the other on whether "PP mode" is active

There is one limitation, due to the PP extension being unable to signal to this one that it was uninstalled.
This means that in theory, one could have a scenario where first PP mode is enabled, this extension removes
X-Kagi-Authorization, and then the PP extension is uninstalled. In Incognito mode, where the kagi_session
cookie is not sent by the browser, this would cause failed authentication with Kagi.

Possible solutions:

  1. Have PP extension open a URL on uninstall, that signals this extension to update the header. This is possible
    but it means adding an extra new tab on uninstall.
  2. Have this extension periodically poll whether the other one was uninstalled. This adds needless communication.
    Polling only when applying the header is not sufficient (as the PP extension could be uninstalled without
    webRequest.onComplete being triggered).

In practice neither of these solutions seems necessary. Instead, we have this extension poll the PP extension every
time it checks whether to apply the header. This means that even in the case where the PP extension is uninstalled while
PP mode was set on, at most one query to kagi.com will fail to authenticate. Such query will then trigger webRequest.onComplete,
which will then find out the PP extension was uninstalled, and hence reinstate X-Kagi-Authorize.
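
The state handling described in the comment above, modeled as an added example that is not part of the pull request or the extension's code. `HeaderSync`, `queryPeer` and `uninstallScenario` are hypothetical names, and the cross-extension message is assumed to be a synchronous callback that throws when the Privacy Pass extension is absent (the real transport is asynchronous).

```javascript
// Added example: models the sync logic from the PR description, not the extension's code.
// queryPeer is a hypothetical stand-in for the cross-extension message; it returns
// { ppMode: boolean } or throws when the Privacy Pass extension is absent.
class HeaderSync {
  constructor(queryPeer) {
    this.queryPeer = queryPeer;
    this.ppModeActive = false; // default: send X-Kagi-Authorization
    this.refresh();            // on enable, ask the PP extension for its mode
  }

  // Status report pushed by the PP extension (on enable or on toggle).
  onPeerReport(ppMode) {
    this.ppModeActive = Boolean(ppMode);
  }

  // Poll the PP extension; an unreachable peer counts as "PP mode inactive".
  refresh() {
    try {
      this.ppModeActive = Boolean(this.queryPeer().ppMode);
    } catch (err) {
      this.ppModeActive = false;
    }
  }

  // The header is attached only while PP mode is inactive.
  headerAttached() {
    return !this.ppModeActive;
  }

  // One request: the header rule in force is applied, then the completion
  // handler polls the peer, so a stale rule affects at most this request.
  request() {
    const sentHeader = this.headerAttached();
    this.refresh();
    return sentHeader;
  }
}

// Constructed scenario: PP mode is on, then the PP extension is uninstalled.
function uninstallScenario() {
  const peer = { installed: true, ppMode: true };
  const sync = new HeaderSync(() => {
    if (!peer.installed) throw new Error("peer unreachable");
    return { ppMode: peer.ppMode };
  });
  const before = sync.request(); // false: PP mode active, header stripped
  peer.installed = false;        // uninstall sends no message
  const first = sync.request();  // false: stale state, this request fails auth
  const second = sync.request(); // true: completion poll reinstated the header
  return { before, first, second };
}
```

The scenario shows the bound stated in the description: only the single request issued between the uninstall and the next completion poll goes out without the header.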
