metamask-extension/app/scripts/runLockdown.js

// Freezes all intrinsics
try {
  // eslint-disable-next-line no-undef,import/unambiguous
  lockdown({
    consoleTaming: 'unsafe',
    errorTaming: 'unsafe',
    mathTaming: 'unsafe',
    dateTaming: 'unsafe',
  })
} catch (error) {
  // If the `lockdown` call throws an exception, it interferes with the
  // contentscript injection on some versions of Firefox. The error is
  // caught and logged here so that the contentscript still gets injected.
  // This affects Firefox v56 and Waterfox Classic
  console.error('Lockdown failed:', error)
  if (window.sentry && window.sentry.captureException) {
    window.sentry.captureException(error)
  }
}
Add SES lockdown to extension webapp (#9729) * Freezeglobals: remove Promise freezing, add lockdown * background & UI: temp disable sentry * add loose-envify, dedupe symbol-observable * use loose envify * add symbol-observable patch * run freezeGlobals after sentry init * use require instead of import * add lockdown to contentscript * add error code in message * try increasing node env heap size to 2048 * change back circe CI option * make freezeGlobals an exported function * make freezeGlobals an exported function * use freezeIntrinsics * pass down env to child process * fix unknown module * fix tests * change back to 2048 * fix import error * attempt to fix memory error * fix lint * fix lint * fix mem gain * use lockdown in phishing detect * fix lint * move sentry init into freezeIntrinsics to run lockdown before other imports * lint fix * custom lockdown modules per context * lint fix * fix global test * remove run in child process * remove lavamoat-core, use ses, require lockdown directly * revert childprocess * patch package postinstall * revert back child process * add postinstall to ci * revert node max space size to 1024 * put back loose-envify * Disable sentry to see if e2e tetss pass * use runLockdown, add as script in manifest * remove global and require from runlockdown * add more memory to tests * upgrade resource class for prep-build & prep-build-test * fix lint * lint fix * upgrade remote-redux-devtools * skillfully re-add sentry * lintfix * fix lint * put back beep * remove envify, add loose-envify and patch-package in dev deps * Replace patch with Yarn resolution (#9923) Instead of patching `symbol-observable`, this ensures that all versions of `symbol-observable` are resolved to the given range, even if it contradicts the requested range. Co-authored-by: Mark Stacey <markjstacey@gmail.com> 2020-11-24 04:26:43 +01:00			`// Freezes all intrinsics`
Fix contentscript injection failure on Firefox 56 (#10034) On Firefox 56 and Waterfox Classic, our `runLockdown.js` script throws an error. This is fine on the HTML pages, as the next script tags still get run without issue (though they don't benefit from the SES lockdown sadly). But in the `contentscript`, an exception thrown here appears to halt the execution of subsequent scripts. To prevent the `contentscript` from crashing completely, lockdown errors are now caught and logged. They are also logged to Sentry on the pages where Sentry is setup. 2020-12-10 18:33:04 +01:00			`try {`
			`// eslint-disable-next-line no-undef,import/unambiguous`
			`lockdown({`
			`consoleTaming: 'unsafe',`
			`errorTaming: 'unsafe',`
			`mathTaming: 'unsafe',`
			`dateTaming: 'unsafe',`
			`})`
			`} catch (error) {`
			// If the `lockdown` call throws an exception, it interferes with the
			`// contentscript injection on some versions of Firefox. The error is`
			`// caught and logged here so that the contentscript still gets injected.`
			`// This affects Firefox v56 and Waterfox Classic`
			`console.error('Lockdown failed:', error)`
			`if (window.sentry && window.sentry.captureException) {`
			`window.sentry.captureException(error)`
			`}`
			`}`