Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

exclude javascript snippet from results if required evidence was present #113

Open
justadreamer opened this issue Jul 5, 2024 · 0 comments
Open

exclude javascript snippet from results if required evidence was present #113

justadreamer opened this issue Jul 5, 2024 · 0 comments
Assignees
@justadreamer
Labels
type: feature-request New feature

Comments

@justadreamer
Copy link
Contributor

Motivation

Performance improvement, latency reduction: reduce response payload size, remove redundant client-side javascript execution, omit unnecessary network calls.

Objective

Suppress javascripgethighentropyvalues and similar snippets from output in case relevant evidence is already present.

Background

There are javascript snippet properties s.a. f.e. javascriptgethighenropyvalues that are a fallback and serve a purpose of digging out evidence on the client side that has not been sent in the original request. In the current implementation this property will be returned as part of the results (for the relevant browser profiles) regardless of whether the evidence that it has to dig has already been sent in the request.

In the case of javascripgethighentropyvalues the evidence it would dig out is:

  • sec-ch-ua-platformversion
  • sec-ch-ua-model
  • sec-ch-ua-full-version-list

If this evidence has already been present in the request, javascriptgethighentropyvalues would still be served, execute on the client side and make a redundant request sending this evidence again...

An attempt to implement it has been made as part of this PR: #82 however it is hardcoding both the snippet name and evidence header name to check which is not ideal and not dynamic enough a solution.

Solution outline

  1. The snippets must be amended with a directive-comment that would contain a list of evidence that must have been present to skip this snippet, s.a. f.e. this for javascriptgethighentropyvalues
// 51D skip if: sec-ch-ua-model, sec-ch-ua-platform-version, sec-ch-ua-full-version-list

  1. Whenever this comment is encountered in the beginning of the snippet - the code must parse it and check if the corresponding headers were present in the evidence...

  2. If they were - then suppress the property (remove it from results).

Alternative solution ideas

The check obviously must be implemented after the profile retrieval and maybe iterating, parsing and checking all the JS properties in the profile is going to be a performance drain..

Thus perhaps a trade off solution may be to still serve the snippet in the response, but implement this check on the level of javascript-templates - where a client side javascript would retrieve that directive comment and check if the evidence has been provided. For that the provided evidence must be echoed as part of the response in the javascript-template so it can decide whether to execute this snippet or evidence has already been sent...

The trade off implementation seems to be easier to achieve and safer.
jwrosewell added a commit that referenced this issue Oct 23, 2024
@jwrosewell
FEAT: Addresses #113 where GetHighEntropyValues JavaScript property v…
df64eee 
…alues must not return JavaScript when the required evidence is already present. Needed to improve performance.

Only executed when the JavascriptGetHighEntropyValues property is a required property that can be returned.
The Accept-CH properties in the DataSet are used to identify the headers that are needed for UACH/GHEV functionality. These are parsed during initialisation and stored in the device detection data set.
After evidence based device detection a check is performed to determine if the evidence contains all the UACH/GHEV fields. If it does then the value returned for a subsequent call JavascriptGetHighEntropyValues will be an empty string.
GettingStarted for C has been updated to better show the unpacking of evidence values to form other evidence values such as pseudo headers and UACH headers from base64.
@jwrosewell jwrosewell mentioned this issue Oct 23, 2024
Merged
justadreamer pushed a commit that referenced this issue Oct 24, 2024
@jwrosewell @justadreamer
FEAT: Addresses #113 where GetHighEntropyValues JavaScript property v…
8ae20e7 
…alues must not return JavaScript when the required evidence is already present. Needed to improve performance.

Only executed when the JavascriptGetHighEntropyValues property is a required property that can be returned.
The Accept-CH properties in the DataSet are used to identify the headers that are needed for UACH/GHEV functionality. These are parsed during initialisation and stored in the device detection data set.
After evidence based device detection a check is performed to determine if the evidence contains all the UACH/GHEV fields. If it does then the value returned for a subsequent call JavascriptGetHighEntropyValues will be an empty string.
GettingStarted for C has been updated to better show the unpacking of evidence values to form other evidence values such as pseudo headers and UACH headers from base64.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@justadreamer justadreamer

Labels
type: feature-request New feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@justadreamer