Firefox no longer detecting MetaMask as installed #2061

Closed
tayvano opened this issue Jul 13, 2018 · 11 comments
Labels
status: blocks next release Open PR's that are of the highest priority to get into the next release. type: issue Items that document a problem or bug with an existing feature.


@tayvano
Contributor

tayvano commented Jul 13, 2018

Description of the Issue

When you attempt to unlock via MetaMask on Firefox, the box stays as "Web3" and it tells you to install MetaMask (even when MetaMask is already installed and unlocked).

May be related to the new CSP policies, especially as it seems like there is another discrepancy in how Firefox handles CSP policies: https://bugzilla.mozilla.org/show_bug.cgi?id=1262842

Steps to Reproduce

  • Have MetaMask installed with an account there that is unlocked

  • Go to https://mycrypto.com/account

  • Click on "Web3"

  • Click Connect

  • Returns error "Web3 not found. Please check that MetaMask is installed"

Description of Your Machine

Mac, Firefox v 61.0.1 (64-bit)

Console Logs / Screenshots

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: !function(){return function t(e,r,n){fun....
Source map error: TypeError: NetworkError when attempting to fetch resource.
Resource URL: moz-extension://9637b80a-2146-7f41-9ec0-cf9673de6f06/contentscript.js
Source Map URL: ../sourcemaps/contentscript.js.map[Learn More] 

@tayvano
Contributor Author

tayvano commented Jul 16, 2018

The change was due to feedback from our security audit:

MC-01-002 Web: CSP is Largely Ineffective against XSS (Medium)

It was found that the CSP on MyCrypto.com uses unsafe values for directive script-src, more specifically, unsafe-inline and unsafe-eval. The former allows the execution of unsafe in-page scripts and event handlers, while the latter allows the execution of code injected into DOM APIs such as eval(). As a result, an attacker with the ability to inject JavaScript into the context of MyCrypto's origin will not be hindered by the CSP in any notable way.

Current CSP Configuration:

default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; manifest-src 'self'; font-src 'self'; img-src 'self' data: https://shapeshift.io; connect-src *;

The CSP rules in their current stage must be mostly considered useless and they only add weight to the overall footprint tied to every HTTP request. It is recommended to remove the permissions for unsafe-eval and unsafe-inline.

Mozilla CSP bug tracker:

Examples of FF Extensions trying to fix the issue on their end (could be something we ask MetaMask to change, if we have a solid fix in mind):

I think the choice we have to make is:

  • Update our CSP to something that is still safe AND that still allows this to work in FF (unsure if this combination exists)

  • PR something to MetaMask so that it doesn't trigger CSPs (if we can figure out what that PR would be)
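
As an added example (not part of the issue thread or MyCrypto's code), the following JavaScript parses the policy quoted in the audit finding and reports the script-src weaknesses the finding describes. The function names and the hardened variant of the policy are assumptions made for illustration.

```javascript
// Added example: audit a CSP string for script-execution weaknesses.
// Function names and HARDENED_CSP are illustrative assumptions, not MyCrypto code.

// Policy exactly as quoted in the audit finding.
const AUDITED_CSP =
  "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
  "worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; manifest-src 'self'; " +
  "font-src 'self'; img-src 'self' data: https://shapeshift.io; connect-src *;";
// Constructed: same policy with the two script-src keywords removed.
const HARDENED_CSP = AUDITED_CSP.replace(" 'unsafe-inline' 'unsafe-eval'", "");

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditScriptSrc(policy) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = directives.get("script-src") || directives.get("default-src");
  if (!sources) return ["no script-src or default-src: scripts are unrestricted"];
  const lower = sources.map((s) => s.toLowerCase());
  const findings = [];
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("'unsafe-inline': inline scripts and event handlers execute");
  if (lower.includes("'unsafe-eval'"))
    findings.push("'unsafe-eval': eval() and similar string-to-code APIs are allowed");
  for (const s of lower)
    if (s === "*" || s === "data:" || s === "http:" || s === "https:")
      findings.push(`${s}: overly broad script source`);
  return findings;
}

console.log("audited :", auditScriptSrc(AUDITED_CSP));
console.log("hardened:", auditScriptSrc(HARDENED_CSP));
```
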

@tayvano
Contributor Author

tayvano commented Jul 17, 2018

Interim solution: display useful error message if on Firefox and the user selects "Web3"

Something like:

We're sorry. Firefox + MetaMask + our content security policies don't play nicely together. We are working on a solution. In the meantime, please use Google Chrome w/ MetaMask.

(suggestions on copy welcome)

@SharonManrique
Contributor

Added to Asana

@MicahZoltu

As a user, being told to install MetaMask when I already had MetaMask installed and unlocked was a frustrating experience. If I had been told that Firefox + MetaMask + MyCrypto doesn't work at the moment (perhaps with a link to a GitHub issue for more details) I would have quickly moved on instead of spending a bunch of time troubleshooting and eventually writing in to your support.

@tayvano
Contributor Author

tayvano commented Oct 23, 2018

Fuck. Thanks for reminding me, Micah.

@tzanko-matev

Hi, are there any updates on this problem? I'm running Firefox 69.0.1 and MetaMask is not detected.

@wtzb
Collaborator

wtzb commented Jan 22, 2020

@tzanko-matev unfortunately, this issue is currently still present. In the meantime, please use Chrome to access MetaMask with MyCrypto.

This issue has been moved to our internal project management system, so closing this.

@primski

primski commented Mar 16, 2022

THIS HAPPENED AGAIN

@primski

primski commented Mar 16, 2022

COULDN'T HAVE BEEN FIXED

@primski

primski commented Mar 16, 2022

FUCK METAMASK WHY IS EVERYBODY USING THIS UNUSABLE PIECE OF SHIT

WTF IS THIS

@tayvano
Contributor Author

tayvano commented Mar 16, 2022

Hiya angry person on the internet!

I just took a look and it appears that MetaMask is still working in Firefox with app.mycrypto.com. If you elaborate on the issue you are experiencing, we may be able to help. Otherwise, wishing you the best of luck.

Thanks!

Tay
