Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 5702427.
`page.evaluate(message.code)` can throw (runtime errors, navigation
during evaluation, invalid code) but had no try/catch, so sendMessage
was never called and autoconsent never received the evalResp — stalling
the consent-detection flow. Fall back to `result: false` on failure,
matching the defensive `.catch(() => {})` pattern already used by
sendMessage.
Made-with: Cursor
page.exposeFunction propagates bindings to every frame, including
cross-origin iframes. A malicious iframe could call
autoconsentSendMessage({type:'eval', code:'…'}) and page.evaluate
would execute that code in the main frame's context, bypassing the
Same-Origin Policy (same pattern as the DuckDuckGo Android UXSS,
CVSS 8.6).
Generate a per-page random nonce and wrap the binding in the top frame
only (window.self === window.top) so every legitimate message carries
it. Child frames keep the raw CDP binding which lacks the nonce, so
their messages are silently rejected by the handler.
Made-with: Cursor

Based on duckduckgo/autoconsent#1152 feedback
Note
Medium Risk
Touches in-page autoconsent message/eval plumbing by adding nonce validation and timeouts, which could affect cookie-consent handling across sites if misconfigured. Changes are scoped and covered by new unit tests for throw/hang/iframe cases.

Overview
Improves the autoconsent integration used by goto’s adblock flow by enabling additional rule modes (`enableGeneratedRules`, `enableHeuristicAction`) and hardening the message bridge. `eval` requests are now nonce-gated to the top frame (preventing child-frame triggered eval) and time-bounded via `p-timeout`, returning `evalResp` with `result: false` on errors/timeouts instead of hanging. Adds unit tests covering thrown evals, hung evals, and iframe-originated eval rejection.

Reviewed by Cursor Bugbot for commit 79e86fa.