Opened on 11/23/2016 at 11:12:59 AM
Closed on 03/16/2017 at 09:40:02 AM
#4664 closed defect (duplicate)
Brightcove player crashes in Chrome with Adblock plus on jpost.com
Reported by: | strashila | Assignee: | |
---|---|---|---|
Priority: | Unknown | Milestone: | |
Module: | Platform | Keywords: | |
Cc: | kzar, sebastian, mapx | Blocked By: | |
Blocking: | | Platform: | Chrome |
Ready: | no | Confidential: | no |
Tester: | Unknown | Verified working: | no |
Review URL(s): | | | |
Description
Environment
Windows 8.1 and 10, Chrome Version 54.0.2840.99, Adblock plus Version 1.12.4
How to reproduce
- Open Chrome with Adblock plus, go to http://b2.jpost.com/TestEmbed.aspx, see the Brightcove player crash
Observed behaviour
We're having a very specific issue on the jpost.com website, where the Brightcove player crashes in Chrome with Adblock Plus. No matter if Adblock is enabled or disabled, the playback crashes. As I said, this is a very specific problem, which happens on jpost.com only in Chrome and with Adblock. If you try to watch this page in incognito, everything works as desired.
example: http://b2.jpost.com/TestEmbed.aspx
Expected behaviour
Brightcove player should not crash, player ads should be displayed if Adblock plus is disabled, and blocked if it's enabled in the browser
I can reproduce. Adblock Plus injects a Content Security Policy adding restrictions due to this filter in EasyList:
That CSP then blocks a blob iframe (or similar) which then results in the player's error message being displayed. (I notice the sound continues to play, perhaps the player could be improved so that when the blob iframe is blocked the error isn't displayed?)
The problem does not happen when that filter is removed. However, like you mentioned, the problem does occur when the domain is whitelisted. Looking at the code, we don't check if the domain is whitelisted before injecting the CSP.
In the codereview for the CSP change we already decided that the combination of sitekey whitelisting with CSP filters is not likely enough to worry about. Perhaps domain whitelisting is important enough to worry about, however. What do you think, Sebastian?
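The missing whitelist check described in the comment above, as an added example that is not part of the ticket or of Adblock Plus's own code. The rule objects, domains, policy string and function names are constructed for illustration, and the blob: check models only the frame-src, child-src, default-src fallback.

```javascript
// Constructed rules in a simplified form (not real EasyList entries).
const rules = [
  {type: "csp", domain: "news.example", csp: "child-src 'self' https:"},
  {type: "csp", domain: "video.example", csp: "child-src 'self' https:"},
  {type: "whitelist-document", domain: "video.example"}
];

// True when hostname is the domain itself or one of its subdomains.
function hostMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// CSP values that would be injected for a document.
// checkWhitelist=false models the behaviour reported in the ticket.
function cspToInject(documentUrl, ruleList, checkWhitelist) {
  const {hostname} = new URL(documentUrl);
  const whitelisted = ruleList.some(
    r => r.type === "whitelist-document" && hostMatches(hostname, r.domain));
  if (checkWhitelist && whitelisted)
    return [];
  return ruleList
    .filter(r => r.type === "csp" && hostMatches(hostname, r.domain))
    .map(r => r.csp);
}

// Would a blob: frame load under this policy? Frames are governed by
// frame-src, then child-src, then default-src; blob: must be listed explicitly.
function blobFrameAllowed(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name))
      directives.set(name, sources);
  }
  for (const name of ["frame-src", "child-src", "default-src"]) {
    if (directives.has(name))
      return directives.get(name).includes("blob:");
  }
  return true; // no directive restricts frames
}

// A blob-based player frame loads only if every injected policy allows it.
function blobPlayerWorks(documentUrl, ruleList, checkWhitelist) {
  return cspToInject(documentUrl, ruleList, checkWhitelist).every(blobFrameAllowed);
}
```

With `checkWhitelist` set to false, the whitelisted `video.example` still receives the policy and its blob: frame is refused; with it set to true, nothing is injected there while `news.example` keeps its restriction.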