Opened on 11/23/2016 at 11:12:59 AM

Closed on 03/16/2017 at 09:40:02 AM

#4664 closed defect (duplicate)

Brightcove player crashes in Chrome with Adblock plus on jpost.com

Reported by: strashila
Assignee:
Priority: Unknown
Milestone:
Module: Platform
Keywords:
Cc: kzar, sebastian, mapx
Blocked By:
Blocking:
Platform: Chrome
Ready: no
Confidential: no
Tester: Unknown
Verified working: no
Review URL(s):

Description

Environment

Windows 8.1 and 10, Chrome Version 54.0.2840.99, Adblock plus Version 1.12.4

How to reproduce

  1. Open Chrome with Adblock Plus, go to http://b2.jpost.com/TestEmbed.aspx, and see the Brightcove player crash

Observed behaviour

We're having a very specific issue on the jpost.com website, where the Brightcove player crashes in Chrome with Adblock Plus. No matter if Adblock is enabled or disabled, the playback crashes. As I said, this is a very specific problem, which happens on jpost.com only in Chrome and with Adblock. If you try to watch this page in incognito, everything is working as desired.

example: http://b2.jpost.com/TestEmbed.aspx

Expected behaviour

Brightcove player should not crash; player ads should be displayed if Adblock Plus is disabled, and blocked if it's enabled in the browser.

Change History (3)

comment:1 Changed on 11/23/2016 at 02:23:51 PM by mapx

  • Cc kzar sebastian mapx added

comment:2 Changed on 11/25/2016 at 05:31:55 PM by kzar

  • Component changed from Unknown to Platform

I can reproduce. Adblock Plus injects a Content Security Policy adding restrictions due to this filter in EasyList:

$websocket,domain=anime-joy.tv|boards2go.com|celebdirtylaundry.com|celebritymozo.com|collectivelyconscious.net|dailycaller.com|destructoid.com|dumpaday.com|extratorrent.cc|firstrowau.eu|firstrowus1.eu|flash-x.tv|flashsx.tv|flashx.me|flashx.run|flashx.tv|flashx1.tv|flashxx.tv|fmovies.to|free-torrent.org|free-torrent.pw|free-torrents.org|free-torrents.pw|gamenguide.com|gofirstrow.eu|gorillavid.in|gsmarena.com|health-weekly.net|i4u.com|ifirstrow.eu|ifirstrowit.eu|instanonymous.com|itechpost.com|izismile.com|jpost.com|lifehacklane.com|livescience.com|mobilenapps.com|mobipicker.com|natureworldnews.com|navbug.com|ncscooper.com|newsarama.com|nowfeed2all.eu|nowvideo.sx|okceleb.com|omgwhut.com|openload.co|opensubtitles.org|parentherald.com|pornhub.com|postimg.org|putlocker9.com|pwinsider.com|qaafa.com|shorte.st|snoopfeed.com|sportsmole.co.uk|stream-tv-series.net|stream-tv2.to|stream2watch.cc|streamgaroo.com|technobuffalo.com|the-watch-series.to|thevideo.me|thinkinghumanity.com|todayshealth.buzz|tomsguide.com|tomshardware.co.uk|tomshardware.com|tomsitpro.com|toptenz.net|tribune.com.pk|tune.pk|uberhavoc.com|universityherald.com|vidmax.com|vidzi.tv|viewmixed.com|viralands.com|wccftech.com|webfirstrow.eu|whydontyoutrythis.com|wrestlinginc.com|wrestlingnews.co|xilfy.com|yourtango.com

That CSP then blocks a blob iframe (or similar) which then results in the player's error message being displayed. (I notice the sound continues to play, perhaps the player could be improved so that when the blob iframe is blocked the error isn't displayed?)

The problem does not happen when that filter is removed. However, like you mentioned, the problem does occur when the domain is whitelisted. Looking at the code, we don't check if the domain is whitelisted before injecting the CSP.

In the codereview for the CSP change we already decided that the combination of sitekey whitelisting with CSP filters is not likely enough to worry about. Perhaps domain whitelisting is important enough to worry about, however. What do you think, Sebastian?

comment:3 Changed on 03/16/2017 at 09:40:02 AM by kzar

  • Resolution set to duplicate
  • Status changed from new to closed

Since the main issue for us to address here seems to be that we don't check if the website is whitelisted before injecting the CSP, I'm marking this a duplicate of #4953.
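
The ordering problem described in comment:2 and comment:3, as an added example that is not Adblock Plus code and not part of the original ticket: a small model of the CSP injection decision, with and without the whitelist check. All function names are hypothetical, the CSP value is an assumption (the ticket only says the policy blocks a blob iframe), and the filter list is a constructed, shortened sample.

```javascript
// Added illustration; not Adblock Plus source. All names are hypothetical.
// ASSUMED policy value: the ticket does not quote the injected CSP.
const ASSUMED_CSP = "child-src http: https:";

// Split a filter such as "$websocket,domain=a.com|b.com" into its parts.
function parseFilter(text) {
  const exception = text.startsWith("@@");
  const [pattern, opts = ""] = text.replace(/^@@/, "").split("$");
  const options = opts.split(",").filter(Boolean);
  const domainOpt = options.find(o => o.startsWith("domain="));
  return {
    exception,
    pattern,
    types: options.filter(o => !o.startsWith("domain=")),
    domains: domainOpt ? domainOpt.slice(7).split("|") : []
  };
}

// A domain option also covers subdomains (b2.jpost.com matches jpost.com).
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Simplification: the URL pattern of $websocket filters is ignored here.
function hasWebsocketFilter(filters, host) {
  return filters.some(f => !f.exception && f.types.includes("websocket") &&
    (f.domains.length === 0 || f.domains.some(d => hostMatches(host, d))));
}

// Domain whitelisting modelled as an "@@||domain^$document" exception.
function isWhitelisted(filters, host) {
  return filters.some(f => f.exception && f.types.includes("document") &&
    hostMatches(host, f.pattern.replace(/^\|\|/, "").replace(/\^$/, "")));
}

// checkWhitelist=false models the behaviour reported in the ticket;
// checkWhitelist=true skips injection for whitelisted documents.
function cspHeaders(filters, host, checkWhitelist) {
  if (checkWhitelist && isWhitelisted(filters, host)) return [];
  if (!hasWebsocketFilter(filters, host)) return [];
  return [{name: "Content-Security-Policy", value: ASSUMED_CSP}];
}

// Constructed sample: a shortened form of the EasyList filter plus a user whitelist entry.
const FILTERS = [
  "$websocket,domain=jpost.com|livescience.com",
  "@@||jpost.com^$document"
].map(parseFilter);
```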
