Opened on 03/03/2017 at 05:39:31 PM
Closed on 03/22/2017 at 06:51:50 AM
Last modified on 04/18/2019 at 08:36:20 AM
#4953 closed defect (fixed)
CSP injected for whitelisted websites
| Reported by: | mapx | Assignee: | kzar |
|---|---|---|---|
| Priority: | P2 | Milestone: | Adblock-Plus-1.13.3-for-Chrome-Opera |
| Module: | Platform | Keywords: | |
| Cc: | kzar, sebastian, trev | Blocked By: | |
| Blocking: | Platform: | Chrome | |
| Ready: | yes | Confidential: | no |
| Tester: | Ross | Verified working: | yes |
| Review URL(s): | |||
Description (last modified by kzar)
Environment
w10, 1.12.4.1739, chrome Version 57.0.2987.88 beta (64-bit)
How to reproduce
- Whitelist the domain openload.io
- Browse to http://openload.io/f/fBC9VSLbmWU
Observed behaviour
An error occurs: "Embed blocked! This error was triggered from Openload's anti abuse mechanism"
Expected behaviour
The error does not occur.
Notes
This happens since we've injected a CSP for the page, which prevents Object elements having a non HTTP/S URL. See Issue 4643 - Prevent WebSocket circumvention via object elements.
To avoid this we need to ensure the page isn't whitelisted before injecting our CSP.
Hints for testers
- Test a filter which injects a CSP still works and blocks WebSocket connections. Ideally on a real website but if not there's a test page http://csp.kzar.co.uk you can use.
- Then whitelist the domain, refresh the page and ensure that the CSP is no longer injected and WebSocket connections are no longer blocked.
- Then un-whitelist the domain, refresh again and ensure they are blocked again.
Attachments (0)
Change History (6)
comment:1 Changed on 03/08/2017 at 01:40:07 PM by kzar
- Cc trev added
- Description modified (diff)
- Owner set to kzar
- Priority changed from Unknown to P2
- Ready set
- Summary changed from ABP 1.12.4.1739 breaks video site to CSP injected for whitelisted websites
comment:2 Changed on 03/08/2017 at 01:42:42 PM by kzar
- Review URL(s) modified (diff)
- Status changed from new to reviewing
comment:3 Changed on 03/08/2017 at 03:14:31 PM by mapx
the whitelisting issue is secondary.
The main issue is that error you get in the dev build but not in the stable build.
Embed blocked! This error was triggered from Openload's anti abuse mechanism
tested also in uBo ==> no such error (even disabling their special filters from ublock filters or disabling uBo extra)
comment:4 Changed on 03/22/2017 at 06:48:04 AM by abpbot
A commit referencing this issue has landed:
Issue 4953 - Ensure website isn't whitelisted before injecting CSP
comment:5 Changed on 03/22/2017 at 06:51:50 AM by kzar
- Description modified (diff)
- Milestone set to Adblock-Plus-for-Chrome-Opera-next
- Resolution set to fixed
- Status changed from reviewing to closed
comment:6 Changed on 07/06/2017 at 12:11:28 PM by Ross
- Tester changed from Unknown to Ross
- Verified working set
Done. Possible to whitelist/unwhitelist filters that inject a CSP.
ABP 1.13.2.1785
Chrome 49 / 59 / Windows 7
Opera 36 / 45 / Windows 7
This is not a regression since the last release IMO, we already were injecting a CSP in this situation it's just that it didn't happen to trigger openload.io's (current) detection logic.
IIRC Sebastian and I decided this situation didn't matter too much, but perhaps it does. I've opened a review, but even if it gets pushed it will be after the release.