Opened on 11/28/2017 at 10:08:17 AM
Closed on 08/29/2019 at 05:43:18 PM
#6100 closed defect (rejected)
Procedural hiding filter triggers unresponsive page
Reported by: | mapx | Assignee: | |
---|---|---|---|
Priority: | Unknown | Milestone: | |
Module: | Platform | Keywords: | circumvention, closed-in-favor-of-gitlab |
Cc: | kzar, mjethani, hfiguiere, sebastian, Lain_13 | Blocked By: | |
Blocking: | Platform: | Unknown / Cross platform | |
Ready: | no | Confidential: | no |
Tester: | Unknown | Verified working: | no |
Review URL(s): |
Description
Environment
windows 7
chrome 63
ABP 3.0.1.1939
How to reproduce
- disable all the lists in ABP
- add these filters:
postimg.org##.td-ad
postimg.org#?##td-image > iframe
- go to https://postimg.org/image/443rhpfcaj/
Observed behaviour
- page becomes unresponsive, high CPU
Notes
these filters:
postimg.org#?#.td-ad
postimg.org#?##td-image > iframe
or:
postimg.org#?#.td-ad
postimg.org###td-image > iframe
don't trigger the same behaviour but in the ABP panel (devtools) I can see only the first filter:
postimg.org#?#.td-ad
The site is using the tricks reported here: #5302
(piguiqproxy.com/api stuff)
so, could be even fixing #242 it's not enough to fight against similar crap.
(sure, implementing $CSP and managing inline scripts is the right approach..)
Attachments (0)
Change History (13)
comment:1 Changed on 11/28/2017 at 10:11:39 AM by kzar
- Component changed from Unknown to Platform
comment:2 Changed on 11/28/2017 at 12:45:15 PM by Lain_13
comment:3 Changed on 11/28/2017 at 12:46:47 PM by mapx
- Cc Lain_13 added
comment:4 Changed on 11/28/2017 at 01:12:36 PM by Lain_13
Just checked and it looks like that's exactly what happens. The simplest way to fix this would be to move code which changes attribute into async function with setTimeout. Otherwise two observers will never return control to the browser and trigger each other forever. With setTimeout browser will postpone change until it have time to execute it. Usually such undercover fight have relatively low footprint (when console is closed) and usually browser defaults to display none. At least it was like that in my experiments about a year ago.
Another way to solve this is to override some API to prevent site from detecting this change at all and/or prevent their code to change style through setAttribute and modify node.style.display. Once I wrote similar code to hide ads on 4pda.ru.
In RU AdList JS Fixes I have special workaround for this particular ad network which overrides XMLHTTPRequest.prototype.send and ignores calls when it goes to their domain. So, their ads code never runs (except for that "/api" request - it must work).
comment:5 Changed on 12/08/2017 at 12:02:31 PM by kzar
Hubert please could you look into this one as well?
comment:6 Changed on 12/08/2017 at 12:03:06 PM by kzar
- Platform changed from Chrome to Unknown / Cross platform
- Summary changed from procedural hiding filter triggers unresponsive page in chrome to Procedural hiding filter triggers unresponsive page
comment:7 Changed on 12/22/2017 at 08:40:42 AM by mjethani
I looked into this a little bit. It seems like the page detects Adblock Plus and tries to unhide the iframe, which then causes Adblock Plus to hide it again, and this becomes a never-ending loop in which both the page and Adblock Plus try to apply their own styles to the element. It looks like this is by design on Adblock Plus's part.
comment:8 Changed on 01/29/2018 at 03:14:19 PM by kzar
So in the issue description it mentions that implementing $csp would be a suitable approach, we've been working on that in #5241.
Otherwise if the webpage keeps showing the iframe and Adblock Plus keeps hiding it like Manish mentions... I'm not sure what we can do to help which isn't also open to abuse for circumvention. Any suggestions, or shall I close this until we have $csp?
comment:9 Changed on 01/29/2018 at 03:36:13 PM by Lain_13
At least try to make call to setAttribute async, this should allow page to display and significantly reduce CPU load. And may keep IFRAME hidden since in my experiments browser defaults to display:none while observers are fighting each other. Anything is better than hung up page with high CPU load.
comment:10 Changed on 04/17/2018 at 11:51:43 PM by hfiguiere
- Keywords circumvention added
comment:11 Changed on 04/18/2018 at 06:26:29 AM by mjethani
This should no longer be an issue on Firefox since we switched to user style sheets, and it will stop being an issue on a future version of Chrome (probably 68).
It should still be addressed for current versions of Chrome though.
comment:12 Changed on 06/12/2018 at 02:40:09 AM by mjethani
Update: We are still waiting on Chromium to implement tabs.removeCSS.
I don't think it's worth trying to address this without user style sheets.
comment:13 Changed on 08/29/2019 at 05:43:18 PM by sebastian
- Keywords closed-in-favor-of-gitlab added
- Resolution set to rejected
- Status changed from new to closed
Sorry, but we switched to GitLab. If this issue is still relevant, please file it again in the new issue tracker.
There is a good chance that site attached a MutationObserver to that IFRAME object and restores STYLE property which ABP changes. In the result they are going into a fight since ABP also attaches an observer.