Opened on 09/16/2018 at 02:48:51 PM
Closed on 11/06/2018 at 10:13:59 AM
#6954 closed defect (invalid)
Domain-based whitelisting does not work for content filtering in subframes
Reported by: | mjethani | Assignee: | |
---|---|---|---|
Priority: | P2 | Milestone: | |
Module: | Platform | Keywords: | |
Cc: | sebastian, kzar | Blocked By: | |
Blocking: | Platform: | Unknown / Cross platform | |
Ready: | no | Confidential: | no |
Tester: | Unknown | Verified working: | no |
Review URL(s): |
Description (last modified by mjethani)
Environment
ABP 3.3.2 on Chrome
How to reproduce
Host the following document on foo.com:
<!-- foo.com/test.html --> <img src="https://imgs.xkcd.com/comics/word_puzzles.png"> <iframe src="http://bar.com/test.html"></iframe>
Host the following document on bar.com:
<!-- bar.com/test.html --> <img src="https://imgs.xkcd.com/comics/word_puzzles.png">
Add the filters ##img and @@$document,domain=bar.com.
Now load foo.com/test.html in the browser.
Observed behaviour
All images are hidden.
Expected behaviour
The image in the subframe bar.com/test.html should be visible because of the second filter.
Additional notes
This code in lib/whitelisting.js:
while (frame) { let parentFrame = frame.parent; let filter = match(page, frame.url, typeMask, extractHostFromFrame(parentFrame, originUrl), getKey(page, frame, originUrl)); ...
It goes straight to the parent frame. This works for blocking filters because we look at the hostname in the initiator property as a fallback (so it only works incidentally and not necessarily because the logic is correct), but we don't do this for content filters.
Attachments (0)
Change History (5)
comment:2 Changed on 09/17/2018 at 02:23:29 PM by sebastian
- Owner set to sebastian
- Priority changed from Unknown to P2
- Ready set
comment:3 Changed on 09/17/2018 at 02:52:00 PM by sebastian
- Owner sebastian deleted
- Ready unset
Wait! I first thought that this might have been a regression of #6543. But it seems the behavior was the same before, and on second thought the behavior seems to be correct. The $domain option refers to the parent document. So @@$document,domain=bar.com means: Whitelist any document (and all of it's sub-resources) that is loaded in a frame on another document with the domain bar.com.
comment:4 Changed on 11/06/2018 at 10:13:41 AM by mjethani
Alright, that makes sense. It's not a bug then.
comment:5 Changed on 11/06/2018 at 10:13:59 AM by mjethani
- Resolution set to invalid
- Status changed from new to closed
Good catch! This is quite bad. I'd still like to have it fixed with 3.4.