Opened 5 months ago

Closed 2 months ago

Last modified 3 days ago

#4368 closed defect (fixed)

ABP doesn't catch popups redirecting with a base64 encoded URL

Reported by: arthur Assignee: trev
Priority: P1 Milestone: Adblock-Plus-2.8.2-for-Firefox
Module: Adblock-Plus-for-Firefox Keywords:
Cc: trev, mapx, fanboy Blocked By:
Blocking: Platform: Firefox
Ready: yes Confidential: no
Tester: Ross Verified working: yes
Review URL(s):

https://codereview.adblockplus.org/29362515/

Description (last modified by trev)

Environment

Windows 10 Pro
Firefox 48.0.2
ABP 2.7.3.4197

How to reproduce

  1. Go to https://eztv.ag/
  2. Open the list of blockable items
  3. Click anywhere

Observed behaviour

The (blocked) popup isn't listed in the blockable items.

Expected behaviour

It should appear in the blockable items. Popup blocking itself seems to work though.

What to change

Make sure that whitelisted schemes don't affect pop-up blocking, so that a pop-up can be blocked regardless of the scheme used.

Change History (16)

comment:1 Changed 5 months ago by arthur

  • Cc trev added

comment:2 Changed 5 months ago by mapx

  • Cc mapx added

comment:3 Changed 4 months ago by mapx

  • Cc fanboy added

comment:4 Changed 4 months ago by mapx

a lot of big players are using this method now to push on there popups

Last edited 4 months ago by mapx (previous) (diff)

comment:5 Changed 3 months ago by fanboy

Regression range:

Adblock Plus 2.7.3.4196-beta   2016-07-19 19:20 UTC 	GOOD
Adblock Plus 2.7.3.4197-beta   2016-08-16 13:50 UTC 	BAD

Possibly caused by: https://hg.adblockplus.org/adblockplus/rev/368c64d2955a

comment:6 Changed 3 months ago by trev

Yes, we fixed a bug in #4335 which created the current behavior - but what we have now is correct. Pop-up blocking was never supposed to block redirects, this is #2095. If anything, we might want to ignore extensions.adblockplus.whitelistschemes setting for pop-up blocking so that data: pop-ups can be blocked as well.

comment:7 Changed 3 months ago by fanboy

As witness to it, the data: popups are being used heavily on many porn/filesharing and torrent websites. If we can, just do something to stop the data: popups it was certainly noticeable things wern't being blocked anymore. I haven't seen any legit data: popups yet.

Pity #2095 is 20 months old with no action or a patch :/

comment:8 Changed 2 months ago by trev

  • Description modified (diff)
  • Owner set to trev
  • Priority changed from Unknown to P1
  • Ready set

comment:9 Changed 2 months ago by trev

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:10 Changed 2 months ago by abpbot

A commit referencing this issue has landed:
Issue 4368 - Ignore whitelisted schemes for pop-ups

comment:11 Changed 2 months ago by trev

  • Milestone set to Adblock-Plus-for-Firefox-next
  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:12 Changed 2 months ago by Ross

How should this appear in the blockable items list if working correctly? Is it that the filter ##a[href][target="_blank"] was not appearing in the list?

comment:13 Changed 2 months ago by mapx

if you test eztv, you'll get

|data:$popup,domain=eztv.ag

item address:
data:text/html;base64,PGh0bWw+PGJvZHk+PHNjcmlwdD52YXIgZT0obmV3IERhdGUpLmdldFRpbWUoKTt2YXIgZWZ3PXdpbmRvdy5uYW1lLnNwbGl0KCdfJylbM107aWYoZS1lZnc8MjUwKXt3aW5kb3cubG9jYXRpb249Jyc7fTwvc2NyaXB0PjwvYm9keT48L2h0bWw+

comment:14 Changed 2 months ago by Ross

  • Tester changed from Unknown to Ross
  • Verified working set

Thank you, I realised I was also using the wrong ABP version to test with.

This is fixed. Tested on eztv and several other torrent/porn sites. Popups are blocked and appear in the blockable items list.

Firefox 38 / 49 / Windows 7
Firefox Nightly 53.0a1 (2016-11-17) / Windows 7

comment:15 Changed 3 days ago by fanboy

This bug has reared its head again. 2.7.3.4196-beta can shut down these popups, current -dev cannot.

Popups are being generated with the following:

javascript:window.opener=null;setTimeout(function(){window.location.href='http://dearerfonder.info/SDl1Q2N3HwEqB3UPRXBReQlTMQYsBERlAipNSHFFPgREbVJ4F0JtVX4fAH5SfwBBIAB/XBR6V30AECYCcABFdFsqCRcnACxbQnVQKh8TMF55HxwlXngfBi5efAhTKF5uSxAlXiBNATNGe3hQcSVtCzM0FD8XFyoXPlARbRAwHEcFBSFVEGZRDltMelctXUVzW3wORXVFK01IdEUrTRZ+Wm5KATBeeR8aMBF1TgI0TSpQATUKLBcGO0U4Sxt+U24='},250)

(As seen on eztv.ag)

|javascript:*setTimeout*location.href$popup

This works well in 2.7.3.4196-beta, just not in current-dev.

Note: See TracTickets for help on using tickets.