Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#4866 closed defect (fixed)

Regression with CSP based blocking since the switch to frame-src

Reported by: Lain_13
Assignee: kzar
Priority: P1
Milestone: Adblock-Plus-1.13-for-Chrome-Opera
Module: Platform
Keywords:
Cc: kzar, mapx, sebastian, trev, Ross, rraceanu
Blocked By:
Blocking:
Platform: Chrome
Ready: yes
Confidential: no
Tester: Ross
Verified working: yes
Review URL(s):

https://codereview.adblockplus.org/29377728/

Description (last modified by kzar)

Environment

Adblock Plus development build 1.12.4.1725
Google Chrome 56.0.2924.87 (Official Build) (64-bit)

Issue doesn't reproduce on:
Adblock Plus 1.12.4

How to reproduce

  1. Add RU AdList filters.
  2. Add whitelist (to disable hiding filters):
    #@#.da_adp_teaser
    #@#.directadvert-block
    sibnet.ru#@#.header__topline
    
  3. Open http://sibnet.ru and wait 1 second

Observed behaviour

Ads appear at the top of the page.

Expected behaviour

Ads blocked.

Notes

Since the switch to frame-src from the deprecated child-src directive we've started allowing SharedWorkers created with blob URLs. For a demonstration browse to http://csp.kzar.co.uk and look at the console messages.

Unfortunately since worker-src is not yet supported I think we'll have to revert back to child-src.

Attachments (1)

sibnet-partial-decode.js (9.2 KB) - added by Lain_13 3 years ago.
Partially deobfuscated sibnet.ru code
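
Added example (not from the ticket or the Adblock Plus code base): a simplified JavaScript model of the directive fallback behind this regression, showing why a blob: SharedWorker passes under frame-src but is refused under child-src. The `frame-src http: https:` policy string, the constructed blob URL and the `workerSrcSupported` flag are assumptions; `child-src http: https:` is the policy quoted in the console message in comment 2.

```javascript
// Added example: simplified model of CSP directive fallback for frames/workers.
// Only scheme-sources ("http:", "https:", "blob:") are modelled.
const STABLE_POLICY = "child-src http: https:";  // from the console message
const DEV_POLICY = "frame-src http: https:";     // assumed post-switch policy
// Constructed sample URL, not taken from the ticket.
const BLOB_WORKER = "blob:http://example.com/00000000-0000-0000-0000-000000000000";

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase()))
      directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Returns the first directive in the fallback chain that the policy defines.
// worker-src is consulted only if the browser implements it.
function governingDirective(directives, kind, workerSrcSupported) {
  const chains = {
    frame: ["frame-src", "child-src", "default-src"],
    worker: workerSrcSupported
      ? ["worker-src", "child-src", "script-src", "default-src"]
      : ["child-src", "default-src"]
  };
  return chains[kind].find(name => directives.has(name)) || null;
}

function isAllowed(policy, kind, url, workerSrcSupported = false) {
  const directives = parsePolicy(policy);
  const name = governingDirective(directives, kind, workerSrcSupported);
  if (name === null) return true;  // nothing in the policy governs this load
  const scheme = new URL(url).protocol;  // e.g. "blob:"
  return directives.get(name).some(source =>
    source === scheme || (source === "http:" && scheme === "https:"));
}

function demo() {
  return {
    stable: isAllowed(STABLE_POLICY, "worker", BLOB_WORKER),  // child-src governs
    dev: isAllowed(DEV_POLICY, "worker", BLOB_WORKER),        // no governing directive
    devFrame: isAllowed(DEV_POLICY, "frame", BLOB_WORKER)     // frame-src governs
  };
}
console.log(demo());
```

With `workerSrcSupported` set to true, a `worker-src http: https:` policy refuses the same blob: worker, which is the directive the ticket says was not yet available.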


Change History (19)

Changed 3 years ago by Lain_13

Partially deobfuscated sibnet.ru code

comment:1 Changed 3 years ago by mapx

  • Cc kzar mapx added

comment:2 Changed 3 years ago by Lain_13

BTW, with stable ABP I see 2 error messages:

www.sibnet.ru/:205 Refused to create a worker from 'blob:http://www.sibnet.ru/0eaad1cc-4776-4fbd-b9d1-ec0ce86e8f1f' because it violates the following Content Security Policy directive: "child-src http: https:".

_0x7203x16.(anonymous function) @ www.sibnet.ru/:205
www.sibnet.ru/:205 Uncaught DOMException: Failed to construct 'SharedWorker': Access to the script at 'blob:http://www.sibnet.ru/0eaad1cc-4776-4fbd-b9d1-ec0ce86e8f1f' is denied by the document's Content Security Policy.
    at HTMLScriptElement._0x7203x16.(anonymous function) (http://www.sibnet.ru/:205:5774)

They don't appear with the dev version. The WS connection doesn't appear either, though. Probably due to being initiated from a SharedWorker which doesn't belong to any specific page.

comment:3 Changed 3 years ago by kzar

  • Cc sebastian added
  • Component changed from Unknown to Platform
  • Description modified (diff)

I can't reproduce this as described with Chrome Version 56.0.2924.87 (64-bit) and Adblock Plus built from current master. Are there any steps to reproduce that I'm missing?

(Sounds like it might have been either caused by the change in #4770, or a duplicate of #4807 which is still waiting review.)

comment:4 follow-up: Changed 3 years ago by Lain_13

Try to use RuAdList+EasyList in case you used RU AdList only. I expected it to be there by default.

According to the changelog, #4807 is not yet included in the dev build 1.12.4.1725. #4770 looks like a likely culprit to me. Especially because child-src was dropped (even though it still works), frame-src doesn't cover workers, and worker-src isn't supported yet and wasn't implemented. It clearly leaves workers free from being blocked by CSP.

Not sure why you can't reproduce it, though. As I understand CSP in #4807 is only applied to actual scripts loaded from the web. Am I wrong and it's applied to blobs as well? In that case it's the reason why connection is blocked in the master build and we won't need worker-src support at all and can leave #4770 as-is.

BTW, I'd really like to see #4807 in the public dev builds.

Last edited 3 years ago by Lain_13 (previous) (diff)

comment:5 in reply to: ↑ 4 Changed 3 years ago by kzar

Replying to Lain_13:

> Try to use RuAdList+EasyList in case you used RU AdList only. I expected it to be there by default.

Yes, I'm using that. Still not able to reproduce this problem however :/

> BTW, I'd really like to see #4807 in the public dev builds.

Yea me too, but it's currently blocked by review unfortunately.

comment:6 follow-up: Changed 3 years ago by Lain_13

I think to reproduce you have to use the same build as I am. I mean publicly available dev build. As I understand your build includes #4807 and something else.

I've tried to apply the change done in #4807 locally, but it doesn't seem to work here even though it works fine at pesnik.su. Well, looks like this CSP isn't applied to blobs after all and has nothing to do with the regression I experience.

Last edited 3 years ago by Lain_13 (previous) (diff)

comment:7 Changed 3 years ago by Lain_13

Dimisa reported similar issue to uBO since it also was affected and gorhill fixed it somehow: https://github.com/gorhill/uBlock/commit/a742f09dd4ba37d748c962bed171ddd84bf046ea
Not sure if it would be helpful in any way in this case.

comment:8 in reply to: ↑ 6 Changed 3 years ago by kzar

Replying to Lain_13:

> As I understand your build includes #4807 and something else.

No it doesn't.

I'll try again to reproduce this when I get a chance but so far I'm still not able to.

comment:9 Changed 3 years ago by Lain_13

I've tested this on latest version of Vivaldi browser: 1.7.735.46 (Stable channel) (32-bit)
without any additional extensions and/or user scripts to make sure it isn't due to some interference from a third-party extension or my script. I got exactly the same results. With stable ABP versions ads are blocked. With the dev build, shared workers are created and ads are shown.

comment:10 Changed 3 years ago by kzar

I still can't reproduce this problem. Does it still happen for you with 1.12.4.1738? If so are the steps in the description correct?

comment:11 Changed 3 years ago by Lain_13

Hm... Strange, I'm sure I've posted the proper set of filters before, but now I see one of the filters is different on my side. Could you please check with sibnet.ru#@#.header__topline instead of sibnet.ru#@##right_place_wrapper?

comment:12 Changed 3 years ago by kzar

  • Description modified (diff)

comment:13 Changed 3 years ago by kzar

  • Cc trev added
  • Description modified (diff)
  • Milestone set to Adblock-Plus-1.13-for-Chrome-Opera
  • Owner set to kzar
  • Priority changed from Unknown to P1
  • Ready set
  • Summary changed from Possible regression in dev-version of ABP for Chrome on sibnet.ru to Regression with CSP based blocking since the switch to frame-src

Thanks, can now reproduce this. This is a regression from the previous release so marking as P1.

comment:14 Changed 3 years ago by kzar

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:15 Changed 3 years ago by abpbot

A commit referencing this issue has landed:
Issue 4866 - Add the child-src CSP directive back again for now

comment:16 Changed 3 years ago by kzar

  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:17 Changed 3 years ago by kzar

  • Cc Ross rraceanu added

FYI Ross / Robert - This small change just landed, which has undone the work in #4770, which caused problems. Unfortunately we've had to do this now despite the feature freeze. Please make sure you're now testing with the latest dev build.

The only thing this change affects is special CSP filters such as *$websocket,domain=kzar.co.uk which are used to block WebSockets in places that our content scripts aren't run. Anything else you've tested already doesn't need to be re-tested.

comment:18 Changed 3 years ago by Ross

  • Tester changed from Unknown to Ross
  • Verified working set

Fixed. Could not reproduce regression described above and kzar's CSP test page appears to work as expected.

ABP 1.12.4.1739
Chrome 49 / 56 / Windows 10
Chrome 56 / OS X 10.12
Chrome 56 / Ubuntu 16.04
Opera 37 / 41 / Windows 7
Safari 10 / OS X 10.12
