Regression with CSP based blocking since the switch to frame-src

[Lain_13]

Environment

Adblock Plus development build 1.12.4.1725
Google Chrome 56.0.2924.87 (Official Build) (64-bit)

Issue doesn't reproduce on:
Adblock Plus 1.12.4

How to reproduce

1. Add RU AdList filters.
2. Add whitelist (to disable hiding filters):

   #@#.da_adp_teaser
   #@#.directadvert-block
   sibnet.ru#@#.header__topline
   

3. Open ​http://sibnet.ru and wait 1 second

Observed behaviour

Ads appears at the top of the page.

Expected behaviour

Ads blocked.

Notes

Since the switch to frame-src from the deprecated child-src directive we've started allowing SharedWorkers created with blob URLs. For a demonstration browse to ​http://csp.kzar.co.uk and look at the console messages.

Unfortunately since worker-src is not yet supported I think we'll have to revert back to child-src.

[Lain_13]

Partially deobfuscated sibnet.ru code

[Lain_13]

BTW, with stable ABP I see 2 error messages:

www.sibnet.ru/:205 Refused to create a worker from 'blob:http://www.sibnet.ru/0eaad1cc-4776-4fbd-b9d1-ec0ce86e8f1f' because it violates the following Content Security Policy directive: "child-src http: https:".

_0x7203x16.(anonymous function) @ www.sibnet.ru/:205
www.sibnet.ru/:205 Uncaught DOMException: Failed to construct 'SharedWorker': Access to the script at 'blob:http://www.sibnet.ru/0eaad1cc-4776-4fbd-b9d1-ec0ce86e8f1f' is denied by the document's Content Security Policy.
    at HTMLScriptElement._0x7203x16.(anonymous function) (http://www.sibnet.ru/:205:5774)

They doesn't appear with dev version. WS connection doesn't appear either, though. Probably due to being initiated from a SharedWorked which doesn't belong to any specific page.

[kzar]

I can't reproduce this as described with Chrome Version 56.0.2924.87 (64-bit) and Adblock Plus built from current master. Are there any steps to reproduce that I'm missing?

(Sounds like it might have been either caused by the change in #4770, or a duplicate of #4807 which is still waiting review.)

[Lain_13]

Try to use RuAdList+EasyList in case you used RU AdList only. I expected it to be there by default.

According to changelog #4807 is not yet included in the dev build 1.12.4.1725. #4770 looks like a likely culprit to me. Especially because child-src were dropped (even though it still works) frame-src doesn't cover workers and worker-src isn't supported yet and wasn't implemented. It clearly leaves workers free from being blocked by CSP.

Not sure why you can't reproduce it, though. As I understand CSP in #4807 is only applied to actual scripts loaded from the web. Am I wrong and it's applied to blobs as well? In that case it's the reason why connection is blocked in the master build and we won't need worker-src support at all and can leave #4770 as-is.

BTW, I'd really like to see #4807 in the public dev builds.

[kzar]

Replying to Lain_13:

Try to use RuAdList+EasyList in case you used RU AdList only. I expected it to be there > by default.

Yes, I'm using that. Still not able to reproduce this problem however :/

BTW, I'd really like to see #4807 in the public dev builds.

Yea me too, but it's currently blocked by review unfortunately.

[Lain_13]

I think to reproduce you have to use the same build as I am. I mean publicly available dev build. As I understand your build includes #4807 and something else.

I've tried to apply change done in #4807 locally, but it doesn't seem to work here even though it works fine at pesnik.su. Well, looks like this CSP isn't applied to blobs after all and have nothing to do with the regression I experience.

[Lain_13]

Dimisa reported similar issue to uBO since it also was affected and gorhill fixed it somehow: ​https://github.com/gorhill/uBlock/commit/a742f09dd4ba37d748c962bed171ddd84bf046ea
Not sure if it would be helpful in any way in this case.

[kzar]

Replying to Lain_13:

As I understand your build includes #4807 and something else.

No it doesn't.

I'll try again to reproduce this when I get a chance but so far I'm still not able to.

[Lain_13]

I've tested this on latest version of Vivaldi browser: 1.7.735.46 (Stable channel) (32-bit)
without any additional extensions and/or user scripts to make sure it isn't due to some interference from a third-party extension or my script. I got exactly the same results. With stable ABP versions ads are blocked. With dev-build - shared workers created and ads are shown.

[kzar]

I still can't reproduce this problem. Does it still happen for you with 1.12.4.1738? If so are the steps in the description correct?

[Lain_13]

Hm... Strange, I'm sure I've posted proper set of filters before, but now I see 1 of filters is different on my side. Could you please check with sibnet.ru#@#.header__topline instead of sibnet.ru#@##right_place_wrapper?

[kzar]

Thanks, can now reproduce this. This is a regression from the previous release so marking as P1.

[abpbot]

A commit referencing this issue has landed:
​Issue 4866 - Add the child-src CSP directive back again for now

[kzar]

FYI Ross / Robert - This small change just landed, which has undone the work in #4770, which caused problems. Unfortunately we've had to do this now despite the feature freeze. Please make sure you're now testing with the latest dev build.

The only thing this change affects is special CSP filters such as *$websocket,domain=kzar.co.uk which are used to block WebSockets in places that our content scripts aren't run. Anything else you've tested already doesn't need to be re-tested.

[Ross]

Fixed. Could not reproduce regression described above and kzar's CSP test page appears to work as expected.

ABP 1.12.4.1739
Chrome 49 / 56 / Windows 10
Chrome 56 / OS X 10.12
Chrome 56 / Ubuntu 16.04
Opera 37 / 41 / Windows 7
Safari 10 / OS X 10.12