Opened on 02/06/2017 at 05:13:51 PM
Closed on 03/02/2017 at 04:01:40 AM
Last modified on 03/13/2017 at 09:04:38 AM
#4866 closed defect (fixed)
Regression with CSP based blocking since the switch to frame-src
Reported by: | Lain_13 | Assignee: | kzar |
---|---|---|---|
Priority: | P1 | Milestone: | Adblock-Plus-1.13-for-Chrome-Opera |
Module: | Platform | Keywords: | |
Cc: | kzar, mapx, sebastian, trev, Ross, rraceanu | Blocked By: | |
Blocking: | Platform: | Chrome | |
Ready: | yes | Confidential: | no |
Tester: | Ross | Verified working: | yes |
Review URL(s): |
Description (last modified by kzar)
Environment
Adblock Plus development build 1.12.4.1725
Google Chrome 56.0.2924.87 (Official Build) (64-bit)
Issue doesn't reproduce on:
Adblock Plus 1.12.4
How to reproduce
- Add RU AdList filters.
- Add whitelist (to disable hiding filters):
#@#.da_adp_teaser #@#.directadvert-block sibnet.ru#@#.header__topline
- Open http://sibnet.ru and wait 1 second
Observed behaviour
Ads appears at the top of the page.
Expected behaviour
Ads blocked.
Notes
Since the switch to frame-src from the deprecated child-src directive we've started allowing SharedWorkers created with blob URLs. For a demonstration browse to http://csp.kzar.co.uk and look at the console messages.
Unfortunately since worker-src is not yet supported I think we'll have to revert back to child-src.
Attachments (1)
Change History (19)
Changed on 02/06/2017 at 05:14:18 PM by Lain_13
comment:1 Changed on 02/06/2017 at 09:39:28 PM by mapx
- Cc kzar mapx added
comment:2 Changed on 02/07/2017 at 03:09:09 AM by Lain_13
BTW, with stable ABP I see 2 error messages:
www.sibnet.ru/:205 Refused to create a worker from 'blob:http://www.sibnet.ru/0eaad1cc-4776-4fbd-b9d1-ec0ce86e8f1f' because it violates the following Content Security Policy directive: "child-src http: https:". _0x7203x16.(anonymous function) @ www.sibnet.ru/:205 www.sibnet.ru/:205 Uncaught DOMException: Failed to construct 'SharedWorker': Access to the script at 'blob:http://www.sibnet.ru/0eaad1cc-4776-4fbd-b9d1-ec0ce86e8f1f' is denied by the document's Content Security Policy. at HTMLScriptElement._0x7203x16.(anonymous function) (http://www.sibnet.ru/:205:5774)
They doesn't appear with dev version. WS connection doesn't appear either, though. Probably due to being initiated from a SharedWorked which doesn't belong to any specific page.
comment:3 Changed on 02/07/2017 at 06:57:35 AM by kzar
- Cc sebastian added
- Component changed from Unknown to Platform
- Description modified (diff)
comment:4 follow-up: ↓ 5 Changed on 02/07/2017 at 07:39:38 AM by Lain_13
Try to use RuAdList+EasyList in case you used RU AdList only. I expected it to be there by default.
According to changelog #4807 is not yet included in the dev build 1.12.4.1725. #4770 looks like a likely culprit to me. Especially because child-src were dropped (even though it still works) frame-src doesn't cover workers and worker-src isn't supported yet and wasn't implemented. It clearly leaves workers free from being blocked by CSP.
Not sure why you can't reproduce it, though. As I understand CSP in #4807 is only applied to actual scripts loaded from the web. Am I wrong and it's applied to blobs as well? In that case it's the reason why connection is blocked in the master build and we won't need worker-src support at all and can leave #4770 as-is.
BTW, I'd really like to see #4807 in the public dev builds.
comment:5 in reply to: ↑ 4 Changed on 02/07/2017 at 08:35:32 AM by kzar
Replying to Lain_13:
Try to use RuAdList+EasyList in case you used RU AdList only. I expected it to be there > by default.
Yes, I'm using that. Still not able to reproduce this problem however :/
BTW, I'd really like to see #4807 in the public dev builds.
Yea me too, but it's currently blocked by review unfortunately.
comment:6 follow-up: ↓ 8 Changed on 02/07/2017 at 09:17:51 AM by Lain_13
I think to reproduce you have to use the same build as I am. I mean publicly available dev build. As I understand your build includes #4807 and something else.
I've tried to apply change done in #4807 locally, but it doesn't seem to work here even though it works fine at pesnik.su. Well, looks like this CSP isn't applied to blobs after all and have nothing to do with the regression I experience.
comment:7 Changed on 02/07/2017 at 01:39:32 PM by Lain_13
Dimisa reported similar issue to uBO since it also was affected and gorhill fixed it somehow: https://github.com/gorhill/uBlock/commit/a742f09dd4ba37d748c962bed171ddd84bf046ea
Not sure if it would be helpful in any way in this case.
comment:9 Changed on 02/08/2017 at 09:51:10 AM by Lain_13
I've tested this on latest version of Vivaldi browser: 1.7.735.46 (Stable channel) (32-bit)
without any additional extensions and/or user scripts to make sure it isn't due to some interference from a third-party extension or my script. I got exactly the same results. With stable ABP versions ads are blocked. With dev-build - shared workers created and ads are shown.
comment:10 Changed on 03/01/2017 at 04:45:04 AM by kzar
I still can't reproduce this problem. Does it still happen for you with 1.12.4.1738? If so are the steps in the description correct?
comment:11 Changed on 03/01/2017 at 08:35:56 AM by Lain_13
Hm... Strange, I'm sure I've posted proper set of filters before, but now I see 1 of filters is different on my side. Could you please check with sibnet.ru#@#.header__topline instead of sibnet.ru#@##right_place_wrapper?
comment:12 Changed on 03/01/2017 at 09:02:19 AM by kzar
- Description modified (diff)
comment:13 Changed on 03/01/2017 at 10:26:47 AM by kzar
- Cc trev added
- Description modified (diff)
- Milestone set to Adblock-Plus-1.13-for-Chrome-Opera
- Owner set to kzar
- Priority changed from Unknown to P1
- Ready set
- Summary changed from Possible regression in dev-version of ABP for Chrome on sibnet.ru to Regression with CSP based blocking since the switch to frame-src
Thanks, can now reproduce this. This is a regression from the previous release so marking as P1.
comment:14 Changed on 03/01/2017 at 10:41:58 AM by kzar
- Review URL(s) modified (diff)
- Status changed from new to reviewing
comment:15 Changed on 03/02/2017 at 03:59:49 AM by abpbot
A commit referencing this issue has landed:
Issue 4866 - Add the child-src CSP directive back again for now
comment:16 Changed on 03/02/2017 at 04:01:40 AM by kzar
- Resolution set to fixed
- Status changed from reviewing to closed
comment:17 Changed on 03/02/2017 at 04:11:03 AM by kzar
- Cc Ross rraceanu added
FYI Ross / Robert - This small change just landed, which has undone the work in #4770, which caused problems. Unfortunately we've had to do this now despite the feature freeze. Please make sure you're now testing with the latest dev build.
The only thing this change affects is special CSP filters such as *$websocket,domain=kzar.co.uk which are used to block WebSockets in places that our content scripts aren't run. Anything else you've tested already doesn't need to be re-tested.
comment:18 Changed on 03/13/2017 at 09:04:38 AM by Ross
- Tester changed from Unknown to Ross
- Verified working set
Fixed. Could not reproduce regression described above and kzar's CSP test page appears to work as expected.
ABP 1.12.4.1739
Chrome 49 / 56 / Windows 10
Chrome 56 / OS X 10.12
Chrome 56 / Ubuntu 16.04
Opera 37 / 41 / Windows 7
Safari 10 / OS X 10.12
Partially deobfuscated sibnet.ru code