Opened 3 years ago

Closed 3 years ago

Last modified 8 months ago

#4953 closed defect (fixed)

CSP injected for whitelisted websites

Reported by: mapx
Assignee: kzar
Priority: P2
Milestone: Adblock-Plus-1.13.3-for-Chrome-Opera
Module: Platform
Keywords:
Cc: kzar, sebastian, trev
Blocked By:
Blocking:
Platform: Chrome
Ready: yes
Confidential: no
Tester: Ross
Verified working: yes
Review URL(s):

https://codereview.adblockplus.org/29378831/

Description (last modified by kzar)

Environment

w10, 1.12.4.1739, chrome Version 57.0.2987.88 beta (64-bit)

How to reproduce

  1. Whitelist the domain openload.io
  2. Browse to http://openload.io/f/fBC9VSLbmWU

Observed behaviour

An error occurs: "Embed blocked! This error was triggered from Openload's anti abuse mechanism"

Expected behaviour

The error does not occur.

Notes

This happens because we've injected a CSP for the page, which prevents object elements from having a non-HTTP/S URL. See Issue 4643 - Prevent WebSocket circumvention via object elements.

To avoid this we need to ensure the page isn't whitelisted before injecting our CSP.

Hints for testers

  1. Test that a filter which injects a CSP still works and blocks WebSocket connections. Ideally on a real website, but if not, there's a test page, http://csp.kzar.co.uk, you can use.
  2. Then whitelist the domain, refresh the page and ensure that the CSP is no longer injected and WebSocket connections are no longer blocked.
  3. Then un-whitelist the domain, refresh again and ensure they are blocked again.
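
The check described in the Notes, sketched as an added example (not the Adblock Plus source or the reviewed patch): a handler shaped like Chrome's blocking `webRequest.onHeadersReceived` listener that skips CSP injection for whitelisted pages. The function names, the whitelist set and the policy string are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not Adblock Plus code.

// Constructed policy matching the ticket's description: connections and
// object elements are limited to HTTP/S URLs, which rules out ws:/wss:.
const INJECTED_CSP = "connect-src http: https:; object-src http: https:";

// Constructed sample whitelist, keyed by domain.
const whitelistedDomains = new Set(["openload.io"]);

// A page counts as whitelisted when its host or any parent domain is listed.
// Matching whole labels means "notopenload.io" does not match "openload.io".
function isPageWhitelisted(pageUrl, whitelist) {
  const labels = new URL(pageUrl).hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (whitelist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Returns {responseHeaders} to modify the response, or undefined to leave
// it untouched (the contract of a blocking onHeadersReceived listener).
function onHeadersReceived(details, whitelist) {
  // Only document responses carry a page-level CSP.
  if (details.type !== "main_frame" && details.type !== "sub_frame") {
    return undefined;
  }
  // The check this ticket asks for: whitelisted pages get no injected CSP.
  if (isPageWhitelisted(details.url, whitelist)) {
    return undefined;
  }
  // Append rather than replace: the site's own policy stays in force, and
  // when several CSP headers are present a load must satisfy all of them.
  const responseHeaders = (details.responseHeaders || []).concat({
    name: "Content-Security-Policy",
    value: INJECTED_CSP
  });
  return { responseHeaders };
}
```

In an extension, a function like this would be registered with `chrome.webRequest.onHeadersReceived.addListener` using the `"blocking"` and `"responseHeaders"` options; the whitelist lookup here only considers the document's own URL.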

Change History (6)

comment:1 Changed 3 years ago by kzar

  • Cc trev added
  • Description modified (diff)
  • Owner set to kzar
  • Priority changed from Unknown to P2
  • Ready set
  • Summary changed from ABP 1.12.4.1739 breaks video site to CSP injected for whitelisted websites

This is not a regression since the last release IMO; we were already injecting a CSP in this situation, it's just that it didn't happen to trigger openload.io's (current) detection logic.

IIRC Sebastian and I decided this situation didn't matter too much, but perhaps it does. I've opened a review, but even if it gets pushed it will be after the release.

comment:2 Changed 3 years ago by kzar

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:3 Changed 3 years ago by mapx

The whitelisting issue is secondary.

The main issue is that error you get in the dev build but not in the stable build.

Embed blocked!
This error was triggered from Openload's anti abuse mechanism

Tested also in uBo ==> no such error (even disabling their special filters from ublock filters or disabling uBo extra)

comment:4 Changed 3 years ago by abpbot

A commit referencing this issue has landed:
Issue 4953 - Ensure website isn't whitelisted before injecting CSP

comment:5 Changed 3 years ago by kzar

  • Description modified (diff)
  • Milestone set to Adblock-Plus-for-Chrome-Opera-next
  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:6 Changed 2 years ago by Ross

  • Tester changed from Unknown to Ross
  • Verified working set

Done. Possible to whitelist/unwhitelist filters that inject a CSP.

ABP 1.13.2.1785
Chrome 49 / 59 / Windows 7
Opera 36 / 45 / Windows 7
