Opened on 03/03/2017 at 05:39:31 PM

Closed on 03/22/2017 at 06:51:50 AM

Last modified on 04/18/2019 at 08:36:20 AM

#4953 closed defect (fixed)

CSP injected for whitelisted websites

Reported by: mapx Assignee: kzar
Priority: P2 Milestone: Adblock-Plus-1.13.3-for-Chrome-Opera
Module: Platform Keywords:
Cc: kzar, sebastian, trev Blocked By:
Blocking: Platform: Chrome
Ready: yes Confidential: no
Tester: Ross Verified working: yes
Review URL(s):

Description (last modified by kzar)


w10,, chrome Version 57.0.2987.88 beta (64-bit)

How to reproduce

  1. Whitelist the domain
  2. Browse to

Observed behaviour

An error occurs: "Embed blocked! This error was triggered from Openload's anti abuse mechanism"

Expected behaviour

The error does not occur.


This happens since we've injected a CSP for the page, which prevents Object elements having a non HTTP/S URL. See Issue 4643 - Prevent WebSocket circumvention via object elements.

To avoid this we need to ensure the page isn't whitelisted before injecting our CSP.

Hints for testers

  1. Test a filter which injects a CSP still works and blocks WebSocket connections. Ideally on a real website but if not there's a test page you can use.
  2. Then whitelist the domain, refresh the page and ensure that the CSP is no longer injected and WebSocket connections are no longer blocked.
  3. Then un-whitelist the domain, refresh again and ensure they are blocked again.

Attachments (0)

Change History (6)

comment:1 Changed on 03/08/2017 at 01:40:07 PM by kzar

  • Cc trev added
  • Description modified (diff)
  • Owner set to kzar
  • Priority changed from Unknown to P2
  • Ready set
  • Summary changed from ABP breaks video site to CSP injected for whitelisted websites

This is not a regression since the last release IMO, we already were injecting a CSP in this situation it's just that it didn't happen to trigger's (current) detection logic.

IIRC Sebastian and I decided this situation didn't matter too much, but perhaps it does. I've opened a review, but even if it gets pushed it will be after the release.

comment:2 Changed on 03/08/2017 at 01:42:42 PM by kzar

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:3 Changed on 03/08/2017 at 03:14:31 PM by mapx

the whitelisting issue is secondary.

The main issue is that error you get in the dev build but not in the stable build.

Embed blocked!
This error was triggered from Openload's anti abuse mechanism

tested also in uBo ==> no such error (even disabling their special filters from ublock filters or disabling uBo extra)

comment:4 Changed on 03/22/2017 at 06:48:04 AM by abpbot

A commit referencing this issue has landed:
Issue 4953 - Ensure website isn't whitelisted before injecting CSP

comment:5 Changed on 03/22/2017 at 06:51:50 AM by kzar

  • Description modified (diff)
  • Milestone set to Adblock-Plus-for-Chrome-Opera-next
  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:6 Changed on 07/06/2017 at 12:11:28 PM by Ross

  • Tester changed from Unknown to Ross
  • Verified working set

Done. Possible to whitelist/unwhitelist filters that inject a CSP.

Chrome 49 / 59 / Windows 7
Opera 36 / 45 / Windows 7

Add Comment

Modify Ticket

Change Properties
as closed .
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from kzar.
Note: See TracTickets for help on using tickets.