Opened on 09/10/2018 at 12:58:30 PM
Closed on 08/29/2019 at 05:43:52 PM
#6939 closed defect (rejected)
No-TLD restriction for content filters does not work if there's at least one non-TLD
| Reported by: | mjethani | Assignee: | mjethani |
|---|---|---|---|
| Priority: | P3 | Milestone: | |
| Module: | Core | Keywords: | closed-in-favor-of-gitlab |
| Cc: | hfiguiere, sebastian | Blocked By: | #7121 |
| Blocking: | Platform: | Unknown / Cross platform | |
| Ready: | yes | Confidential: | no |
| Tester: | Unknown | Verified working: | no |
| Review URL(s): | |||
Description (last modified by mjethani)
Environment
ABP 3.3.1 on Chrome, macOS 10.12.6
How to reproduce
- Add the filter com,example.com#$#log 'Hello, .com!'
- Load example.com in a new tab
- Open the DevTools console for the tab
- Load eyeo.com in a new tab
- Open the DevTools console for the tab
Observed behaviour
In both steps 3 and 5, you see "Hello, .com!" printed to the console
Expected behaviour
Since com isn't a valid domain as per the restrictions (which may be changed as part of resolving this issue, by the way), it should consistently not be allowed in element hiding emulation and snippet filters. At the very least the filter should not be applied on unrelated domains like eyeo.com. Even better, the filter should be considered invalid.
Additional notes
The no-TLD restriction doesn't work for suffixes like .co.in, for example, nor does it work for filters like com,example.com#$#bad-snippet as this issues shows.
There are a couple of ways to address this:
- Add an additional check for TLDs in ContentFilter.fromText; this additional check would reject any filters containing a TLD, like the one in this issue (unless it's localhost, see #6931); unfortunately this would also likely slow down the loading of the filters.
- Don't check for TLDs in ContentFilter.fromText, but instead, do one of the following: (1) do the check at the time of looking up the filters in Snippets.getFiltersForDomain, etc.; (2) check for well-known public suffixes instead, also in Snippets.getFiltersForDomain, etc; (3) don't check anything anywhere.
Also see ticket:6773#comment:13
Attachments (0)
Change History (10)
comment:1 Changed on 09/10/2018 at 12:59:06 PM by mjethani
- Cc hfiguiere sebastian added
comment:3 Changed on 09/10/2018 at 05:03:54 PM by mjethani
- Priority changed from Unknown to P3
- Ready set
comment:5 Changed on 11/15/2018 at 09:33:34 PM by mjethani
- Blocked By 7121 added
comment:6 Changed on 11/15/2018 at 09:38:41 PM by mjethani
By the way, I also had an alternative implementation of extracting the base domain based on the public suffix list.
comment:7 Changed on 03/17/2019 at 06:49:50 AM by mjethani
- Owner set to mjethani
comment:8 Changed on 07/09/2019 at 02:49:42 PM by mjethani
We have moved the public suffix list into Core (#7121). But we can't check for *.com because the generated publicSuffixList.json does not include com (even though it is part of Mozilla's public suffix list).
I shall think about this, but any ideas are welcome.
comment:9 Changed on 07/09/2019 at 05:46:19 PM by sebastian
If there is no entry in publicSuffixList.json, the last part of the domain (or the whole domain if it doesn't include a dot) is considered the TLD (or public suffix).
comment:10 Changed on 08/29/2019 at 05:43:52 PM by sebastian
- Keywords closed-in-favor-of-gitlab added
- Resolution set to rejected
- Status changed from new to closed
Sorry, but we switched to GitLab. If this issue is still relevant, please file it again in the new issue tracker.
This could be fixed after #7121.