Opened 2 years ago

Closed 2 years ago

Last modified 19 months ago

#6953 closed defect (fixed)

Domain-based whitelisting does not work in data URI frames

Reported by: mjethani Assignee: mjethani
Priority: P3 Milestone: Adblock-Plus-3.5-for-Chrome-Opera-Firefox
Module: Platform Keywords:
Cc: sebastian, kzar Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: yes Confidential: no
Tester: Unknown Verified working: yes
Review URL(s):

https://codereview.adblockplus.org/29882555/

Description (last modified by mjethani)

Environment

ABP 3.3.2 on Chrome

How to reproduce

Load the following web page in the browser:

<img src="https://imgs.xkcd.com/comics/word_puzzles.png">

<script>
document.addEventListener("DOMContentLoaded", () =>
{
  let f = document.createElement("iframe");
  f.src = "data:text/html;base64,PGltZyBzcmM9Imh0dHBzOi8vaW1ncy54a2NkLmNvbS9jb21pY3Mvd29yZF9wdXp6bGVzLnBuZyI+Cg==";
  //f.srcdoc = '<img src="https://imgs.xkcd.com/comics/word_puzzles.png">';
  document.body.appendChild(f);
});
</script>

Now add the filters xkcd and @@$document,domain=localhost (change localhost to the domain the page is loaded from) and reload the page.

Observed behaviour

The image is loaded in the top frame but not in the subframe.

Expected behaviour

The image should be loaded in both the top frame and the subframe.

Additional notes

Anonymous frames using a data: URI combined with sitekeys is a technique I am investigating for some types of whitelisting. This needs to work correctly.

The issue is that, just like about: frames, the onComitted for data: frames happens too late, so the frame object for the image request is not available at the time when checkWhitelisted is called. Upon further investigation, the real issue is that onComitted doesn't even get the parent frame's ID, and onHeadersReceived is not fired for about: and data: frames.

Hints for testers

Whitelisting as described in the "How to reproduce" section should work for both about: and data: frames. For testing about: frames, uncomment the //f.srcdoc = line and comment out the previous line.

Change History (8)

comment:1 Changed 2 years ago by mjethani

  • Cc sebastian kzar added

comment:2 Changed 2 years ago by mjethani

  • Review URL(s) modified (diff)

comment:3 Changed 2 years ago by sebastian

  • Priority changed from Unknown to P3
  • Ready set

comment:4 Changed 2 years ago by abpbot

A commit referencing this issue has landed:
Issue 6953 - Update frame structure for data URI frames

comment:5 Changed 2 years ago by mjethani

  • Milestone set to Adblock-Plus-for-Chrome-Opera-Firefox-next
  • Resolution set to fixed
  • Status changed from new to closed

comment:6 Changed 2 years ago by mjethani

  • Description modified (diff)

comment:7 Changed 2 years ago by mjethani

  • Description modified (diff)

comment:8 Changed 19 months ago by ukacar

  • Verified working set
Note: See TracTickets for help on using tickets.