Opened 6 months ago

Closed 6 months ago

Last modified 2 weeks ago

#6953 closed defect (fixed)

Domain-based whitelisting does not work in data URI frames

Reported by: mjethani Assignee: mjethani
Priority: P3 Milestone: Adblock-Plus-3.5-for-Chrome-Opera-Firefox
Module: Platform Keywords:
Cc: sebastian, kzar Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: yes Confidential: no
Tester: Unknown Verified working: yes
Review URL(s):

https://codereview.adblockplus.org/29882555/

Description (last modified by mjethani)

Environment

ABP 3.3.2 on Chrome

How to reproduce

Load the following web page in the browser:

<img src="https://imgs.xkcd.com/comics/word_puzzles.png">

<script>
document.addEventListener("DOMContentLoaded", () =>
{
  let f = document.createElement("iframe");
  f.src = "data:text/html;base64,PGltZyBzcmM9Imh0dHBzOi8vaW1ncy54a2NkLmNvbS9jb21pY3Mvd29yZF9wdXp6bGVzLnBuZyI+Cg==";
  //f.srcdoc = '<img src="https://imgs.xkcd.com/comics/word_puzzles.png">';
  document.body.appendChild(f);
});
</script>

Now add the filters xkcd and @@$document,domain=localhost (change localhost to the domain the page is loaded from) and reload the page.

Observed behaviour

The image is loaded in the top frame but not in the subframe.

Expected behaviour

The image should be loaded in both the top frame and the subframe.

Additional notes

Anonymous frames using a data: URI combined with sitekeys is a technique I am investigating for some types of whitelisting. This needs to work correctly.

The issue is that, just like about: frames, the onComitted for data: frames happens too late, so the frame object for the image request is not available at the time when checkWhitelisted is called. Upon further investigation, the real issue is that onComitted doesn't even get the parent frame's ID, and onHeadersReceived is not fired for about: and data: frames.

Hints for testers

Whitelisting as described in the "How to reproduce" section should work for both about: and data: frames. For testing about: frames, uncomment the //f.srcdoc = line and comment out the previous line.

Change History (8)

comment:1 Changed 6 months ago by mjethani

  • Cc sebastian kzar added

comment:2 Changed 6 months ago by mjethani

  • Review URL(s) modified (diff)

comment:3 Changed 6 months ago by sebastian

  • Priority changed from Unknown to P3
  • Ready set

comment:4 Changed 6 months ago by abpbot

A commit referencing this issue has landed:
Issue 6953 - Update frame structure for data URI frames

comment:5 Changed 6 months ago by mjethani

  • Milestone set to Adblock-Plus-for-Chrome-Opera-Firefox-next
  • Resolution set to fixed
  • Status changed from new to closed

comment:6 Changed 6 months ago by mjethani

  • Description modified (diff)

comment:7 Changed 6 months ago by mjethani

  • Description modified (diff)

comment:8 Changed 2 weeks ago by ukacar

  • Verified working set
Note: See TracTickets for help on using tickets.