Opened on 09/16/2018 at 02:02:17 PM
Closed on 09/26/2018 at 02:19:53 PM
Last modified on 03/07/2019 at 10:05:14 AM
#6953 closed defect (fixed)
Domain-based whitelisting does not work in data URI frames
Reported by: | mjethani | Assignee: | mjethani |
---|---|---|---|
Priority: | P3 | Milestone: | Adblock-Plus-3.5-for-Chrome-Opera-Firefox |
Module: | Platform | Keywords: | |
Cc: | sebastian, kzar | Blocked By: | |
Blocking: | | Platform: | Unknown / Cross platform |
Ready: | yes | Confidential: | no |
Tester: | Unknown | Verified working: | yes |
Review URL(s): |
Description (last modified by mjethani)
Environment
ABP 3.3.2 on Chrome
How to reproduce
Load the following web page in the browser:
```html
<img src="https://imgs.xkcd.com/comics/word_puzzles.png">
<script>
  document.addEventListener("DOMContentLoaded", () => {
    let f = document.createElement("iframe");
    f.src = "data:text/html;base64,PGltZyBzcmM9Imh0dHBzOi8vaW1ncy54a2NkLmNvbS9jb21pY3Mvd29yZF9wdXp6bGVzLnBuZyI+Cg==";
    //f.srcdoc = '<img src="https://imgs.xkcd.com/comics/word_puzzles.png">';
    document.body.appendChild(f);
  });
</script>
```
Now add the filters xkcd and @@$document,domain=localhost (change localhost to the domain the page is loaded from) and reload the page.
Observed behaviour
The image is loaded in the top frame but not in the subframe.
Expected behaviour
The image should be loaded in both the top frame and the subframe.
Additional notes
Anonymous frames using a data: URI combined with sitekeys is a technique I am investigating for some types of whitelisting. This needs to work correctly.
The issue is that, just like about: frames, the onCommitted for data: frames happens too late, so the frame object for the image request is not available at the time when checkWhitelisted is called. Upon further investigation, the real issue is that onCommitted doesn't even get the parent frame's ID, and onHeadersReceived is not fired for about: and data: frames.
Hints for testers
Whitelisting as described in the "How to reproduce" section should work for both about: and data: frames. For testing about: frames, uncomment the //f.srcdoc = line and comment out the previous line.
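The two failure modes mentioned under "Additional notes", replayed in a simplified model. This is an added example, not Adblock Plus code: the tracker, the frame ids, the data: URL and the matching rules are assumptions made for illustration.

```javascript
// Simplified model of per-frame exception checks (hypothetical names).
const IMG = "https://imgs.xkcd.com/comics/word_puzzles.png";
const DATA_FRAME = "data:text/html,%3Cimg%3E"; // constructed sample URL

function createTracker() {
  const frames = new Map(); // frameId -> {url, parent}
  return {
    record(frameId, url, parentFrameId = -1) {
      frames.set(frameId, {url, parent: frames.get(parentFrameId) || null});
    },
    // Walk from the requesting frame up to the top frame; a document
    // exception on any frame's domain in that chain exempts the request.
    isWhitelisted(frameId, domains) {
      for (let f = frames.get(frameId); f; f = f.parent) {
        // data: and about: URLs parse to an empty hostname, so only an
        // ancestor with a real hostname can match a domain= option.
        if (domains.has(new URL(f.url).hostname)) return true;
      }
      return false; // also reached when frameId was never recorded
    }
  };
}

function decide(tracker, request, blockSubstring, domains) {
  if (tracker.isWhitelisted(request.frameId, domains)) return "allow";
  return request.url.includes(blockSubstring) ? "block" : "allow";
}

// Replays "How to reproduce" with the filters `xkcd` and
// `@@$document,domain=localhost`. mode selects what the tracker knows
// about the data: subframe (id 7, constructed) when its image is requested:
//   "unrecorded" - frame not recorded yet
//   "orphan"     - frame recorded, but without its parent frame id
//   "linked"     - frame recorded and linked to the top frame
function simulate(mode) {
  const tracker = createTracker();
  const domains = new Set(["localhost"]);
  tracker.record(0, "http://localhost/test.html");
  const top = decide(tracker, {url: IMG, frameId: 0}, "xkcd", domains);
  if (mode === "orphan") tracker.record(7, DATA_FRAME);
  if (mode === "linked") tracker.record(7, DATA_FRAME, 0);
  const sub = decide(tracker, {url: IMG, frameId: 7}, "xkcd", domains);
  return {top, sub};
}

for (const mode of ["unrecorded", "orphan", "linked"])
  console.log(mode, simulate(mode));
```

Only the "linked" case allows the subframe image; in the other two the walk never reaches the whitelisted top frame, which matches the observed behaviour.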
Attachments (0)
Change History (8)
comment:1 Changed on 09/16/2018 at 02:02:40 PM by mjethani
- Cc sebastian kzar added
comment:3 Changed on 09/26/2018 at 01:08:55 PM by sebastian
- Priority changed from Unknown to P3
- Ready set
comment:4 Changed on 09/26/2018 at 02:17:35 PM by abpbot
comment:5 Changed on 09/26/2018 at 02:19:53 PM by mjethani
- Milestone set to Adblock-Plus-for-Chrome-Opera-Firefox-next
- Resolution set to fixed
- Status changed from new to closed
comment:8 Changed on 03/07/2019 at 10:05:14 AM by ukacar
- Verified working set
A commit referencing this issue has landed:
Issue 6953 - Update frame structure for data URI frames