#6954 closed defect (invalid)

Domain-based whitelisting does not work for content filtering in subframes

Reported by: mjethani
Assignee:
Priority: P2
Milestone:
Module: Platform
Keywords:
Cc: sebastian, kzar
Blocked By:
Blocking:
Platform: Unknown / Cross platform
Ready: no
Confidential: no
Tester: Unknown
Verified working: no
Review URL(s):

Description (last modified by mjethani)

Environment

ABP 3.3.2 on Chrome

How to reproduce

Host the following document on foo.com:

    <!-- foo.com/test.html -->
    <img src="https://imgs.xkcd.com/comics/word_puzzles.png">
    <iframe src="http://bar.com/test.html"></iframe>

Host the following document on bar.com:

    <!-- bar.com/test.html -->
    <img src="https://imgs.xkcd.com/comics/word_puzzles.png">

Add the filters ##img and @@$document,domain=bar.com.

Now load foo.com/test.html in the browser.

Observed behaviour

All images are hidden.

Expected behaviour

The image in the subframe bar.com/test.html should be visible because of the second filter.

Additional notes

This code in lib/whitelisting.js:

    while (frame)
    {
      let parentFrame = frame.parent;
      let filter = match(page, frame.url, typeMask,
                         extractHostFromFrame(parentFrame, originUrl),
                         getKey(page, frame, originUrl));
      
      ...

It goes straight to the parent frame. This works for blocking filters because we look at the hostname in the initiator property as a fallback (so it only works incidentally and not necessarily because the logic is correct), but we don't do this for content filters.

Change History (5)

comment:1 Changed 12 months ago by mjethani

  • Description modified (diff)

comment:2 Changed 12 months ago by sebastian

  • Owner set to sebastian
  • Priority changed from Unknown to P2
  • Ready set

Good catch! This is quite bad. I'd still like to have it fixed with 3.4.

comment:3 Changed 12 months ago by sebastian

  • Owner sebastian deleted
  • Ready unset

Wait! I first thought that this might have been a regression of #6543. But it seems the behavior was the same before, and on second thought the behavior seems to be correct. The $domain option refers to the parent document. So @@$document,domain=bar.com means: Whitelist any document (and all of its sub-resources) that is loaded in a frame on another document with the domain bar.com.

comment:4 Changed 11 months ago by mjethani

Alright, that makes sense. It's not a bug then.

comment:5 Changed 11 months ago by mjethani

  • Resolution set to invalid
  • Status changed from new to closed
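
The semantics this ticket settles on, as an added sketch that is not code from Adblock Plus: a `$document` exception with a `$domain` option is checked against the host of each frame's parent document while walking up the frame chain. The helpers `parseDocumentException`, `hostMatches`, `chain` and `findDocumentException` and the `baz.example` URL are hypothetical, only the `$domain` option is modelled, and giving the top-level frame an empty parent host is an assumption.

```javascript
"use strict";

// Parse "@@$document,domain=a.com|b.com". Only the $domain option is modelled;
// the empty URL pattern of such a filter matches every frame URL.
function parseDocumentException(text) {
  const m = /^@@\$document,domain=(.+)$/.exec(text);
  if (!m) throw new Error("unsupported filter: " + text);
  return {text, domains: m[1].split("|")};
}

// A host matches a filter domain if it is that domain or a subdomain of it.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Build a frame chain from URLs listed top-level first; returns the innermost frame.
function chain(...urls) {
  return urls.reduce((parent, url) => ({url, parent}), null);
}

// Walk from the given frame up to the top-level frame. At each step the
// $domain option is compared with the host of the frame's PARENT document,
// not with the host of the frame itself.
function findDocumentException(frame, filters) {
  for (; frame; frame = frame.parent) {
    // Assumption: the top-level frame has no parent document, so no host.
    const docHost = frame.parent ? new URL(frame.parent.url).hostname : "";
    const hit = filters.find(f => f.domains.some(d => hostMatches(docHost, d)));
    if (hit) return hit;
  }
  return null;
}

const demoFilters = [parseDocumentException("@@$document,domain=bar.com")];
// Ticket scenario: bar.com framed by foo.com. The parent host is foo.com, so no match.
const ticketCase = chain("http://foo.com/test.html", "http://bar.com/test.html");
// Constructed scenario: a frame loaded inside a bar.com document, so the filter matches.
const framedByBar = chain("http://bar.com/test.html", "http://baz.example/ad.html");
console.log(findDocumentException(ticketCase, demoFilters));
console.log(findDocumentException(framedByBar, demoFilters).text);
```

A filter list author who wants to exempt bar.com documents themselves, wherever they are framed, cannot rely on `$domain` for that under these semantics, which is why the ticket's test page still hides the image.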