Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

First-party domain blocking #14134

Closed
pilgrim-brave opened this issue Feb 12, 2021 · 18 comments · Fixed by brave/brave-core#7952
Closed

First-party domain blocking #14134

pilgrim-brave opened this issue Feb 12, 2021 · 18 comments · Fixed by brave/brave-core#7952

Comments

@pilgrim-brave
Copy link

pilgrim-brave commented Feb 12, 2021

Other third-party blocking tools allow filter list authors to block the top-level, first-party request. This is useful when a page is overall harmful, but doesn’t fit SafeBrowsing’s threat model. It’s also useful as a defense-in-depth against phishing, bounce tracking, etc.

Brave currently does not have this capability. We don’t currently have a flexible way of saying “this page shouldn’t be loaded / given first-party storage”. The current way of doing this is SafeBrowsing (which we don’t control / fork) or rules that still load the page, but block all sub resources (i.e. https://*$domain=evil.org). Neither of these provide the security and privacy benefits of blocking the initial page load (e.g. inline scripts, bounce tracking, etc).

An implementation should

  • Display the domain being blocked
  • Allow user to proceed (to the requested page) or go back (to the previous page)
  • Cause zero network requests before the user decides to proceed
  • Allow user to create a permanent exception for the domain
@stephendonner
Copy link

Hi @pilgrim-brave - would you be able to help QA by devising a mini test-plan to put in brave/brave-core#7952, for us to key off?

I see the cases in https://github.com/brave/brave-core/blob/34f21675d82ed24168d057b69735ffb5f47cab07/browser/brave_shields/domain_block_page_browsertest.cc; if those would work for us, to test manually, can you help take a few examples of them and distill them into step-by-step tests?

And can you confirm they are in Adblock Plus filter format via brave://adblock (https://adblockplus.org/filter-cheatsheet)?

Thanks! 🙏

(ccing: @brave/legacy_qa and setting QA/Blocked, just until we're able to sync up on a good test-plan for this 🤜 🤛 )

@stephendonner stephendonner added QA/In-Progress Indicates that QA is currently in progress for that particular issue and removed QA/Blocked labels Mar 16, 2021
@stephendonner
Copy link

stephendonner commented Mar 16, 2021

Verified PASSED with the following simple steps from brave/brave-core#7952 (review) and brave/brave-core#7952 (comment), with build

Brave 1.23.41 Chromium: 89.0.4389.90 (Official Build) nightly (x86_64)
Revision 62eb262cdaae9ef819aadd778193781455ec7a49-refs/branch-heads/4389@{#1534}
OS macOS Version 11.2.3 (Build 20D91)

Default blocking

  1. new profile
  2. loaded 1-1ads.com and others, below, from the list https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
  3. confirmed I got Suspicious site ahead warnings for each
1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
Screen Shot 2021-03-16 at 2 35 31 PM Screen Shot 2021-03-16 at 2 35 51 PM Screen Shot 2021-03-16 at 2 35 45 PM Screen Shot 2021-03-16 at 2 35 41 PM Screen Shot 2021-03-16 at 2 35 35 PM

Toggled Enable domain blocking to Disabled

  1. new profile
  2. loaded 1-1ads.com and others from the list https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
  3. confirmed I got Suspicious site ahead warning, as above
  4. went to brave://flags and toggled Enable domain blocking from Default to Disabled
  5. restarted Brave
  6. loaded 1-1ads.com, adapt.tv, zzhc.vnet.cn and others

Confirmed I got no interstitial pages, and was served the site (or not) as it exists/doesn't.

1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
Screen Shot 2021-03-16 at 2 18 55 PM Screen Shot 2021-03-16 at 2 26 19 PM Screen Shot 2021-03-16 at 2 27 03 PM Screen Shot 2021-03-16 at 2 31 52 PM Screen Shot 2021-03-16 at 2 27 59 PM

Verification passed on

Brave | 1.23.56 Chromium: 89.0.4389.105 (Official Build) dev (64-bit)
-- | --
Revision | 14f44e21a9d539cd49c72468a29bfca4fa43f710-refs/branch-heads/4389_90@{#7}
OS | Windows 10 OS Version 2004 (Build 19041.867)

Verified PASSED with the following simple steps from brave/brave-core#7952 (review) and brave/brave-core#7952 (comment)

Enable domain blocking = Default

  1. new profile
  2. loaded 1-1ads.com and others, below, from the list https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
  3. confirmed I got Suspicious site ahead warnings for each
1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
image image image image image

Enable domain blocking = Disabled

  1. new profile
  2. loaded 1-1ads.com and others from the list https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
  3. confirmed I got Suspicious site ahead warning, as above
  4. went to brave://flags and toggled Enable domain blocking from Default to Disabled
  5. restarted Brave
  6. loaded 1-1ads.com, adapt.tv, zzhc.vnet.cn and others

Confirmed I got no interstitial pages, and was served the site (or not) as it exists/doesn't.

1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
image image image image image

Verified passed with

Brave	1.23.63 Chromium: 89.0.4389.114 (Official Build) beta (64-bit)
Revision	1ea76e193b4fadb723bfea2a19a66c93a1bc0ca6-refs/branch-heads/4389@{#1616}
OS	Linux

Used brave/brave-core#7952 (review) and brave/brave-core#7952 (comment) as guide as above.

Default blocking

  1. new profile
  2. loaded 1-1ads.com and others, below, from the list https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
  3. confirmed I got Suspicious site ahead warnings for each
  4. Confirmed "Go Back" button worked as expected
  5. Confirmed "Proceed" button worked as expected
  6. Confirmed checkbox worked as expected
1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
1-1ads actionsplash adapt tv pub chez zzhc

Toggled Enable domain blocking to Disabled

  1. new profile
  2. loaded 1-1ads.com and others from the list https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
  3. confirmed I got Suspicious site ahead warning, as above
  4. went to brave://flags and toggled Enable domain blocking from Default to Disabled
  5. restarted Brave
  6. loaded 1-1ads.com, adapt.tv, zzhc.vnet.cn and others

Confirmed I got no interstitial pages, and was served the site (or not) as it exists/doesn't.

1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
1 2 3 4 5

@stephendonner stephendonner added QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Mar 16, 2021
@pes10k
Copy link
Contributor

pes10k commented Mar 17, 2021

Howdy @karenkliu , @antonok-edm noticed that there are different designs used in a previous version of this issue (#8559). Just wanted to check if the designs in this version all look 👍 (and the designs in #8559 are out of date) or if changes are needed here

@karenkliu
Copy link

@pes10k It's the reverse; the designs in this version are out of date. It should look like this:

Desktop:
image

Mobile:
image

Missing front-end engineering support on this. We still haven't done the umbrella issue for interstitial pages: brave/brave-ios#483 That's why the designs in this version are out of date too.

@pes10k
Copy link
Contributor

pes10k commented Mar 17, 2021

I see, thanks @karenkliu. Would it be okay to go forward with the current, implemented design, and then update the UI for this feature in the future, we the "update all the interstitials" issue is tackled?

@karenkliu
Copy link

@pes10k NO! 😠 . Just kidding 😆 Yeah, this has to be the approach for all the design system-related debt that needs to be tackled one piece at a time. Implemented design seems fine for now.

@LaurenWags
Copy link
Member

@pes10k noticed the umbrella issue you referenced is for iOS (brave/brave-ios#483) and there is #7464 for Android, but is there one for desktop?

@pes10k
Copy link
Contributor

pes10k commented Mar 18, 2021

@LaurenWags I don't think there is currently a separate issue for desktop. @karenkliu, do you know if there is there a similar plan to revamp the desktop interstitials too?

@karenkliu
Copy link

@pes10k @LaurenWags The interstitials should be the same across all platforms. I believe they're done in plain HTML/CSS so Android and desktop can share #7464 ?

@LaurenWags
Copy link
Member

cool, thanks @karenkliu - when I looked at #7464 it didn't have the OS/Desktop label and I didn't want to assume everything would be the same.

@karenkliu
Copy link

@LaurenWags I think it was just missed - thanks for checking - I added the label just now!

@srirambv
Copy link
Contributor

srirambv commented Apr 7, 2021

Verification passed on OnePlus 6T with Android 10 running 1.23.63 x64 build

Enable domain blocking set to Default
  • Verified Enable domain blocking set to default on a clean install shows Suspicious site ahead interstitial page
1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
image image image image image
Enable domain blocking set to Disabled
  • Verified Enable domain blocking set to disabled doesn't show any interstitial page
1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
image image image image image

Verification passed on Samsung Tab A with Android 10 running 1.23.63 x64 build

Enable domain blocking set to Default
  • Verified Enable domain blocking set to default on a clean install shows Suspicious site ahead interstitial page
1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
image image image image image
Enable domain blocking set to Disabled
  • Verified Enable domain blocking set to disabled doesn't show any interstitial page
1-1ads.com actionsplash.com adapt.tv pub.chez.com zzhc.vnet.cn
image image image image image

@LaurenWags
Copy link
Member

re-labeling as release-notes/exclude as this feature has been turned off in Release Channel with #15149

@bsclifton
Copy link
Member

bsclifton commented Apr 14, 2021

@LaurenWags do you know when are we wanting this to "ship"? (ex: would we potentially include release notes for this in the future?)

I know we can flip on using variations - but there may be some other work we'd like to include before it's live across the board (ex: #15189). Wasn't sure if there was a date attached

@pes10k
Copy link
Contributor

pes10k commented May 18, 2021

@bsclifton apologies on the delay replying here, but the current plan is:

  1. Ship domain blocking, on by default, but only applied in "aggressive" blocking mode (this is the interstitial approach). This is shipped in nightly and beta.
  2. @goodov is working on Implement 1p Ephemeral Storage Functionality (functionality) #15906, which will allow us to "bounce" through untrusted / privacy harming 1p sites, without giving them access to storage. This is still under development, but when it ships, it'll be on by default when ad blocking is in default or aggressive modes, and applied to any origin / request labeled for domain blocking
  3. @pilgrim-brave is working on Incorporate "debouncing" lists as part of top-level domain blocking #15090, which will allow Brave to automatically bypass known bounce trackers, but grabbing destination URLs out of a URL (from query params, etc), and visiting the dest URL instead of the bounce tracker (e.g., if we saw https://bounce-tracker.com?dest=https%3A%2F%2Fdest.com, Brave would know to never visit bounce-tracker.com, and instead go straight to https://dest.com). This will also be on by default, and applied in default and aggressive modes.

This is also tracked on this board: https://github.com/brave/brave-browser/projects/41#card-58260630

Hope thats all clarifying, at least a bit, happy to explain / spec / say more too if it'd be helpful :)

@marekciupak
Copy link

marekciupak commented Sep 13, 2023

Has this been introduced in iOS as well? 🤔

It works for me on Linux desktop but it doesn't work on iOS.

@pes10k
Copy link
Contributor

pes10k commented Sep 13, 2023

@marekciupak yes, this is currently only supported on Desktop and Android, though support on iOS is planned for this year

@marekciupak
Copy link

@pes10k thank you for a quick answer! I really appreciate that. Do you know if there any place where I can follow the progress of introducing it to iOS? Any issue or ticket?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

9 participants