Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New scriptlet type "simulate-event-poc" #2229

Closed
8 tasks done
dimisa-RUAdList opened this issue Aug 25, 2022 · 52 comments
Closed
8 tasks done

New scriptlet type "simulate-event-poc" #2229

dimisa-RUAdList opened this issue Aug 25, 2022 · 52 comments
Labels
enhancement New feature or request fixed issue has been addressed

Comments

@dimisa-RUAdList
Copy link

Prerequisites

I tried to reproduce the issue when...

  • uBO is the only extension
  • uBO with default lists/settings
  • using a new, unmodified browser profile

Description

New scriptlet type "simulate-event-poc"

A specific URL where the issue occurs

consent.google.com

Steps to Reproduce

Scenario description

European ip is required, for example: Netherlands

Requires incognito mode

Step 1
Opening google.com or google.nl

At this step, a modal window pops up asking us to accept cookies.
This is solved with: www.google.*##+js(abort-current-script, document.getElementById, CONSENT=YES)

Step 2
Opening from the bar menu in the upper right corner of news.google.com or news.google.nl

This step redirects to consent.google.com or consent.google.nl. And this is what needs to be addressed.

Install Adblock Plus and add there: consent.google.com,consent.google.nl#$#simulate-event-poc click button

This rule will automatically click on the reject cookie button. I propose to create a similar scriptlet, only more advanced in terms of targeting. The rule for Adblock Plus has to be made too general for it to work.

Yes, I know that uBlock Origin doesn't resolve cookie issues by default, but third party filters such as EasyList Cookie or BitBlock can resolve these issues. Also, the new scriptlet can be useful in other cases when you need to make a click, without which the actions are frozen.

Expected behavior

unknow

Actual behavior

unknow

uBlock Origin version

uBlock Origin development build 1.44.1b2

Browser name and version

Google Chrome 104.0.5112.102, Firefox 104.0

Operating System and version

Windows 7, macOS Monterey

@peace2000
Copy link
Member

peace2000 commented Aug 25, 2022

GDPR dialogs are as annoying as ads. Maybe even more. This would be very nice indeed.

@peace2000
Copy link
Member

peace2000 commented Aug 25, 2022

Currently, ABP use it two times in their Anti CV list:

https://github.com/abp-filters/abp-filters-anti-cv/blob/master/english.txt

www.linkedin.com#$#simulate-event-poc click 'xpath(//*[text()="Promoted" or text()="Sponsored" or text()="Dipromosikan" or text()="Propagováno" or text()="Promoveret" or text()="Anzeige" or text()="Promocionado" or text()="促銷內容" or text()="Post sponsorisé" or text()="프로모션" or text()="Post sponsorizzato" or text()="广告" or text()="プロモーション" or text()="Treść promowana" or text()="Patrocinado" or text()="Promovat" or text()="Продвигается" or text()="Marknadsfört" or text()="Nai-promote" or text()="ได้รับการโปรโมท" or text()="Öne çıkarılan içerik" or text()="الترويج"]/ancestor::div[@data-id]//video[@autoplay="autoplay"])' 10
~~
! Fallback
www.youtube.com,m.youtube.com,music.youtube.com,youtube-nocookie.com#$#simulate-event-poc click button.ytp-ad-skip-button

I have seen people occasionally complaining (not sure if it was here uBlockOrigin/uAssets#7636 or on Reddit) that uBO has slipped through ads on Youtube. That doesn't happen often but few times that has happened to me too. That kind of "fallback" that they have on Anti CV could maybe help to tackle those randomly slipping through ads.

@gwarser gwarser added the enhancement New feature or request label Aug 25, 2022
@krystian3w
Copy link

krystian3w commented Aug 25, 2022

Dropped long time ago when jspenguin tried fix cookie walls.

uBlockOrigin/uAssets#2099

@Yuki2718
Copy link

Yes, it's a duplicate. Clicker brings whole new class of security risk which can not fully be patched even if limited to privileged list: an attcker who gained partial access to a site and knows uBO auto-clicks an element can exploit this. This is becoming more risky than in past as nowadays even state-sponsored actor tends to combine social-engineering for user's single click. Regarding cookie nug, IMO a scriptlet which should first be introduced will be set-cookie. This solves a lot of currently-unfixable dialog and setting an empty cookie whose name is restricted to be one of pre-defined names is far less risky than auto-click. But gorhill declined this too as is not willing to add something not exist. One reason I love and trust uBO is that he always takes serious consideration of security and privacy before adding a feature. Those who don't and take every nice or convenient feature demanded suffer vulnerability. Prevention is better than cure.

@MasterKia
Copy link
Member

MasterKia commented Aug 27, 2022

Clicker brings whole new class of security risk which can not fully be patched even if limited to privileged list

Those who take every nice or convenient feature demanded suffer vulnerability. Prevention is better than cure.

AdGuard is allowing auto-clicks (e.g. for cookie dialogs) through vanilla JS rules in the trusted lists.

@krystian3w
Copy link

I don't Care about Cookies also have click scripts, so hacker can break popular page if addon is bug free.

@dimisa-RUAdList
Copy link
Author

Another example: https://mcrypto.club/?go=sskN > https://coinsparty.com/sskN

For Adblock Plus: coinsearns.com,mcrypto.club#$#simulate-event-poc click .wpsafelink-button

@gorhill
Copy link
Member

gorhill commented Sep 18, 2022

We will need the concept of trusted lists before we think of allowing such capabilities.

@troysjanda
Copy link

We will need the concept of trusted lists before we think of allowing such capabilities.

Exactly, this can be dangerous to allow auto clicking, or for that matter auto anything. Just my opinion.

@peace2000
Copy link
Member

Imo, actually, if uBO would handle GDPR dialogs, in some cases it could be considered as an act of privacy.

E.g. When you use Google, you'll have to either accept or reject Google's permission to use cookies to show personalized ads.

If uBO would click "Reject all", that would be for the benefit of the user's privacy. It's at least better than "Accept all". Many people might just click "Accept all" without thinking, not knowing that they could also click "Reject all".

kuva

@Yuki2718
Copy link

Yuki2718 commented Apr 10, 2023

Most websites just take none-click (by hiding GDPR notice or not) as acceptance. So it's rather opposite and in fact some people prefer not hiding them because of this. For the security reason we should limit auto-click only on sites no other solution works even if the scriptlet is adopted. Clicking all cookie-notice is security-nightmare.

@peace2000
Copy link
Member

@Yuki2718 I agree.

@krystian3w
Copy link

Using an external tracker will block EP, rather few people know how to write a good module from scratch or rename a piwik/matomo anymore.

@krystian3w
Copy link

krystian3w commented Jun 10, 2023

If ASAP you can write clickers in Polish Cookie Consent:


Possible of clickers:

https://polishannoyancefilters.netlify.app/en/PolishCookieConsent/syntax/

If css selector does not work then was limited to xPath syntax by hawkeye.
For now addon do not scope frames to safe performance of website.

@YoshiTabletopGamer
Copy link

YoshiTabletopGamer commented Oct 15, 2023

See this commit going for the beta gorhill/uBlock@7af88b025d
What happens to the concerns about security issues?
As Yuki (erroneously?) said,

Yes, it's a duplicate. Clicker brings whole new class of security risk which can not fully be patched even if limited to privileged list: an attcker who gained partial access to a site and knows uBO auto-clicks an element can exploit this. This is becoming more risky than in past as nowadays even state-sponsored actor tends to combine social-engineering for user's single click. Regarding cookie nug, IMO a scriptlet which should first be introduced will be set-cookie. This solves a lot of currently-unfixable dialog and setting an empty cookie whose name is restricted to be one of pre-defined names is far less risky than auto-click. But gorhill declined this too as is not willing to add something not exist. One reason I love and trust uBO is that he always takes serious consideration of security and privacy #46 (comment). Those who don't and take every nice or convenient feature demanded suffer vulnerability. Prevention is better than cure.

@YoshiTabletopGamer
Copy link

YoshiTabletopGamer commented Oct 15, 2023

Do not trust Github's search tool
Adguard has had trusted-click-element for more than 10 months, and I found by a search on the filters and it's currently used 8 times. That's less than once a month per filter.

@YoshiTabletopGamer
Copy link

A committer to the Adguard Scriptlets repository had worries too

@YoshiTabletopGamer
Copy link

gorhill once worried about this

I want to think more about this, basically I want to figure what could go wrong by having filters which can automatically click stuff. These make me uncomfortable. My first thought is that this should at least apply only to visible elements. The question to answer is how could this be misused by either filter list maintainers or site owners.

@peace2000
Copy link
Member

gorhill once worried about this

I want to think more about this, basically I want to figure what could go wrong by having filters which can automatically click stuff. These make me uncomfortable. My first thought is that this should at least apply only to visible elements. The question to answer is how could this be misused by either filter list maintainers or site owners.

This comment was made before the concept of "trusted lists". #2229 (comment)

Clicking scriptlet is only allowed in uBO's own internal lists and in the custom filters of a user.

@iam-py-test
Copy link
Contributor

only allowed in uBO's own internal lists

There is still the risk that uBO's lists could be compromised.

@YoshiTabletopGamer
Copy link

If the filterlists were signed, both the (in this case malicious) contributor of a malicious filter and the host would need to collude. This is extremely unlikely if the host is itself trustworthy

@YoshiTabletopGamer
Copy link

It really depends on your threat model

@gorhill
Copy link
Member

gorhill commented Oct 15, 2023

Autoclicking advertisements
Autoclicking the download of some file, trying to trick the user into confirming the download (Firefox has a download confirmation window, unlike Chrome which by default does not) and executing malware

This can already be accomplished by malicious parties without them having to wait for a trusted-click-element injection. They also can write code which auto-click whatever they would want to be auto-clicked. I don't see why you think trusted-click-element creates this scenario, any site can already do this with or without a content blocker involved, and with or without trusted-click-element involved, they have access to the same JS capabilities.

@YoshiTabletopGamer
Copy link

YoshiTabletopGamer commented Oct 15, 2023

I have made the retraction of a particular comment more clear. I saw Yuki's comment, and thought this might be worrying, even though we do not have "concrete" examples (yet).

@YoshiTabletopGamer
Copy link

YoshiTabletopGamer commented Oct 15, 2023

I wonder if @Yuki2718 also forgot about the fact malicious webpages can already use HTMLElement.click().


In short, if your threat model involves the trusted filterlist host altering the trusted filterlists behind the scenes to use trusted events against you, this may be worrying depending on the context.

There are multiple hosts responsible for Ublock Origin's trusted lists (#2229 (comment))

@uBlock-user
Copy link
Contributor

addressed in gorhill/uBlock@7af88b025d

@uBlock-user uBlock-user added the fixed issue has been addressed label Oct 16, 2023
@YoshiTabletopGamer
Copy link

YoshiTabletopGamer commented Oct 16, 2023

I think we would still need to defend its (very low) usage

@Yuki2718
Copy link

I wonder if @Yuki2718 also forgot about the fact malicious webpages can already use HTMLElement.click().

This is why I said partial access.

@YoshiTabletopGamer
Copy link

I wonder if @Yuki2718 also forgot about the fact malicious webpages can already use HTMLElement.click().

This is why I said partial access.

Well, this is the interesting bit. I could not imagine a situation where partial access of a hacker to a website can make Ublock Origin go against itself

@gorhill
Copy link
Member

gorhill commented Oct 16, 2023

@YoshiTabletopGamer
Copy link

YoshiTabletopGamer commented Oct 16, 2023

@Yuki2718, are you in favor of the scriptlet as-it-is? Major websites have been using anti blocker techniques more frequently, and I notice more trusted scriptlets are getting added to Ubo. What do you think? Your comment was the reason I started this conversation. The following is as concrete as I have made it (#2229 (comment))

@YoshiTabletopGamer
Copy link

Or do you believe the concept of a trusted list is enough?

@gorhill
Copy link
Member

gorhill commented Oct 16, 2023

@YoshiTabletopGamer I don't understand the point of your comments. Instead of asking others what they believe, you should rather make the case with proof of concepts of why there are issues with the trusted filter options, then we can talk about something concrete that can be addressed. Both AdGuard and ABP have been supporting trusted-click-element (or equivalent for ABP) long before uBO, so I do feel confident about it in uBO given it has been "road-tested", and because it can only be used by trusted uBO volunteers.

@YoshiTabletopGamer
Copy link

The only "concrete argument" I have against trusted scriptlets is here:

The current hosts and CDNs of the Ublock Origin filter lists

  • Github
  • Cloudflare (pages.dev)
  • jsdelivr
  • statically.io

Can theoretically send malicious filters to users.

With the exception of userResourcesLocation, a supply chain attack used to not be a worry at all when referring to Ublock Origin's filter lists.

Signing filter lists would allow we to be sure, even without looking at them, that the file comes unaltered from the maintainers. Obviously, signing filter lists in a practical manner is something extremely difficult.

@gorhill
Copy link
Member

gorhill commented Oct 16, 2023

Can theoretically send malicious filters to users

That's not specific to uBO, this can happen to all projects hosted on these CDNs.

@YoshiTabletopGamer
Copy link

By malicious, I mean one that can execute arbitrary code*. More specifically, trusted filters being altered by a malicious CDNs to some end users. I believe the most harm a non trusted filter can usually do is deface a website.

@YoshiTabletopGamer
Copy link

I'm not asking you to get rid these filters. They are great. I just noticed that in the past, such attacks (when trusted filters did not exist) were not possible at all. That's my only worry about this.

@gwarser
Copy link

gwarser commented Oct 16, 2023

Firefox simulates click to close cookie dialogs too https://github.com/mozilla/cookie-banner-rules-list#test-rules

@gorhill
Copy link
Member

gorhill commented Oct 16, 2023

I could add an advanced setting allowing whoever to control the trust level, allowing that all trusted filters to be rejected. Eventually maybe a user interface for that control if we can figure an elegant one.

@YoshiTabletopGamer
Copy link

Thank you! Maybe I'm just too paranoid (lol)

@YoshiTabletopGamer
Copy link

I also imagine something like logging all trusted filters ever used in the extension. Although that will probably have performance issues.

@krystian3w
Copy link

krystian3w commented Oct 17, 2023

Filtering the current state is unlikely to be difficult, just save yourself a snapshot of the AdGuard lists, uBo lists and one ABP list and filter by any method (grep in console, Notepad++ in GUI on Windows).

What may be more difficult is to efficiently extract outdated versions of scriptlets from their git history (At the same time, I don't see any use in catching an obsolete method).

@YoshiTabletopGamer
Copy link

What I mean is, hypothetically someone (a high risk user) who wants to use trusted filters can quickly look at all the trusted filters being used and verify they are not malicious

@YoshiTabletopGamer
Copy link

YoshiTabletopGamer commented Oct 17, 2023

You could grep it, sure, but that would envolve downloading multiple lists and searching each one

@YoshiTabletopGamer
Copy link

YoshiTabletopGamer commented Oct 17, 2023

I imagined something like a button in the interface to show in a new window all trusted filters currently active

@iam-py-test
Copy link
Contributor

iam-py-test commented Oct 17, 2023

You could grep it, sure, but that would envolve downloading multiple lists and searching each one

You can search filterlists within uBo, but it has to be done filterlist-by-filterlist
image
You can see all network/cosmetic filters in the uBo devtools (Support panel -> Troubleshooting Information -> More), but scriptlets do not seem to be included.

@gwarser
Copy link

gwarser commented Oct 18, 2023

You could grep it, sure, but that would envolve downloading multiple lists and searching each one

This may help https://github.com/gwarser/filter-lists-tools/blob/master/download-assets.json-all.sh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request fixed issue has been addressed
Projects
None yet
Development

No branches or pull requests