cosmetic filters in about:blank iframe #688

Closed
4 of 8 tasks
krystian3w opened this issue Jul 30, 2019 · 38 comments
Labels
bug Something isn't working

Comments

@krystian3w

krystian3w commented Jul 30, 2019

Apester - Interactive content

Prerequisites

  • I verified that this is not a filter issue
  • This is not a support issue or a question
  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue
    • Your issue may already be reported.
  • I tried to reproduce the issue when...
    • uBlock Origin is the only extension
    • uBlock Origin with default lists/settings
    • using a new, unmodified browser profile
  • I am running the latest version of uBlock Origin
  • I checked the documentation to understand that the issue I report is not a normal behavior

Description

How to block social in iframes now?

[image]

A specific URL where the issue occurs

https://itsfoss.com/end-of-floppy-disk-in-linux/

old methods down...:

apester.com,itsfoss.com##[class^="StyledShareProviderButtons"].ProviderIcons, [class^="StyledShareProviderButtons"].ProvidersText

I don't prefer the AdGuard Annoyance filter:

||apester.com^$third-party

Steps to reproduce

@mapx-

mapx- commented Jul 30, 2019

I get no such stuff, however you already have a working filter (adguard one)

@mapx- mapx- closed this as completed Jul 30, 2019
@gwarser

gwarser commented Jul 30, 2019

StyledShareProviderButton - without 's' at the end. wait a sec.

@mapx- it's in the quiz at the end of the article


about:blank iframe

@krystian3w
Author

I try to block only 3 elements, not the whole widget.

@mapx-

mapx- commented Jul 30, 2019

||images.apester.com/user-images*.gif$image,domain=itsfoss.com

@liamengland1

That will block other assets used by the iframe, how about ||images.apester.com/user-images%2F*%2F*.gif

Facebook icon: https://images.apester.com/user-images%2Fee%2Feebc3aaa9ad3157935316990e7547c67.gif
Twitter icon: https://images.apester.com/user-images%2Fb8%2Fb81daaab56b92112c7d1cae2a256c249.gif

@mapx- mapx- reopened this Jul 30, 2019
@uBlock-user
Contributor

uBlock-user commented Aug 2, 2019

> I don't prefer the AdGuard Annoyance filter:

what's wrong with ||apester.com^$third-party ?

@krystian3w
Author

It removes the whole plugin from the site. In the past it was possible to remove 3 elements from the last "slide".

Now only two with a network filter, if the names of the files are stable.

@gwarser

gwarser commented Aug 2, 2019

@gorhill how to cosmetically hide elements in about:blank iframe?

In this case:

  • open https://itsfoss.com/end-of-floppy-disk-in-linux/
  • scroll to the end of article
  • finish quiz or click on the arrow in frame top right corner
  • try hiding social icons and subtitle

@gorhill
Member

gorhill commented Aug 2, 2019

I would need to fix uBO's code to use match_about_blank and further add code to lookup context from the first ancestor window which is not about:blank.

@mapx- mapx- transferred this issue from uBlockOrigin/uAssets Aug 2, 2019
@mapx- mapx- changed the title from "Apester - Interactive content" to "[cosmetic filters in about:blank iframe] Apester - Interactive content" Aug 2, 2019
@mapx- mapx- added the something to address label Aug 2, 2019
@mapx-

mapx- commented Aug 2, 2019

@gorhill
how to cosmetically hide elements in about:blank iframe moved here (uBlock issues)

@krystian3w krystian3w changed the title from "[cosmetic filters in about:blank iframe] Apester - Interactive content" to "cosmetic filters in about:blank iframe" Aug 2, 2019
@uBlock-user uBlock-user added the bug label and removed the something to address label Aug 28, 2019
gorhill added a commit to gorhill/uBlock that referenced this issue Jul 19, 2020
Related issues:
- uBlockOrigin/uBlock-issues#688
- uBlockOrigin/uBlock-issues#1164

`match_about_blank` is now used for content scripts and
user styles.
@uBlock-user uBlock-user added the fixed issue has been addressed label Jul 24, 2020
@gwarser

gwarser commented Jul 24, 2020

This still does not work in quiz frame on https://itsfoss.com/end-of-floppy-disk-in-linux/,

  • open https://itsfoss.com/end-of-floppy-disk-in-linux/
  • scroll to the end of article
  • click on the arrow in frame top right corner
  • try hiding social icons and subtitle

@gorhill
Member

gorhill commented Jul 24, 2020

But that is just gorhill/uBlock#1744?

@gwarser

gwarser commented Jul 24, 2020

I tried manually adding:

itsfoss.com##.shareProviderButton
##.shareProviderButton
itsfoss.com##.share-providers-button
##.share-providers-button
itsfoss.com##.shareOverlay
##.shareOverlay

@uBlock-user uBlock-user reopened this Jul 24, 2020
gorhill added a commit to gorhill/uBlock that referenced this issue Jul 24, 2020
Related issue:
- uBlockOrigin/uBlock-issues#688

`about:` frames need to lookup and use the inherited
origin from their parent browsing context for proper
lookup of cosmetic filters.
@gorhill
Member

gorhill commented Jul 24, 2020

Specific cosmetic filters should work with latest commit, but there is still an issue which I need to investigate, the mutation observer does not work in the about:blank frame in test case above. This means generic cosmetic filters and logging cosmetic filters do not work in the above test case. I don't know the reason for why the mutation observer does not work.

I found AdGuard seems to suffer the same issue as well -- it does not report the cosmetic filters in its logger for the test case above.

@gorhill
Member

gorhill commented Jul 25, 2020

> I don't know the reason for why the mutation observer does not work.

The page uses document.open() to create a new document in the iframe -- that would be the reason for the mutation observer ceasing to work.

@krystian3w
Author

#688 (comment)

but for some reason Google bar needs CSS - This could be another threat that someone would do a similar advertising mechanism and you would have to start using more scriptlets.

@gorhill
Member

gorhill commented Jul 25, 2020

> but for some reason Google bar needs CSS

Please open a distinct issue for this with repro steps (I don't know what is "Google bar"), the issue here is for about:blank.

@gwarser

gwarser commented Nov 21, 2020

It seems to be fixed by gorhill/uBlock@8d3c491

Can you check?

Generic filters still don't work.

@raszpl

raszpl commented Dec 11, 2020

I was reading https://palant.info/2020/12/10/how-anti-fingerprinting-extensions-tend-to-make-fingerprinting-easier/ and came upon an example

```js
console.log(screen.width);
Object.defineProperty(Screen.prototype, "width", {value: 1280});
console.log(screen.width);
var frame = document.createElement("iframe");
document.body.appendChild(frame);
console.log(screen.width, frame.contentWindow.screen.width);
```

producing:

```
1920
1280
1280 1920
```

in gorhill/uBlock#1740 I found @gorhill
":[1] It's a solution I have considered in the past: to make the content scripts able to inject themselves into source-less iframes. This is already sort-of done by injected scriptlets, they will propagate to source-less child frames."

Does this mean scriptlets should be injecting into about:blank iFrames? Has this worked in the past? I can't get this to work. I can see in Chrome devtools about:blank iFrame context has uBO listed as injected, but my scriptlet is not executed.

```js
/// myscriptlet.js
Object.defineProperty(Screen.prototype, "width", {value: 1280});
```

defined at userResourcesLocation, My filters: "*##+js(myscriptlet)".

```js
console.log(screen.width);
var frame = document.createElement("iframe");
document.body.appendChild(frame);
console.log(screen.width, frame.contentWindow.screen.width);
```

produces:

```
1280
1280 1920
```

suggesting myscriptlet is injected into the main page, but not the about:blank iFrame

@gorhill
Member

gorhill commented Dec 11, 2020

Your scriptlet can't be injected at document_start, so there will always be a delay before your scriptlet code executes. You will have to check the value later, not immediately after inserting the iframe.

@raszpl

raszpl commented Dec 12, 2020

I watched a movie, came back and results are still the same. I tested old chrome 77 with uBO v1.30.6 just to be sure, still same result. I tried something different

```js
var frame = document.createElement("iframe");
var html = '<body><script>alert(1)</script>Content</body>';
frame.src = 'data:text/html;charset=utf-8,' + encodeURI(html);
document.body.appendChild(frame)
```

uBlock didn't inject in this iframe at all (going by Chrome devtools console "javascript context" dropdown), not sure if it's meant to since I googled up whatwg/html#1753. It did inject into srcdoc variant

```js
var frame = document.createElement("iframe");
frame.srcdoc = '<body><script>alert(1)</script>Content</body>'
document.body.appendChild(frame)
```

still no scriptlet injections.

One of the scriptlets I use for a long time starts with

```js
console.log("something here ",location.href)
```

and I have a vague recollection of seeing it report about:blank as the source while debugging some popup happy websites long time ago, but I can't find/replicate it now. My question is - is my assumption that scriptlets are meant to be injected into about: iframes correct?

@gwarser

gwarser commented Dec 12, 2020

@raszpl are you using this filter with wildcard (specific-generic) *##+js(myscriptlet)?

Does not work on localhost:8080 for some reason.

I also tried with following filters and injecting is not reported in logger on localhost:8080, but works on example.com. Version with localhost instead of * works fine.

*##+js(test)
*##+js(nobab)

test -> https://gist.githubusercontent.com/gwarser/63ab7869174bb2f0880361bf9719bd0b/raw/6bd71b1feba0498221a7abd3c4a17e39febbc42d/test.js

[source not relevant]

@gorhill
Member

gorhill commented Dec 12, 2020

Can't inject in `data:` or `srcdoc` iframe, this is a known extension API limitation.

@gwarser

gwarser commented Dec 13, 2020

Specific-generic scriptlets do not work on "TLD domain only" websites, localhost for example, but there are few in the wild - http://pn/? I'm sure there are more. scriptletDB.retrieve fails to retrieve any scriptlet? hostnameToSlotIdMap.get() called with empty string instead of *?


Fixed in gorhill/uBlock@b22cf24

gorhill added a commit to gorhill/uBlock that referenced this issue Dec 14, 2020
@raszpl

raszpl commented Dec 18, 2020

@gwarser

> but works on example.com

are you saying your *##+js(test) reports "about:blank" after

var frame = document.createElement("iframe");
document.body.appendChild(frame);

?

@gwarser

gwarser commented Dec 18, 2020

I did not check embedded contexts. *##+js... scriptlet was not injected at all in my test on localhost.

@gwarser

gwarser commented Dec 18, 2020

This does not work at all in Chrome? (Is this about this Chrome bug [edit: new way of injecting into blank frames] I cannot find now?)

Testing *##+js(test) on https://gistcdn.rawgit.org/gwarser/dcea28c77bf2f6cb1c77229a92509b33/be97d8483cb0fdbb69af87b4295b905722685b98/frames.html

Firefox 86: uBO rc2 logger shows three injections and console logs page, blank and srcdoc.

Chrome 87.0.4280.88: only one injection, only page address logged.

@gorhill
Member

gorhill commented Dec 18, 2020

> Is this about this Chrome bug I cannot find now?

No, scriptlets are injected differently in Chromium, at webNavigation.onCommitted time (code), and the information received in such case is not the effective URL, it's just about:blank, in which case uBO bails out.

gorhill added a commit to gorhill/uBlock that referenced this issue Dec 18, 2020
This is an issue in uBO affecting only Chromium-based browsers.

Related feedback:
uBlockOrigin/uBlock-issues#688 (comment)
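
The ancestor lookup described earlier in the thread (resolve an `about:` frame to the first ancestor that is not `about:`, then look up specific cosmetic filters under that hostname), applied to the Chromium case above where only `about:blank` is reported for the frame. This is an added example, not uBO's code and not part of the thread: the frame list is constructed in the shape of `chrome.webNavigation.getAllFrames()` results, and `hostnameOf`, `effectiveHostname`, `selectorsFor`, `naiveLookup` and `inheritedLookup` are hypothetical helper names.

```javascript
// Constructed frame list in the shape of chrome.webNavigation.getAllFrames()
// results: top page -> about:blank quiz frame -> nested about:blank frame.
const sampleFrames = [
    { frameId: 0, parentFrameId: -1, url: 'https://itsfoss.com/end-of-floppy-disk-in-linux/' },
    { frameId: 7, parentFrameId: 0, url: 'about:blank' },
    { frameId: 9, parentFrameId: 7, url: 'about:blank' },
];

// Specific cosmetic filters keyed by hostname (selectors quoted in the thread).
const specificFilters = new Map([
    ['itsfoss.com', ['.shareProviderButton', '.shareOverlay']],
]);

// Hostname of a URL; '' for host-less schemes such as about: (hypothetical helper).
function hostnameOf(url) {
    try { return new URL(url).hostname; } catch (_) { return ''; }
}

// Walk up parentFrameId to the first frame whose URL is not about:* and inherit its hostname.
function effectiveHostname(frames, frameId) {
    const byId = new Map(frames.map(f => [f.frameId, f]));
    const seen = new Set(); // guards against a malformed, cyclic frame list
    let frame = byId.get(frameId);
    while (frame !== undefined && !seen.has(frame.frameId)) {
        if (!frame.url.startsWith('about:')) { return hostnameOf(frame.url); }
        seen.add(frame.frameId);
        frame = byId.get(frame.parentFrameId);
    }
    return ''; // no non-about: ancestor known, nothing to inherit
}

// Selectors that apply to a hostname, including entries for its parent domains.
function selectorsFor(hostname) {
    const out = [];
    for (let hn = hostname; hn !== '';) {
        out.push(...(specificFilters.get(hn) || []));
        const dot = hn.indexOf('.');
        hn = dot === -1 ? '' : hn.slice(dot + 1);
    }
    return out;
}

// Lookup keyed on the frame's own URL: an about:blank frame yields '' and no filters.
const naiveLookup = (frames, id) =>
    selectorsFor(hostnameOf((frames.find(f => f.frameId === id) || { url: '' }).url));
// Lookup keyed on the hostname inherited from the nearest non-about: ancestor.
const inheritedLookup = (frames, id) => selectorsFor(effectiveHostname(frames, id));
```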
@gwarser

gwarser commented Dec 18, 2020

Ok, now only rawgit.org##+js(test) is not injected into srcdoc but specific-generic works fine.

It's after gorhill/uBlock@8d3c491, so rather expected.

@raszpl

raszpl commented Dec 19, 2020

@gwarser

> This does not work at all in Chrome?

Thank you for confirmation, I was beginning to think I was going crazy.

and gorhill/uBlock@990cff5 thank you @gorhill for quick fix :o
I didn't even know about the test builds :( checking v1.31.3rc3 now:
https://gistcdn.rawgit.org/gwarser/dcea28c77bf2f6cb1c77229a92509b33/be97d8483cb0fdbb69af87b4295b905722685b98/frames.html

*##+js(myscriptlet)

myscriptlet  https://gistcdn.rawgit.org/gwars...05722685b98/frames.html
myscriptlet  about:blank
myscriptlet  about:srcdoc

Works great now.

@gorhill
Member

gorhill commented Dec 19, 2020

> not injected into srcdoc but specific-generic works fine

Maybe I can come up with a fix for this in next dev cycle.

@raszpl

raszpl commented Dec 19, 2020

srcdoc did work for me
Edit: oh, I get it. *##+js... works for srcdoc, but targeted filters won't fire. nvm

@gorhill
Member

gorhill commented Nov 19, 2022

Closing as obsolete. Fixes were made and it's unclear if and what are the other issues left if any -- too many comments about various other stuff. Open clearly detailed and well-narrowed issues if there is still something to fix, and these have to be issues with real world implications.

@gorhill gorhill closed this as completed Nov 19, 2022
@krystian3w krystian3w changed the title cosmetic filters in about:blank iframe cosmetic filters in about:blank iframe Feb 15, 2023