easylist / easylist

EasyList filter subscription (EasyList, EasyPrivacy, EasyList Cookie, Fanboy's Social/Annoyances/Notifications Blocking List)
https://easylist.to

Allowlist awswaf.com #19062

Closed tadk-amazon closed 1 week ago

tadk-amazon commented 2 weeks ago

Hi,

I am a member of the Amazon AWS WAF team. We are reaching out to see if it's possible to preemptively add the domain used by our CAPTCHA and challenge services (described here: https://docs.aws.amazon.com/waf/latest/developerguide/waf-captcha-and-challenge.html) to the EasyList allowlist. The domain awswaf.com is used to serve our JavaScript SDK which is embedded into customers' web pages. We have received reports before where awswaf.com was added to some of the major ad-blocking lists (such as EasyList) which resulted in blocking access to/breaking websites using our SDK.

I've looked over the policies for EasyList and EasyPrivacy. For EasyList, allowlisting the entire awswaf.com domain looks like it would suffice. With EasyPrivacy, for transparency, it looks like our telemetry (*/telemetry) and error reporting (*/report) endpoints would still need to be blocked, since they appear to go against some of the policy.

Our domain is not currently blocked on either list, but we wish to reduce the chances of it being mistakenly added later on and causing unintended side effects across all of the websites that use our SDK by reaching out to see about allowlisting.

Thanks

ryanbr commented 2 weeks ago

Can you see why blocking ||awswaf.com^*/telemetry broke on https://tvtropes.org/ ?

https://github.com/uBlockOrigin/uAssets/issues/21805

tadk-amazon commented 1 week ago

That was due to a bug where if any network requests, including the /telemetry request, were blocked, the whole SDK would break. That bug has been fixed for a couple months now.

tadk-amazon commented 1 week ago

Hi, I see the commit above only further blocks the */telemetry endpoint on EasyPrivacy, which is fine and expected. What it doesn't do is completely address this ask which was also about explicitly allowlisting awswaf.com on the base EasyList. Our concern is that if the whole awswaf.com later gets added to EasyList for whatever reason, it would break any website using AWS WAF's bot mitigation offering in ways that would be unclear to end users. Some ways this could manifest to end users:

This would result in very poor user experience and not everyone would immediately try disabling their adblocker, if they even are aware of how to do so.
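
The filter interactions discussed in this thread, as an added example that is not part of the original issue or of any EasyList or AWS code: a small matcher for a subset of Adblock Plus filter syntax, run against the `||awswaf.com^*/telemetry` rule quoted above. The two URLs, the blanket block rule and the `@@` exception rule are constructed for illustration and are assumptions, not entries from either list.

```python
import re

def compile_filter(rule):
    """Compile a subset of Adblock Plus syntax (@@, ||, ^, *) to a regex."""
    exception = rule.startswith("@@")
    body = rule[2:] if exception else rule
    anchored = body.startswith("||")
    if anchored:
        body = body[2:]
    parts = []
    for ch in body:
        if ch == "*":
            parts.append(".*")
        elif ch == "^":
            # separator: any char except letter, digit, _ - . %, or end of URL
            parts.append(r"(?:[^\w\-.%]|$)")
        else:
            parts.append(re.escape(ch))
    # "||" anchors at the start of the host or right after a dot inside it
    prefix = r"^[a-z][a-z0-9+.\-]*://(?:[^/?#]*\.)?" if anchored else ""
    return exception, re.compile(prefix + "".join(parts), re.IGNORECASE)

def decide(url, rules):
    """Return (verdict, rule). A matching exception beats any blocking rule."""
    blocked_by = None
    for rule in rules:
        exception, rx = compile_filter(rule)
        if rx.search(url):
            if exception:
                return "allow", rule
            blocked_by = blocked_by or rule
    return ("block", blocked_by) if blocked_by else ("allow", None)

# Constructed URLs; host label and paths are placeholders, not real endpoints.
SDK_URL = "https://placeholder.awswaf.com/sdk/challenge.js"
TELEMETRY_URL = "https://placeholder.awswaf.com/sdk/telemetry"

TELEMETRY_RULE = "||awswaf.com^*/telemetry"   # rule quoted in the thread
BLANKET_BLOCK = "||awswaf.com^"               # hypothetical future addition
BLANKET_ALLOW = "@@||awswaf.com^"             # hypothetical allowlist entry

if __name__ == "__main__":
    for name, rules in [("today", [TELEMETRY_RULE]),
                        ("domain blocked", [TELEMETRY_RULE, BLANKET_BLOCK]),
                        ("allowlisted", [TELEMETRY_RULE, BLANKET_BLOCK, BLANKET_ALLOW])]:
        for url in (SDK_URL, TELEMETRY_URL):
            print(f"{name:15} {url:50} {decide(url, rules)}")
```

Under this matching model the blanket exception also re-allows the telemetry URL, so keeping `*/telemetry` blocked requires an exception narrower than the whole domain.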