Ghostery blocking calls to localhost

ghostery / ghostery-extension

Ghostery Browser Extension for Firefox, Chrome, Opera, Edge and Safari

Mozilla Public License 2.0

1.38k stars 140 forks source link

Ghostery blocking calls to localhost #1037

Closed dvaldivia closed 1 year ago

dvaldivia commented 1 year ago

Description

I'm doing some local development and API calls to localhost are being blocked, but only a select few, mainly

 http://localhost:6006/api/v1/metrics?filters=&deployment_id=7fb3452a-f41a-4b1e-b137-0c1961978977&source=audit

This also happens on Firefox, but Firefox allows me to turn off Ghostery on the "entire site" and things start working, but on Safari it thinks I'm using jwt.io for some reason

Expected Behavior

This used to work just fine

Actual Behavior

calls are getting blocked

Browser: Safari 16.3
OS: macOS 13.2.1
Node:
NPM:

chrmod commented 1 year ago

@GRadziejewski please try to reproduce

GRadziejewski commented 1 year ago

Checked on Safari. I can reproduce the problem. Request is block by Ghostery, when extension is turned off I will receive 404.

When Ghostery is turned on: Screenshot 2023-03-30 at 20 24 49

When Ghostery is turned off: Screenshot 2023-03-30 at 20 25 44

chrmod commented 1 year ago

Those requests are being blocked by Easylist privacy list https://github.com/easylist/easylist/blob/f28e88315b884d16fc169685d32ec37b8696e755/easyprivacy/easyprivacy_general.txt#L66

it may an adblocker bug

philipp-classen commented 1 year ago

I can reproduce, but now I'm no longer sure what the behavior should be in this case.

For testing, I used this dummy page:

<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width" />
    <title>My test page</title>
  </head>
  <body>
    <p>This should show an image with the text "image.png"</p>
    <img src="http://localhost:9876/image.png" alt="My test image" />
    <p>This should also show an image with the text "image.png" (unless blocked)</p>
    <img src="http://localhost:9876/tracking-v1/tracking/image.png?" alt="My test image" />
  </body>
</html>

The path in the second link has been chosen to match -v1/tracking/. Depending on the implementation, the results differ:

Ghostery on Firefox and Chrome (Manifest V2) allows it
Ghostery on Chrome and Safari (Manifest V3) blocks it (I have only tested on Linux, so for Safari I assume it is as on Chrome)
uBlock Origin blocks it

I can think of arguments in both directions.

philipp-classen commented 1 year ago

In the original URL, this rule blocks it: https://github.com/easylist/easylist/blob/f28e88315b884d16fc169685d32ec37b8696e755/easyprivacy/easyprivacy_general.txt#L631

/api/v1/metrics

smalluban commented 1 year ago

The current version supports whitelisting local domains, so you should be able to add the domain to the paused list.

@dvaldivia Please confirm if this solves your problem.

smalluban commented 1 year ago

@dvaldivia Please re-open if the issue still exists.