favicon leaks

[ghost]

Hi,

I have not success to block favicon request with umatrix. An specific option block this kind of request?

example attached.

[uBlock-user]

Not a bug,

Add archive.fo archive.fo image block

Favicons are images, so blocking images for the specific domain blocks favicons too.

[gorhill]

Closing and marking as invalid, as per CONTRIBUTING.

[gorhill]

• No browser version.
• No clear, detailed steps to reproduce.
• Nobody should have to transcribe text from pictures.
• Pics are for complementary information: no primary information provided about what are the pics are showing.

[ghost]

well,

1. Linux Firefox 57 (last pic user agent)
2. open your brower, enter http://archive.is, click in umatrix and open logger, back to the tab archive.is an enter for ex: google.com, go back to the logger and see how favicon is red (suppose to be blocked) but if you view the source page is not, more, if you run tcpdump or wireshark can view the request.
3. there is nothing to transcribe, is a practical example
4. pics self explain the problem, but is you need text is here

[gorhill]

Properly transcribing into detailed steps to reproduce:

• Launch FF57 (no tab should load)
• Open browser console (ctrl-j)
• Open uMatrix logger
• Ensure matrix filtering is enabled in behind-the-scene scope and all is blocked
• Open new tab for http://archive.is
• Enter google.com into "My url is alive and I want to archive its content"
• Observe in logger: http://www.google.com/s2/favicons is red (meaning blocked)
• Observe in browser console: GET http://www.google.com/s2/favicons

[gorhill]

Observation: I followed the code up to Firefox's own code:

resource://gre/modules/MessageChannel.jsm, line 740:

response :
    messageName : "1390-0"
    recipient : {}
    result : 0
    value : {...}
    cancel : true <<<<<<<

uMatrix properly tells webext API to cancel the request. However, uMatrix's response seems to be disregarded by Firefox.

[gwarser]

Firefox / webextension limitation?

Firefox downloads favicons behind the scene -> webextensions not work for behind the scene requests.

[gorhill]

Browser bug. I created a minimal extension to block anything with favicon in it, and this is the output of the browser console after trying various links, with only that one extension installed:

11:37:35.843 blocking tabId=-1 requestId=18 url=https://jb-rubinovitz.ghost.io/favicon.ico  background.js:8:9
11:37:35.875 onErrorOccurred: favicon request: 18  background.js:37:9
11:37:37.074 GET https://jb-rubinovitz.ghost.io/favicon.ico [HTTP/2.0 200 OK 19ms]
11:38:42.854 GET https://news.ycombinator.com/favicon.ico [HTTP/2.0 200 OK 15ms]
11:39:10.865 blocking tabId=-1 requestId=160 url=https://assets.guim.co.uk/images/favicons-garnett/ac43fe9507600081b58760450f518d07/152x152.png  background.js:8:9
11:39:10.866 blocking tabId=-1 requestId=161 url=https://assets.guim.co.uk/images/favicons-garnett/48bc5564bb01b74cf7cd1a08ae0dd98e/32x32.ico  background.js:8:9
11:39:10.870 onErrorOccurred: favicon request: 160  background.js:37:9
11:39:10.871 onErrorOccurred: favicon request: 161  background.js:37:9
11:39:12.295 GET https://assets.guim.co.uk/images/favicons-garnett/48bc5564bb01b74cf7cd1a08ae0dd98e/32x32.ico [HTTP/2.0 200 OK 37ms]
11:39:35.712 blocking tabId=-1 requestId=322 url=https://www.hetzner.com/themes/hetzner/images/favicons/apple-touch-icon.png  background.js:8:9
11:39:35.713 blocking tabId=-1 requestId=323 url=https://www.hetzner.com/themes/hetzner/images/favicons/favicon-16x16.png  background.js:8:9
11:39:35.715 onErrorOccurred: favicon request: 322  background.js:37:9
11:39:35.715 onErrorOccurred: favicon request: 323  background.js:37:9
11:39:40.486 GET https://www.hetzner.com/themes/hetzner/images/favicons/favicon-16x16.png [HTTP/1.1 200 OK 113ms]
11:39:57.752 blocking tabId=-1 requestId=370 url=https://daverupert.com/favicon.ico  background.js:8:9
11:39:57.757 onErrorOccurred: favicon request: 370  background.js:37:9
11:40:00.095 GET https://daverupert.com/favicon.ico[HTTP/1.1 200 OK 45ms]

Two types of error are seen:

• Sometimes the tabId === -1 requests are not submitted to webRequest listeners, hence these can't be blocked/reported by an extension.
• When the requests are submitted, Firefox disregards the order to block them.

The bug will have to be reported to Firefox devs: https://bugzilla.mozilla.org/.

Here are the steps:

• Launch Firefox 57.0.4 with no tab opened.
  • about:config settings:
    • network.dns.disablePrefetch = true
    • network.predictor.enabled = false
    • network.prefetch-next = false
    • network.http.speculative-parallel-limit = 0
  • I have Firefox set to delete cache/cookies when closing Firefox.
• Go to about:debugging, load temporary minimalist extension: https://gist.github.com/gorhill/81e01119f78dac46ead5b8ba0c34bf18 (save locally both files in a new folder).
• Open browser console (ctrl-j), filter output with favicon. be sure "Net" and "Logging" are enabled.
• Open a new tab, load https://news.ycombinator.com/.
  • Reported in console:
    • GET https://news.ycombinator.com/favicon.ico
  • Nothing logged by the extension, suggesting the request was not submitted to webRequest listeners.
• Open a new tab, load https://spreadprivacy.com/privacy-simplified/
  • Reported in console:
    • GET https://spreadprivacy.com/favicon.png
  • Nothing logged by the extension, suggesting the request was not submitted to webRequest listeners.
• Open a new tab, load https://about.gitlab.com/2018/01/22/gitlab-10-4-released/
  • Reported in console:
    • blocking tabId=-1 requestId=757 url=https://about.gitlab.com/ico/favicon-192x192.png blocking tabId=-1 requestId=758 url=https://about.gitlab.com/ico/favicon-32x32.png onErrorOccurred: favicon request: 757 onErrorOccurred: favicon request: 758 GET https://about.gitlab.com/ico/favicon-32x32.png
    • Extension canceled the requests, confirmed by onErrorOccurred listener, yet the browser console shows that a network request was still made for one of the favicon.

[ghost]

Not a great solution, but you can disable firefox favicon request by about:config: browser.chrome.favicons = false browser.chrome.site_icons = false

[Cerberus-tm]

Interesting. So this isn't related to the other browser bug, where you can't block stuff 'behind the scenes' any more in FF 57+?

[Atavic]

This browser bug means that Firefox follows the link on rel="shortcut icon" to get the icon. Then is it added to the cache in places.sqlite.

This is a privacy issue and a potential security problem: unique ETag values can be added to these images.

[gorhill]

Can somebody report it please? I posted all the information and repro steps above.

[Atavic]

Favicons aren't standardized. The icons are provided in different dimensions and the browser must reduce them to 16x16 or 32x32 after they are retrieved. Maybe this allows to bypass uM restrictions?

@gorhill by report do you mean to open an issue on bugzilla? There are some issues for favicons and most are latent or ignored.

One issue for the android browser (where favicon is loaded with the browser ignoring the proxy settings) has been "resolved" with the idea that a system proxy should be set, instead of the proxy settings within the browser.

[ArchangeGabriel]

@Atavic And? If no-one reports it, it’s not going to be fixed.

[Thorin-Oakenpants]

@gorhill What is the title for the bug? I assume the content for the bug will be everything after Here are the steps:? i.e if no one else will post the bug then I will

[Cerberus-tm]

@Thorin-Oakenpants Oh, I was about to post the bug.

[Cerberus-tm]

I've posted the bug here: https://bugzilla.mozilla.org/show_bug.cgi?id=1433700 I'm a total layman, so I may have reported it improperly. I've never reported a bug before.

[Thorin-Oakenpants]

@Cerberus-tm .. If you've already reported it, no problems, and yes please, tell us the bugzilla number (triage will fix any issues with categorizing the bug) - also add a link to this issue in the bug if you can for reference. The title can always be amended if its not descriptive enough :)

[Cerberus-tm]

@Thorin-Oakenpants All done! See above.

[uBlock-user]

Can no longer reproduce. Aformentioned bugzilla bug has also been fixed for some time.

[gorhill]

Fixed in Firefox 58, as per https://bugzilla.mozilla.org/show_bug.cgi?id=1433700.