schomery / policy-control

A browser extension to allow first-party resources with exceptions!
http://add0n.com/policy-control.html

[bug report] same origin domain sources being blocked as 3rd party #15

Closed ghost closed 6 years ago

ghost commented 6 years ago

PC setting block 3rd party

There are numerous/repeated cases where PC (0.3.3, FF 56/58/59 on Win 7 64-bit) is blocking scripts from the same domain origin. One example is https://medium.com, with the PC logs showing blocked scripts:

Type URL
script https://cdn-static-1.medium.com/_/fp/gen-js/main-base.bundle._pctrygFYi2E_MOQxdrPaA.js
script https://cdn-static-1.medium.com/_/fp/gen-js/main-base.bundle._pctrygFYi2E_MOQxdrPaA.js

To my humble understanding those are not 3rd party and thus should not be blocked. Or are they?

schomery commented 6 years ago

Thanks for the report. It was a bug which will be fixed by the next release.

ghost commented 6 years ago

Thanks for the update, I just installed the latest release. There still seem to be occurrences though; a few samples are below. Since I cannot reopen this bug, I hope you will read it nonetheless and be able to iron it out for good.

Subdocument is set to block 3rd party

Domain Spiegel

PC log is reporting as blocked sub_frame

sub_frame http://cdn2.spiegel.de/images/image-31323-breitwandaufmacher-x7WLI-1-91942.jpg

Script is set to block 3rd party

Domain FAZ

PC log is reporting as blocked script

script http://static.faz.net/f6/ad/faz/iq.faz.net/V2/dist/FAZ_secondary-info.min.js
script http://static.faz.net/f6/ivw/faz/faz.net/v1/ivw-faz.net.js
script http://static.faz.net/f6/ad/faz/iq.faz.net/V2/dist/FAZ_secondary-info.min.js
script http://static.faz.net/f6/ivw/faz/faz.net/v1/ivw-faz.net.js

Script is set to block 3rd party

Domain Reuters TV

PC log is reporting as blocked script

script https://cdnstatic.reuters.tv/jsLib/hls.js?version=v0.0.45.24
script https://cdnstatic.reuters.tv/jsLib/vtt.js?version=v0.0.45.24
script https://cdnstatic.reuters.tv/assets/vendor.js?version=v0.0.45.24
script https://cdnstatic.reuters.tv/assets/video.bundle.js?version=v0.0.45.24
script https://cdnstatic.reuters.tv/jsLib/hls.js?version=v0.0.45.24
script https://cdnstatic.reuters.tv/jsLib/vtt.js?version=v0.0.45.24
script https://cdnstatic.reuters.tv/assets/vendor.js?version=v0.0.45.24
script https://cdnstatic.reuters.tv/assets/video.bundle.js?version=v0.0.45.24

Script is set to block 3rd party
Subdocument is set to block 3rd party
XMLHttpRequest is set to block 3rd party

Domain Qualys SSL Lab

PC log is reporting as blocked script

script http://plaintext.ssllabs.com/plaintext/script.js?t=1514710697124&_=1514710697077

PC log is reporting as blocked XMLHttpRequest

xmlhttprequest http://plaintext.ssllabs.com/plaintext/xhr.txt?t=1514710697124

PC log is reporting as blocked sub_frame

sub_frame http://plaintext.ssllabs.com/plaintext/frame.html

Script is set to block 3rd party

Domain Slipstick

PC log is reporting as blocked script

script https://static.slipstick.com/wp-includes/js/jquery/jquery.js
script https://media.slipstick.com/wp-includes/js/jquery/jquery-migrate.min.js
script https://static.slipstick.com/wp-content/themes/genesis-slipstick/lib/js/adsense.js
script https://static.slipstick.com/wp-content/plugins/popular-posts-tab-widget-for-jetpack/tab.js
script https://b.slipstick.com/bmp/Sequence2.aspx?ZoneID=149&CountImpressions=True&Total=3&SiteID=1
script https://static.slipstick.com/wp-includes/js/underscore.min.js
script https://cdn.slipstick.com/wp-content/plugins/hustle/assets/js/front.min.js
script https://cdn.slipstick.com/wp-content/plugins/wp-polls/polls-js.js
script https://media.slipstick.com/wp-includes/js/comment-reply.min.js
script https://static.slipstick.com/wp-includes/js/hoverIntent.min.js
script https://media.slipstick.com/wp-content/themes/genesis/lib/js/menu/superfish.js
script https://cdn.slipstick.com/wp-content/themes/genesis/lib/js/menu/superfish.args.js
script https://static.slipstick.com/wp-content/themes/genesis-slipstick/lib/js/responsive-menu.js
script https://static.slipstick.com/wp-includes/js/wp-embed.min.js
script https://static.slipstick.com/wp-content/themes/genesis-slipstick/lib/js/adsense.js
script https://static.slipstick.com/wp-content/plugins/popular-posts-tab-widget-for-jetpack/tab.js
script https://b.slipstick.com/bmp/Sequence2.aspx?ZoneID=149&CountImpressions=True&Total=3&SiteID=1
script https://b.slipstick.com/bmp/a.aspx?ZoneID=161&Task=Get&IFR=False&Browser=NETSCAPE4&PageID=39802&SiteID=1&Random=1514721743081&wd=1344
script https://static.slipstick.com/wp-includes/js/underscore.min.js
script https://cdn.slipstick.com/wp-content/plugins/hustle/assets/js/front.min.js
script https://cdn.slipstick.com/wp-content/plugins/wp-polls/polls-js.js
script https://media.slipstick.com/wp-includes/js/comment-reply.min.js
script https://static.slipstick.com/wp-includes/js/hoverIntent.min.js
script https://media.slipstick.com/wp-content/themes/genesis/lib/js/menu/superfish.js
script https://cdn.slipstick.com/wp-content/themes/genesis/lib/js/menu/superfish.args.js
script https://static.slipstick.com/wp-content/themes/genesis-slipstick/lib/js/responsive-menu.js
script https://static.slipstick.com/wp-includes/js/wp-embed.min.js

ghost commented 6 years ago

Is there still development or has it ceased? This bug is a major obstacle in the usability of this add-on...

schomery commented 6 years ago

Finding the root domain name (e.g.: spiegel.de) from a subdomain (e.g.: www.spiegel.de) is really challenging! I think I've come up with an acceptable solution. Please give the latest release a try and let me know if there are any issues.
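
One way to make the first-party decision discussed in this thread, as an added example that is not the extension's own code: compare the registrable domain (public suffix plus one label) of the page and of the request. `SUFFIXES` is a small constructed subset of the Public Suffix List, and the function names are hypothetical.

```javascript
// Added example, not the extension's code. SUFFIXES is a tiny constructed
// subset of the Public Suffix List; a real build must ship the full list.
const SUFFIXES = new Set(['com', 'de', 'net', 'tv', 'uk', 'co.uk', 'io', 'github.io']);

// Return the registrable domain (public suffix plus one label), or null when
// the host is itself a public suffix or an IP address literal.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (/^[\d.]+$/.test(host) || host.includes(':')) return null; // IPv4 / IPv6
  const labels = host.split('.');
  // Walk from the longest candidate suffix to the shortest: first hit wins.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  // Unknown TLD: fall back to treating the last label as the suffix.
  return labels.length > 1 ? labels.slice(-2).join('.') : null;
}

// A request is third-party when the registrable domains differ. Scheme, port
// and a "www." prefix play no part, so http -> https on one site stays
// first-party.
function isThirdParty(pageUrl, requestUrl) {
  const page = new URL(pageUrl).hostname;
  const req = new URL(requestUrl).hostname;
  if (page === req) return false;
  const a = registrableDomain(page);
  const b = registrableDomain(req);
  return a === null || b === null || a !== b;
}

// Page/request pairs taken from log entries in this thread (queries dropped).
const samples = [
  ['https://medium.com', 'https://cdn-static-1.medium.com/_/fp/gen-js/x.js'],
  ['http://www.bild.de', 'https://wetter.bild.de/web2014/wetterwidget.html'],
  ['https://www.welt.de', 'https://api-co.la.welt.de/api/documents'],
  ['https://www.nytimes.com', 'https://geoip.newsdev.nytimes.com/'],
];
for (const [page, req] of samples) {
  console.log(isThirdParty(page, req) ? 'third-party' : 'first-party', req);
}
```

With the full list, multi-label and private suffixes such as `co.uk` and `github.io` keep unrelated sites apart, which a "last two labels" shortcut would wrongly merge into one first party.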

ghost commented 6 years ago

It seems to be almost gone, no issues thus far; only when I had just made a donation for the development of this add-on, the following happened:

PC setting

Script (JavaScript) | Block third-party

URL

https://www.paypal.com/signin?locale.x=en_US&country.x=IS&returnUri=https%253A%252F%252Fwww.paypal.com%252Fpaypalme%252Faddondonation%252Fsend%253Famount%253D50%2526currencyCode%253DUSD%2526locale.x%253Den_US%2526country.x%253DIS&onboardData=%7B%22country.x%22%3A%22IS%22%2C%22locale.x%22%3A%22en_US%22%2C%22intent%22%3A%22paypalme%22%2C%22redirect_url%22%3A%22https%253A%252F%252Fwww.paypal.com%252Fpaypalme%252Faddondonation%252Fsend%253Famount%253D50%2526currencyCode%253DUSD%2526locale.x%253Den_US%2526country.x%253DIS%22%2C%22sendMoneyText%22%3A%22You%27re%2520sending%252050%252C00%25C2%25A0USD%2520to%2520Amin%252520E%22%2C%22theme%22%3A%22blue%22%7D

PC log

script https://c.paypal.com/webstatic/r/fb/fb-all-prod.pp2.min.js

ghost commented 6 years ago

Related to https vs http, though it is still the same TLD?

PC setting

Sub Document (iframes and frames) | Block third-party
Script (JavaScript) | Block third-party

URL

http://www.bild.de

PC Log

sub_frame | https://wetter.bild.de/web2014/wetterwidget.html?ifw=110&ifh=61&ifs=no&ct=Bild-Channel+Home

ghost commented 6 years ago

Related to https://www vs https://, though it is still the same TLD?

PC setting

Script (JavaScript) | Block third-party
XMLHttpRequest | Block third-party

URL

https://www.welt.de

PC Log

script | https://resources-production.la.welt.de/loader/la-loader.js
script | https://sportdaten.welt.de/welt-mobil/js/resizer/iframeResizer.min.js
xmlhttprequest | https://api-co.la.welt.de/api/documents?document-id=173364472,173287240,173369250,173371760

ghost commented 6 years ago

PC setting

XMLHttpRequest | Block third-party
Script (JavaScript) | Block third-party

URL

https://www.nytimes.com

PC Log

xmlhttprequest | https://et.nytimes.com/
xmlhttprequest | https://geoip.newsdev.nytimes.com/