snowhaze / SnowHaze-iOS

A Powerful Private Browser Developed to Truly Protect your Data
Other
148 stars 29 forks source link

JavaScript Seemingly Not Fully Blocked on iOS 14 Devices #22

Open gbu117 opened 3 years ago

gbu117 commented 3 years ago

Snowhaze on iOS 14 does not seem to be fully blocking JS. It seems that at least the inline-script is still being executed, which it wasn't on iOS 13 and is not on LTS iOS 12 devices.

Take the example of the default search engine SnowHaze includes, StartPage in the scenario of disabling all JS in the options (even blocking using the content blocker options) and disabling search suggestions.

On iOS 14 devices if you search, the results do not display and the interactive search options menus appear. This same outcome would occur if you were to use desktop Chrome/Firefox and block all scripts but not inline-scripts with an extension such as uBlock Origin.

However, if you repeat the same steps on SnowHaze on a device running iOS 12/13, the page loads the way it should, indicating JS is not being executed. I presume something has changed with Apple's WebKit/WebView in iOS 14 which is the cause of this. Running Safari with JS disabled and searching StartPage works correctly also, so it seems to be something to do with SnowHaze executing inline-scripts (which is something I would think people would prefer not to be the case).

Equally, I would note that searching on DuckDuckGo's HTML search html.duckduckgo.com results in a "forbidden" response despite this not being the case on Safari or any other browser I use with JS disabled (even lynx the terminal-based browser), which makes me wonder whether something a bit strange is happening with the HTTP requests being made.

snowhaze commented 3 years ago

Thanks for your description of the issue. It looks like it is related to issue #20. We have a fix for that and will release it soon.

snowhaze commented 3 years ago

Hi, the issue with duckduckgo is much simpler than I thought. The problem is the Referer blocking. Duckduckgo requires a HTTP Referer which is blocked by default. Simply allow referers for duckduckgo.com in the site settings (color shield).