uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0

Suspicious Akamai tracking script on multiple websites #10012

Closed ImBoop closed 3 years ago

ImBoop commented 3 years ago

Prerequisites

I tried to reproduce the issue when...

URL(s) where the issue occurs

https://www.tacobell.com/food/ Other examples listed on blog post below.

Describe the issue

It seems Akamai is starting to push sketchy trackers that are fingerprinting the browsers they're on under the guise of 'bot detection' and the script is very heavily obfuscated, and uBlock doesn't currently block them.

Screenshot(s)

No response

uBlock Origin version

1.37.2

Browser name and version

Firefox 92.0

Settings

Notes

It seems to be rather secretive as to how it works, but there's a decent writeup on https://grantwinney.com/websites-requesting-access-to-motion-sensors/

Even if it breaks the website, I'd like uBlock to block these sketchy requests (which if they weren't on the host page then it wouldn't need to be so secretive.)

uBlock-user commented 3 years ago

> and uBlock doesn't currently block them.

Link to the script?

ImBoop commented 3 years ago

https://www.tacobell.com/A2TJx7gO/ElEpY06/xt2DbaR/dN/if1OwNhziuaf/PVQiZgE/Owl/PBBxLcHwB

If it dies I can mirror it in a gist.

ExtremelyCool commented 3 years ago

@ryanbr

ryanbr commented 3 years ago

These scripts are all over the place, have tried to counter them. But they keep changing the URLs.

avotoko commented 3 years ago

The script is sending data twice on www.fedex.com.

If necessary, these can be blocked with the following filter.

fedex.com##+js(set, bmak.js_post, false)

avotoko commented 3 years ago

grantwinney's article has an interesting comment: https://grantwinney.com/websites-requesting-access-to-motion-sensors/?ht-comment-id=152099. It has been suggested that blocking it may have negative effects.

I wish I could have reported this in my earlier post, but I apologize for the delay.

uBlock-user commented 3 years ago

We could always remove it if anyone experiences site breakage due to that filter, but they shouldn't because the value is within valid parameters.

ImBoop commented 3 years ago

> The script is sending data twice on www.fedex.com.

The domain changes frequently, is there no other way to block it?

uBlock-user commented 3 years ago

Which domain?

ImBoop commented 3 years ago

In the script in my link, the script went to tacobell.com (e.g. the host domain of the script.)

uBlock-user commented 3 years ago

I don't understand, XHR's are no longer fired, fixed in https://github.com/uBlockOrigin/uAssets/commit/1bd833f697135792336d8697dafaf8a0afb9f4ef

ImBoop commented 3 years ago

> I don't understand, XHR's are no longer fired, fixed in 1bd833f

I just meant that it's on other domains as well, but I don't have a definitive list unfortunately. Appreciate it either way, thanks!

maxredspeed3 commented 3 years ago

> We could always remove it if anyone experiences site breakage due to that filter, but they shouldn't because the value is within valid parameters.

It's breaking fedex.com proper when signing in. I use FedEx daily for work with uBO installed, haven't had any issues for over a year, until about 2 weeks ago when this was added. I currently have to whitelist fedex.com entirely or turn uBO off just to sign in. After signing in, everything else in the site works fine, no issues.

uBlock-user commented 3 years ago

@maxredspeed3 Add the following filters to My Filters and try logging in again.

fedex.com#@#+js(set, bmak.js_post, false)
fedex.com##+js(aost, XMLHttpRequest.prototype.send, apicall_bm)
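What the two scriptlet filters in this thread do mechanically, as an added example that is not part of the original thread and not uBlock Origin's own code. It is a simplified model: `win`, `FakeXHR`, `pinConstant`, `abortOnStackTrace` and the shape of the `bmak` object are assumptions constructed for the demo, and both mechanisms are applied together here only to show them side by side.

```javascript
// Simplified model of the two scriptlets' behaviour; not uBlock Origin's code.
// set-constant on "bmak.js_post": trap the root property so the object the
// page assigns later gets its leaf pinned to a fixed value.
function pinConstant(win, chain, value) {
  const [root, leaf] = chain.split('.');
  let current;
  Object.defineProperty(win, root, {
    configurable: true,
    get: () => current,
    set: (obj) => {
      if (obj !== null && typeof obj === 'object') {
        // Accessor with a no-op setter: page writes are silently dropped.
        Object.defineProperty(obj, leaf, { get: () => value, set: () => {} });
      }
      current = obj;
    },
  });
}

// abort-on-stack-trace: throw when the wrapped method is reached through a
// caller whose name appears in the stack; other callers pass through.
function abortOnStackTrace(obj, prop, needle) {
  const original = obj[prop];
  obj[prop] = function (...args) {
    if (new Error().stack.includes(needle)) {
      throw new ReferenceError(`aborted: stack matched ${needle}`);
    }
    return original.apply(this, args);
  };
}

function demo() {
  const sent = [];
  function FakeXHR() {}                       // constructed stand-in for XMLHttpRequest
  FakeXHR.prototype.send = function (body) { sent.push(body); };
  const win = { XMLHttpRequest: FakeXHR };    // constructed stand-in for window
  pinConstant(win, 'bmak.js_post', false);
  abortOnStackTrace(FakeXHR.prototype, 'send', 'apicall_bm');

  // Constructed stand-in for the site script (assumed shape, not Akamai's code).
  win.bmak = { js_post: true, apicall_bm(data) { new win.XMLHttpRequest().send(data); } };
  win.bmak.js_post = true;                    // attempt to re-enable is ignored
  let aborted = false;
  try { win.bmak.apicall_bm('sensor-data'); } catch (e) { aborted = e instanceof ReferenceError; }
  (function signIn() { new win.XMLHttpRequest().send('login'); })();
  return { jsPost: win.bmak.js_post, aborted, sent };
}
```

The stack-trace variant is narrower than pinning the flag: only `send` calls that arrive through the named caller are stopped, so an unrelated request such as the sign-in call in the demo still goes out.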