trust-provider.com: breakage (trustlogo.js)

[b3hdad]

Prerequisites

• [X] I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
• [X] This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
• [X] I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
• [X] The issue is not present after disabling uBO in the browser.
• [X] I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

• [X] uBO is the only extension.
• [X] uBO uses default lists and settings.
• [X] using a new, unmodified browser profile.

Description

When uBO is enabled the following script gets blocked:

https://secure.trust-provider.com/trustlogo/javascript/trustlogo.js

This is a legitimate script that shows the Sectigo security badge on a web site.

A specific URL where the issue occurs.

https://isonotes.com

Steps to Reproduce

1. Go to Chrome
2. Press F12 to go to developer tools and clear the console
3. Go to web site: https://isonotes.com/
4. Note the error in console

Expected behavior

If you disable the uBO then a green badge under the pricing section appears saying: SECURED BY SECTIGO

Actual behavior

The badge does not appear.

uBO version

1.47.4

Browser name and version

Chrome 111.0.5563.65

Operating System and version

Windows 10

[MasterKia]

Clicking on the "SECURED BY SECTIGO" logo:

This website uses a Sectigo SSL certificate to secure online transactions for customers.

Clicking on the "lock" icon on the address bar:

Verified by: Google Trust Services

[b3hdad]

Not so sure if your comment is a question or statement to explain why uBO is behaving that way. Just a note that this was working for a long time and has broken recently.

The badge doesn't have anything to do with the Google trust. It only check that certificate is still valid and it is the right domain.

[MasterKia]

Sectigo claims the SSL certificate is issued by them but the webpage itself says the SSL certificate is verified/(issued) by Google. Why the contradiction? Or maybe I misunderstood.

[b3hdad]

Sectigo claims the SSL certificate is issued by them but the webpage itself says the SSL certificate is verified/(issued) by Google. Why the contradiction? Or maybe I misunderstood.

So what you see there (i.e. Google Trust) is the edge certificate and the Sectigo certificate is part of the chain of trust and is associated with the server. If anything goes wrong with the chain the badge will not show SECURED BY SECTIGO anymore.

[MasterKia]

Fingerprinting script, declined by EasyPrivacy: https://github.com/easylist/easylist/issues/14627#issuecomment-1375517280

@ryanbr

[mapx-]

I'm not sure:

https://otx.alienvault.com/indicator/domain/trust-provider.com https://www.netify.ai/resources/domains/trust-provider.com

A. Meshkov didn't add any filter for trust-provider in AdGuard Tracking Protection filter

[MasterKia]

Isn't AdGuard Tracking Protection is based on EasyPrivacy? A.Meshkov asked for it to be fixed in EasyPrivacy, and it was fixed.

[mapx-]

AM reported a breakage then ryan reduced the impact but in the end AG list does not contain that domain. (AM prefered to put an end to the discussion "I guess it falls under the policy" )

[b3hdad]

Ok so if it is too difficult or can't be fixed please feel free to close the ticket. Thank you for the quick feedback and investigation.

[ryanbr]

https://secure.trust-provider.com/trustlogo/javascript/trustlogo.js fingerprinting

[stephenhawk8054]

Isn't the code is used for styling like ameshkov said?

[ryanbr]

I'm sure they do plenty of this without useragent/screen.availWidth

[stephenhawk8054]

I mean, it's not about what they are using, but it's about what they are using them for?

The code can be wacky, but it's not the reason to block it, unless we are javascript's teachers

function createStyleRule(t, e) {
    if(document.getElementsByTagName && (document.createElement || document.createElementNS)) {
        var L = navigator.userAgent.toLowerCase(),
            n = -1 != L.indexOf("msie") && -1 == L.indexOf("opera"),
            o = n && -1 != L.indexOf("win"),
            r = n && -1 != L.indexOf("mac");
        if(!r) {
            var i = document.getElementsByTagName("head")[0],
                l = "undefined" != typeof document.createElementNS ? document.createElementNS("http://www.w3.org/1999/xhtml", "style") : document.createElement("style");
            if(!o) {
                var a = document.createTextNode(t + " {" + e + "}");
                l.appendChild(a)
            }
            if(l.setAttribute("type", "text/css"), l.setAttribute("media", "screen"), i.appendChild(l), o && document.styleSheets && document.styleSheets.length > 0) {
                var s = document.styleSheets[document.styleSheets.length - 1];
                "object" == typeof s.addRule && s.addRule(t, e)
            }
        }
    }
}
createStyleRule("#comodoTL", "display:block;font-size:8px;padding-left:18px;");

[gorhill]

I'm sure they do plenty of this without useragent/screen.availWidth

You can check with the logger. I don't see anything in it suggesting there is fingerprinting information sent abroad, and I don't see any 3rd-party cookie set by the site related to this.

[mapx-]

@b3hdad fixed

[b3hdad]

@b3hdad fixed

Awesome. Thank you and thanks everyone.