clk.* false positive

[DuncanFairley]

URL(s) where the issue occurs

http://clk.dev# http://clk.csr#

Describe the issue

Our internal-only domains are getting caught up in the clk.* filter.

Screenshot(s)

Versions

• Browser/version: Chrome 76.0.3809.100
• uBlock Origin version: 1.21.6

Settings

• None

Notes

The following seemed to add the rules: https://github.com/uBlockOrigin/uAssets/issues/4030

[mapx-]

Provide example pages and explain the issue

[DuncanFairley]

As mentioned, they're internal domains. ublock origin is blocking valid Javascript, present in screenshot.

[mapx-]

If your issue is about noeval filter , I tried disabling it but I get popups. So, if you are using eval for internal goals you should remove the popups generator and we can remove the noeval filter

[DuncanFairley]

The popups are not advertisements in the internal web application I'm using. It's just UI. I'm just asking that the filters that were added for clk.* are made more explicit to the domains that you're targetting: clk.icu, clk.press so that they are no longer targetting my domains, clk.dev#, clk.csr#, please.

[mapx-]

I removed the noeval filter, replacing it. Update your lists and test again.

[mapx-]

or test directly

clk.*#@#+js(noeval)
clk.*##+js(window.open-defuser)

[DuncanFairley]

It no longer blocks my popup. Thank you.

[okiehsch]

I get popups using Chromium Example link: clk.ink/HMoDP after solving the captcha and continuing to the countdown site. I will readd the noeval filter. For your internal web application I suggest that you add clk.*#@#+js(noeval) to your personal filter list.

[DuncanFairley]

This is a web platform for 30 users. I can't modify their filter lists. Could you please filter only the clk domains you are interested in blocking instead of a wildcard?

On Thu., Aug. 15, 2019, 5:22 p.m. okiehsch, notifications@github.com wrote:

I get popups using Chromium Example link: clk.ink/HMoDP after solving the captcha and continuing to the countdown site. I will add the noeval filter. For your internal testing I suggest that you add clk.*#@#+js(noeval) to your personal filter list.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/uBlockOrigin/uAssets/issues/6086?email_source=notifications&email_token=AAKJWFCUEDRE4EF2H7UCKWLQEXXLLA5CNFSM4IMABT7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4NKW3Y#issuecomment-521841519, or mute the thread https://github.com/notifications/unsubscribe-auth/AAKJWFFL2MNS4QJB37NVA4LQEXXLLANCNFSM4IMABT7A .

[okiehsch]

I won't, they change all the time and I won't bother adding countless TLD's.

What I am willing to do is add exceptions for your internal sites does clk.csr,clk.dev#@#+js(noeval) work for you?

[DuncanFairley]

Sorry, I don't understand the syntax for whitelisting something. The domains are clk.csr# and clk.dev# where # is any integer. Eg. clk.csr1, clk.csr2, etc.

Thanks.

[mapx-]

just add in "my filters" clk.csr1,clk.csr2,clk.csr3,clk.csr4,clk.csr5,clk.dev1,clk.dev2,clk.dev3#@#+js(noeval)

adding to the filter above all your internal domains

[DuncanFairley]

There's 30 or so users, I don't have access to all of their "my filters" lists. Some of them work from home.

[mapx-]

@okiehsch could you test:

clk.*#@#+js(noeval)
clk.*##+js(set-constant.js, parseInt, trueFunc)

same you @DuncanFairley with these last filters do you still get some breakage ?

[DuncanFairley]

I added those two to My Filters and it made it worse than usual, unfortunately. It blocked XHR requests that previously were succeeding.

[mapx-]

another idea:

• create a custom list (see how-to: https://adblockplus.org/forum/viewtopic.php?p=144195&sid=6a69bd58f69e16796a5bab8da0114cd0#p144195 )

• add whatever filters you want in that list (the filter I told you above)

• ask your users just to click the subscription link

This custom list is necessary to be subscribed only by your users using uBo

[okiehsch]

where # is any integer.

Well, that complicates things. ;)

We can change the filter to

clk.*#@#+js(noeval)
clk.*##+js(aeld, /^(?:click|mouseup)$/, [J])

works on my end with Chromium/Chrome and Firefox.

@DuncanFairley any problems if you add the above mentioned filters?

[gorhill]

another idea [...] This custom list is necessary to be subscribed only by your users using uBo

That's the better idea -- I don't like the idea of adding exception filters in uBO list for private domains not accessible from outside, this opens the door for actual sites to leverage those exceptions to bypass uBO. Volunteers can assist in finding a solution but ultimately the solution is to be found by whoever manages those private domains.

Users are free to disable uBO on this internal clk.dev1 site, that would take care of the issue.