uBlockOrigin / uBlock-issues

This is the community-maintained issue tracker for uBlock Origin
https://github.com/gorhill/uBlock

Third party is not detected (or not exposed to the user) #1241

Status: Closed (ghost closed 3 years ago)

ghost commented 4 years ago

Description

When visiting https://www.myvanillacard.com/, https://geoip-js.maxmind.com is one of the third parties on the site. It is, however, not shown as one of the connections made in the uBlock interface - not when clicking on the icon or when using the logger.

Others not being able to reproduce could try using Browserling. Visit https://www.browserling.com/browse/win/7/firefox/68/https%3A%2F%2Faddons.mozilla.org%2Fen-US%2Ffirefox%2Faddon%2Fublock-origin%2F Download uBlock and visit https://www.myvanillacard.com/

Surprisingly, https://geoip-js.maxmind.com is visible in uMatrix. Not only uMatrix sees the domain, https://www.ipvoid.com/http-requests/ also exposes the connection.

If you are not able to reproduce this on your system (uBlock sees and blocks the domain), please leave a comment and information about your environment.

(I put up this issue on Reddit, but deleted the issue until now, as I've observed it on more than just my own computer.)

A specific URL where the issue occurs

https://www.myvanillacard.com/

Steps to Reproduce

  1. Visit https://www.myvanillacard.com/
  2. Click uBlock icon
  3. View the list of webpages in the sidebar

Expected behavior:

That https://geoip-js.maxmind.com is listed (and blocked.)

Actual behavior:

https://geoip-js.maxmind.com is not listed - not in sidebar or in the logger

uBlock-user commented 4 years ago

Network pane of Devtools doesn't list it either.

gorhill commented 4 years ago

uMatrix reports differently than uBO, it must not be used as a reference for uBO.

liamengland1 commented 4 years ago

Please fix your hyperlinks in markdown.

ghost commented 4 years ago

> uMatrix reports differently than uBO, it must not be used as a reference for uBO.

https://www.ipvoid.com/http-requests/ displays the connection as well for instance.

Also, when the issue was on Reddit, one person stated that they could not reproduce the issue and posted a screenshot of their logger both seeing geoip-js.maxmind.com and blocking it.

ghost commented 4 years ago

> Please fix your hyperlinks in markdown.

Done.

gorhill commented 4 years ago

Use the browser dev tools, if it's seen by the browser, it should be seen by uBO.

gorhill commented 4 years ago

geoip-js.maxmind.com does not appear in the popup panel because the page is reloaded, as seen in the following screenshot:

[screenshot]

uBO's popup panel shows only what occurred in the current page load, while uMatrix remembers across page load -- both by design.

ghost commented 4 years ago

You are absolutely right - thanks for investigating! Already knew about the fact that uMatrix remembers across page loads, but didn't even consider it. Closing the issue.

gorhill commented 4 years ago

I prefer to keep it open, I want to investigate if something can be done about this -- in the current case the issue is that a document with the same exact URL is being reloaded within a fraction of a second, so in that case it would make sense for uBO to carry over the seen hostnames for when a document was reloaded within a fraction of a second with the same exact URL.
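The reload behaviour and the carry-over idea discussed above can be modelled in a few lines. This is an added illustration, not part of the original thread and not uBlock Origin code: the class, its methods, the 500 ms window, the 200 ms reload delay and the request path are all assumptions made for the sketch.

```javascript
// Added illustration; not uBlock Origin code. Class, method names and the
// 500 ms window are assumptions made for this sketch.
const RELOAD_WINDOW_MS = 500;

class TabHostnameLog {
  constructor(carryOver) {
    this.carryOver = carryOver;   // false models the behaviour reported in this issue
    this.url = null;
    this.loadedAt = 0;
    this.hostnames = new Set();
  }

  // Called when the tab commits a new top-level document.
  onDocumentLoad(url, now) {
    const quickReload = this.carryOver && url === this.url &&
      now - this.loadedAt < RELOAD_WINDOW_MS;
    // Start from a clean slate unless the same exact URL was reloaded quickly.
    if (!quickReload) this.hostnames = new Set();
    this.url = url;
    this.loadedAt = now;
  }

  // Called for every network request seen in the tab.
  onRequest(requestUrl) {
    this.hostnames.add(new URL(requestUrl).hostname);
  }

  // What a popup panel built on this log would list.
  seen() {
    return [...this.hostnames].sort();
  }
}

// Constructed timeline: the first load contacts the third party, then the page
// reloads itself 200 ms later and only fetches first-party resources.
function replay(carryOver) {
  const log = new TabHostnameLog(carryOver);
  const page = 'https://www.myvanillacard.com/';
  log.onDocumentLoad(page, 0);
  log.onRequest(page);
  log.onRequest('https://geoip-js.maxmind.com/constructed-path.js');
  log.onDocumentLoad(page, 200);
  log.onRequest(page);
  return log.seen();
}

console.log(replay(false)); // per-load log: the third party is gone after the reload
console.log(replay(true));  // with carry-over: the third party is still listed
```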

ninjacatstorm commented 4 years ago

this seems to happen on invidious. when hovering the mouse on the progress bar, noscript shows a connection to ytimg.com, but ublock shows nothing. example link: https://invidious.snopyta.org/watch?v=wjXIw6OjBo8

gorhill commented 4 years ago

> this seems to happen on invidious

It's a different case than the underlying issue here. It's because ytimg.com is blocked by the site's own content security policy:

Content Security Policy: The page’s settings blocked the loading of a resource at https://i.ytimg.com/sb/wjXIw6OjBo8/storyboard3_L2/M1.jpg?sqp=-oaymwENSDfyq4qpAwVwAcABAaLzl_8DBgiM9538BQ%3D%3D&sigh=rs%24AOn4CLDX97KGHJ0B9DLRmiKUIFih6JGDPw (“img-src”).

No network requests to or script execution from ytimg.com occur and it's not uBO blocking it, it's the page's own CSP:

content-security-policy: default-src  'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src  'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src  'self'; media-src 'self' blob:

NoScript is reporting it probably because it listens to CSP violation events, but I am going to argue that NoScript is wrong to show that scripts from ytimg.com were blocked by NoScript since it's not true, and trying to "unblock" ytimg.com won't accomplish anything because it's the page's own CSP blocking it, and this will also be true after you trust ytimg.com with NoScript.

uBO's logger shows all the network requests which occurred on a page and ytimg.com is not there, while in the current issue the network requests show in the logger.
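The point made above, that the page's own policy rejects the ytimg.com image before any request is made, can be checked by evaluating the quoted header against a URL on that host. This is an added example, not part of the original comment and not uBO or NoScript code; the matcher is a simplified subset of CSP source matching, the function names are hypothetical and the resource URLs are constructed.

```javascript
// Added example: simplified CSP source-list matching (not the full CSP3 algorithm).
// Policy string copied from the comment above; resource URLs are constructed.
const POLICY = "default-src  'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; " +
  "img-src  'self' data:; font-src 'self' data:; connect-src 'self'; " +
  "manifest-src  'self'; media-src 'self' blob:";

// Split a policy into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one source expression allow `url` for a document at `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;   // 'none', 'unsafe-inline', nonces, hashes
  if (e === '*') return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme source, e.g. data:
  // Host source: optional scheme, optional "*." wildcard; ports and paths are ignored here.
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
  if (!m) return false;
  if (m[1] && url.protocol !== m[1] + ':') return false;
  return m[2] ? url.hostname.endsWith('.' + m[3]) : url.hostname === m[3];
}

// Would a fetch governed by `directive` be allowed? Falls back straight to default-src.
function cspAllows(policy, directive, resourceUrl, pageUrl) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) || directives.get('default-src');
  if (sources === undefined) return true;   // nothing governs this fetch
  const url = new URL(resourceUrl);
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const PAGE = 'https://invidious.snopyta.org/watch?v=wjXIw6OjBo8';
console.log(cspAllows(POLICY, 'img-src', 'https://i.ytimg.com/sb/x.jpg', PAGE)); // false
```

A `false` result here is the browser's decision alone, which is why the request never reaches the network layer that uBO's logger records.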

ninjacatstorm commented 4 years ago

so noscript is reporting things incorrectly then? i also tried on lbry.tv and noscript also shows a lot more connections, i tested by temp trusting everything, i tried on the first video listed: https://lbry.tv/@TheQuartering:1/big-changes-at-youtube-this-will-be-the:1

it also seems it matters whether or not all the filter lists are ticked, i tested on old.reddit.com

I'm not sure whether this is all normal?

gwarser commented 4 years ago

> i tested by temp trusting everything,

Did you also disable filtering when you tested in uBO?

gorhill commented 4 years ago

@ninjacatstorm You trusted all in NoScript, which is equivalent to disabling NoScript for the site, while you left uBO in its normal blocking state, you can't compare this way. Disable uBO if you want to compare with disabled NoScript. This is what I get once I disable uBO and reload the page with cache bypass (I didn't click the play button after the page loaded):

[screenshot]

ninjacatstorm commented 4 years ago

ok, i'm a little confused. shouldn't ublock origin show all of that anyway, but just with the blocked connections being red instead of green? isn't that the point of the red/green thing? or am i misunderstanding how it's supposed to work?

gwarser commented 4 years ago

This works like a chain. One tracker loads another, then the second one loads one more... If you block the first one, the others will never be loaded, so they will never be seen.

uBlock-user commented 4 years ago

Not just with trackers, everywhere else on the Internet too.

gorhill commented 4 years ago

> shouldn't ublock origin show all of that anyway

I am baffled at why you would think so when NoScript behaves just the same way: you won't see the final long list of 3rd parties if you do not trust all in NoScript. Why would you expect differently in uBO?

Trust minimally: [screenshot]

Trust all: [screenshot]

It seems you have misunderstandings of how both NoScript and uBO work, and in such a case it's a support matter to be handled at /r/uBlockOrigin. Currently we just keep adding noise to the current issue, which is fully understood, and what you report is unrelated to it, as I already stated above.

gwarser commented 4 years ago

In hard mode tomshardware.com quickly redirects to "AD BLOCKER INTERFERENCE DETECTED" page, with only first party resources. This makes it more difficult to actually find that futurecdn.net must be noop-ed to prevent anti-adblock detection.

https://www.tomshardware.com/how-to/boot-raspberry-pi-4-usb

uBlock-user commented 3 years ago

> In hard mode tomshardware.com quickly redirects to "AD BLOCKER INTERFERENCE DETECTED" page, with only first party resources. This makes it more difficult to actually find that futurecdn.net must be noop-ed to prevent anti-adblock detection.

This is still an issue.