Script loaded as `object` bypasses dynamic filtering

[ghost]

Prerequisites

• [X] I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
• [X] This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
• [X] I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
• [X] The issue is not present after disabling uBO in the browser.
• [X] I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

• [X] uBO is the only extension.
• [X] uBO uses default lists and settings.
• [X] using a new, unmodified browser profile.

Description

This Instagram script bypasses dynamic filtering rules.

A specific URL where the issue occurs.

https://veja.abril.com.br/mundo/cadela-brasileira-encontra-vitimas-soterradas-por-terremoto-na-turquia/

Steps to Reproduce

• Block third-party scripts with the extension panel
• Go to https://veja.abril.com.br/mundo/cadela-brasileira-encontra-vitimas-soterradas-por-terremoto-na-turquia/

Expected behavior

No connections to third-party scripts.

Actual behavior

https://www.instagram.com/embed.js?ver=2.4.4 is loaded as an object.

uBO version

1.47.0

Browser name and version

Firefox 110

Operating System and version

Windows 10

[uBlock-user]

Will need a new category rule such as * * 3p-object block to address this.

[gwarser]

Wasn't <object> linked to frame type? It does not seem to be blocked when blocking 3p frames now.

---

BTW, blocked by Firefox tracking protection for me.

[gwarser]

There are many more scripts like this

The content type of the resource specified by data. At least one of data and type must be defined.

But it's not here. ???

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/object

[uBlock-user]

Wasn't linked to frame type?

Was it ever ? I have never seen that before. I did come across cases where scripts are loaded as objects and even sometimes via xhr/fetch.

[garry-ut99]

Script loaded as object

Not only scripts, many other things can be smuggled as object:

The <object> tag defines a container for an external resource. The external resource can be a web page, a picture, a media player, or a plug-in application.

---

Will need a new category rule such as * * 3p-object block to address this.

Yes, bettter than nothing, however if several different things will be smuggled as object, all of them will be blocked then, which might be not always expected result by an user, actually the same risk applies for static network filtering.

---

At least one of data and type must be defined. But it's not here. ???

Such requirement is present only in Mozilla's documentation, not in other documentations:

https://html.spec.whatwg.org/#attr-object-type : The type attribute, if present, specifies the type of the resource. https://www.w3schools.com/tags/tag_object.asp : examples provided are without type

So either the requirement:

• is not longer valid and Mozilla just forgot to remove it from the documentation (a bug in their doc)
• or it's a bug in a browser as Firefox allows something what shouldn't be allowed as per their doc

---

Also might be helpful:

• https://github.com/gorhill/uBlock/issues/2747
• https://github.com/gorhill/uBlock/issues/3187

---

Block third-party scripts with the extension panel

Not clear whether locally (only on veja.abril.com.br) or globally (and veja.abril.com.br was just an example) Not clear whether only www.instagram.com 3p scripts or all 3p scripts (and www.instagram.com was just an example)

Can use (as alternative/workaround) Dynamic URL filtering instead of Dynamic filtering:

• locally only www.instagram.com: veja.abril.com.br https://www.instagram.com object block
• locally for all 3p domains, then can add additional domains, or implement: veja.abril.com.br * 3p-object block
• globally only www.instagram.com: * https://www.instagram.com object block
• globally for all 3p domains, then need to implement * * 3p-object block

[krystian3w]

and Mozilla just forgot to remove it a bug in a browser as Firefox allows something what shouldn't be allowed

I can load image by <embed> and <object> even in Chrome 109.