CSP injected by uBlock Origin is bypassed on a specific website by a third-party domain which is not whitelisted by CSP
Reported by
sscar...@gmail.com,
Jan 10
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3668.0 Safari/537.36

Steps to reproduce the problem:
1. Install uBlock Origin from webstore and open My filters page via chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/dashboard.html#1p-filters.html and add
   ||myanimelist.net^$csp=default-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.myanimelist.net
   and close the page.
2. Open dev tools and click on Network tab to record net activity and now browse to https://myanimelist.net/anime/21/One_Piece
3. Notice request to https://ads.rubiconproject.com/ad/13138.js is not blocked by CSP injected by uBlock Origin filter which we added in step 1; it bypasses CSP but ends up getting blocked by a blocking filter in uBlock Origin.

What is the expected behavior?
Connection request to https://ads.rubiconproject.com/ad/13138.js is blocked by CSP injected by uBlock Origin as this domain is not whitelisted by the CSP.

What went wrong?
Connection request to https://ads.rubiconproject.com/ad/13138.js is NOT blocked by CSP injected by uBlock Origin even though this domain is NOT whitelisted by CSP injected by uBlock Origin.

WebStore page: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
Did this work before? N/A
Chrome version: 73.0.3668.0 Channel: canary
OS Version: 10.0
Flash Version:

Is this a CSP exploit?
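Added example, not part of the original report and not code from uBlock Origin or Chromium: a simplified JavaScript check of which script URLs the source list in the step 1 filter covers, which is the basis for the expectation that the rubiconproject.com request should be refused by CSP. The function names and the cdn.myanimelist.net and myanimelist.net sample paths are constructed; ports, paths, nonces and hashes in source expressions are not handled.

```javascript
// Added example: simplified CSP source-list check (assumption: ports, paths,
// nonces and hashes are ignored). Policy text is the one from step 1.
const FILTER_POLICY =
  "default-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.myanimelist.net";

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false; // keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase(); // scheme-source, e.g. https:
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // A host-source without a scheme inherits the scheme of the page.
  const scheme = (m[1] || page.protocol.slice(0, -1)).toLowerCase();
  // An http source also matches the https upgrade of the same host.
  const schemeOk = url.protocol === scheme + ':' ||
    (scheme === 'http' && url.protocol === 'https:');
  const host = m[2].toLowerCase();
  const hostOk = host === '*' ? true
    : host.startsWith('*.') ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
  return schemeOk && hostOk;
}

// True when `policy` would let a page at pageUrl load requestUrl as a script.
function cspAllowsScript(policy, requestUrl, pageUrl) {
  const directives = parsePolicy(policy);
  const sources = directives.get('script-src-elem') ??
    directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no directive governs scripts
  const url = new URL(requestUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}
```

For the page in step 2, `cspAllowsScript` returns false for https://ads.rubiconproject.com/ad/13138.js and true for a script served from cdn.myanimelist.net or from myanimelist.net itself.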
,
Jan 10
,
Jan 13
Can reproduce this issue since 73.0.3635.0 (Official Build); v72 works fine.
,
Jan 18
(4 days ago)
Tried to reproduce the issue on reported chrome version 73.0.3668.0 using Windows 10. Attaching screen-cast for reference.

Steps:
1. Launched reported chrome
2. Enabled uBlock Origin
3. Opened chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/dashboard.html#1p-filters.html

We did not observe an add option in My filters.

@Reporter: Could you please check the attached screencast and let us know if we missed anything from our end and, if possible, provide a screencast for better understanding of this issue.

Thanks!
,
Jan 18
(4 days ago)
Seems I wasn't clear before. Copy ||myanimelist.net^$csp=default-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.myanimelist.net and paste it in My Filters and click on Apply changes, then close that page. Then follow onwards to step No. 2.
,
Jan 18
(4 days ago)
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 18
(4 days ago)
Just to add some clarification: in step 3, once the recorded network tab activity is populated, look for a network request to https://ads.rubiconproject.com/ad/13138.js and check its "Status", which will show "blocked:other" instead of "blocked:csp", which shouldn't have happened because the CSP filter which we added in step 1 doesn't whitelist ads.rubiconproject.com and yet it wasn't blocked by CSP.
,
Today
(19 hours ago)
As per comment #5 and comment #7, retried the issue on reported chrome version 73.0.3668.0 using Windows 10. Attaching screen-cast for reference.

Steps:
1. Launched reported chrome
2. Copied and pasted the code link and opened DevTools > Network tab
3. Opened https://ads.rubiconproject.com/ad/13138.js

We observed that the page is blocked by uBlock Origin.

@Reporter: Could you please check the attached screencast and confirm the issue and, if possible, provide a screencast for better triaging of this issue.

Thanks!
,
Today
(19 hours ago)
-Sigh-, somehow the myanimelist.net domain is whitelisted in your screenshot. Please remove that whitelisted entry from uBO at chrome-extension://cgbcahbpdhpcegmbfconppldiemgcoii/dashboard.html#whitelist.html by deleting the entry and clicking Apply changes; otherwise uBO cannot do anything if the domain is whitelisted like that. @woxxom@gmail.com Can you please help?
,
Today
(19 hours ago)
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Today
(19 hours ago)
@phanindra.mandapaka@chromium.org see the screencast I have attached. The request is blocked, but NOT blocked by the CSP we added in My Filters; that's the issue. Do you understand now?
,
Today
(19 hours ago)
@karandeepb@chromium.org please take a look into this.
Comment 1 by sscar...@gmail.com
, Jan 10