New issue
Advanced search Search tips

Issue 920531 link

Starred by 2 users

Issue metadata

Status: Unconfirmed
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

CSP injected by uBlock Origin is bypassed on a specific website by a third-party domain which is not whitelisted by CSP

Reported by sscar...@gmail.com, Jan 10

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3668.0 Safari/537.36

Steps to reproduce the problem:
1. Install uBlock Origin from webstore and open My filters page via chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/dashboard.html#1p-filters.html and add ||myanimelist.net^$csp=default-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.myanimelist.net and close the page.

2. Open dev tools and click on Network tab to record net activity and now browse to https://myanimelist.net/anime/21/One_Piece 

3. Notice request to https://ads.rubiconproject.com/ad/13138.js is not blocked by CSP injected by uBlock Origin filter which we added in step 1; it bypasses CSP but ends up getting blocked by a blocking filter in uBlock Origin.  

What is the expected behavior?
Connection request to https://ads.rubiconproject.com/ad/13138.js is blocked by CSP injected by uBlock Origin as this domain is not whitelisted by the CSP.

What went wrong?
Connection request to https://ads.rubiconproject.com/ad/13138.js is NOT blocked by CSP injected by uBlock Origin even though this domain is NOT whitelisted by CSP injected by uBlock Origin.

WebStore page: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en

Did this work before? N/A 

Chrome version: 73.0.3668.0  Channel: canary
OS Version: 10.0
Flash Version: 

Is this a CSP exploit ?
 
If you cannot reproduce on stable, try the latest canary or dev build.
Labels: Needs-Triage-M73
can reproduce this issue since 73.0.3635.0 (Official Build), v72 works fine.
Cc: phanindra.mandapaka@chromium.org
Labels: Triaged-ET Needs-Feedback
Tried to reproduce the issue on reported chrome version 73.0.3668.0 using Windows 10.Attaching screen-cast for reference.
Steps: 
-------
1. Launched reported chrome 
2. Enabled uBlock Origin
3. Opened chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/dashboard.html#1p-filters.html
As we not observed add option in the Myfilters 

@Reporter: Could you please check the attached screencast and let us know if we missed anything form our end and if possible provide screencast for better understanding of this issue.

Thanks.!
920531.mp4
1.5 MB View Download

Comment 5 by sscar...@gmail.com, Jan 18 (4 days ago)

Seems I wasn't clear before. Copy ||myanimelist.net^$csp=default-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.myanimelist.net and paste it in My Filters and click on Apply changes, then close that page. Then follow onwards to step No. 2. 


Project Member

Comment 6 by sheriffbot@chromium.org, Jan 18 (4 days ago)

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by sscar...@gmail.com, Jan 18 (4 days ago)

Just to add some clarification, In step 3, once the recorded network tab activity is populated, look for a network request to https://ads.rubiconproject.com/ad/13138.js and check its "Status", which will show "blocked:other" instead of blocked:csp, which shouldn't have happened because the CSP filter which we added in step 1 doesn't whitelist ads.rubiconproject.com and yet it wasn't blocked by CSP.

Comment 8 by phanindra.mandapaka@chromium.org, Today (19 hours ago)

Labels: Needs-Feedback
As per comment #5 and comment #7, retried the issue on reported chrome version 73.0.3668.0 using Windows 10.Attaching screen-cast for reference.
Steps: 
------
1. Launched reported chrome 
2. Copied and pasted the code link and opened Devtootls > Network tab 
3. Opened https://ads.rubiconproject.com/ad/13138.js 
As we have observed that the page is blocked by uBlock Origin 

@Reporter: Could you please check the attached screencast and confirm the issue and if possible provide screencast for better triaging of this issue.

Thanks.!
920531.mp4
9.4 MB View Download

Comment 9 by sscar...@gmail.com, Today (19 hours ago)

-Sigh-, somehow myanimelist.net domain is whitelisted in your screenshot, please remove that whitelisted entry from uBO from chrome-extension://cgbcahbpdhpcegmbfconppldiemgcoii/dashboard.html#whitelist.html and deleting the entry and clicking apply changes, otherwise uBO cannot do anything if the domain is whitelisted like that.

@ woxxom@gmail.com Can you please help ? 
Project Member

Comment 10 by sheriffbot@chromium.org, Today (19 hours ago)

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by sscar...@gmail.com, Today (19 hours ago)

@ phanindra.mandapaka@chromium.org see the screencast I have attached.

The request is blocked, but NOT blocked by CSP we added in My Filters, that's the issue. Do you understand now ?



9236afcfdde73c20ec37163899ff63fa.mp4
153 KB View Download

Comment 12 by sscar...@gmail.com, Today (19 hours ago)

@ karandeepb@chromium.org please take a look into this.

Sign in to add a comment