CSP prevents advanced rules #917

Closed · AdamWr opened this issue Oct 19, 2023 · 1 comment

Comments

AdamWr (Member) commented Oct 19, 2023

It's related to this issue - AdguardTeam/AdguardFilters#163515 - the problem is that sponsored posts are not blocked on facebook.com; it happens with the Safari extension and the app for iOS.
It looks like script execution is blocked by CSP:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

I'm aware that this is a duplicate of #304; there is also a similar issue in the browser extension repository - AdguardTeam/AdguardBrowserExtension#1733 - with a link to a possible fix - AdguardTeam/AdguardBrowserExtension#1733 (comment)

As far as I understand, this is used to execute advanced rules/scripts:

```javascript
const executeScripts = scripts => {
  // Wrap with try catch
  scripts.unshift('( function () { try {');
  scripts.push("} catch (ex) { console.error('Error executing AG js: ' + ex); } })();");
  const scriptTag = document.createElement('script');
  scriptTag.setAttribute('type', 'text/javascript');
  scriptTag.textContent = scripts.join('\r\n');
  const parent = document.head || document.documentElement;
  parent.appendChild(scriptTag);
  if (scriptTag.parentNode) {
    scriptTag.parentNode.removeChild(scriptTag);
  }
};
```

Unfortunately, it looks like this approach is blocked by the website's Content Security Policy.
So maybe something like this:

```javascript
const executeScripts = scripts => {
  // Wrap with try catch
  scripts.unshift('( function () { try {');
  scripts.push("} catch (ex) { console.error('Error executing AG js: ' + ex); } })();");

  // Serve the code from a blob: URL instead of an inline <script> body
  const blob = new Blob([scripts.join('\r\n')], {
    type: 'text/javascript'
  });
  const url = URL.createObjectURL(blob);
  const scriptTag = document.createElement('script');
  scriptTag.setAttribute('type', 'text/javascript');
  scriptTag.src = url;
  // Release the blob URL and drop the tag once the script has been fetched
  scriptTag.onload = scriptTag.onerror = () => {
    URL.revokeObjectURL(url);
    if (scriptTag.parentNode) {
      scriptTag.parentNode.removeChild(scriptTag);
    }
  };

  const parent = document.head || document.documentElement;
  parent.appendChild(scriptTag);
};
```

could be used as a workaround; it seems to work, at least in the browser's console while debugging.

maximtop (Contributor) commented:

It will help only in the case of Facebook, where blobs are not blocked by CSP policies.
It seems worth adding as an additional way.
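Both comments above turn on what the page's script-src directive admits: an inline script body is refused unless the policy carries 'unsafe-inline', a matching nonce or a matching hash, and a blob: src is refused unless the policy lists the blob: scheme, which is why the workaround helps on sites like Facebook and not elsewhere. The following is an added example and not code from this issue or from the AdGuard project: a small JavaScript evaluator (runs under Node, no DOM needed) that parses a Content-Security-Policy header and predicts both outcomes. The function names parseCsp, effectiveScriptSources, inlineScriptAllowed, blobScriptAllowed and injectionVerdict are this example's own, the sample policies are constructed, and the matching is an approximation of CSP Level 3: 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' source is present, and a blob: script counts as allowed only when blob: is listed explicitly ('self' and * are assumed not to cover blob: URLs, which is how current browsers behave).

```javascript
// Added example: evaluate the script-src part of a Content-Security-Policy
// header. Not AdGuard code; all names here were chosen for this example and
// the policies at the bottom are constructed samples.

// Split a serialized policy into a Map of directive name -> source list.
// A repeated directive is ignored: per the CSP spec the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The directive that governs <script> elements: script-src-elem, then
// script-src, then default-src. Returns null when the policy sets no limit.
function effectiveScriptSources(directives) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// Strip the surrounding quotes from keyword, nonce and hash expressions.
const unquote = expr => expr.replace(/^'(.*)'$/, '$1');

// Would an inline <script> body run? nonce / sha256 describe the attributes
// the injected tag carries (an extension-injected tag normally has neither).
function inlineScriptAllowed(header, { nonce, sha256 } = {}) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  const exprs = sources.map(unquote);
  const keywords = exprs.map(e => e.toLowerCase());
  if (keywords.includes('none')) return false;
  // Nonce and hash values are case-sensitive, so compare them as written.
  if (nonce && exprs.includes(`nonce-${nonce}`)) return true;
  if (sha256 && exprs.includes(`sha256-${sha256}`)) return true;
  // 'unsafe-inline' is ignored as soon as a nonce, hash or 'strict-dynamic'
  // source appears in the same directive.
  const hasNonceOrHash = keywords.some(
    k => k.startsWith('nonce-') || /^sha(256|384|512)-/.test(k)
  );
  if (hasNonceOrHash || keywords.includes('strict-dynamic')) return false;
  return keywords.includes('unsafe-inline');
}

// Would <script src="blob:..."> load? Assumption of this example: only an
// explicit blob: scheme source matches; '*' and 'self' do not cover blob:.
function blobScriptAllowed(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  const keywords = sources.map(unquote).map(e => e.toLowerCase());
  if (keywords.includes('none')) return false;
  return keywords.includes('blob:');
}

// Summarise both injection strategies for one policy.
function injectionVerdict(header) {
  return { inline: inlineScriptAllowed(header), blob: blobScriptAllowed(header) };
}

// Constructed sample policies (not copied from any real site).
const SAMPLE_POLICIES = {
  noPolicy: '',
  nonceOnly: "default-src 'self'; script-src 'nonce-r4nd0m' https://static.example",
  nonceAndBlob: "default-src 'self'; script-src 'nonce-r4nd0m' blob: https://static.example",
  looseInline: "script-src 'self' 'unsafe-inline'",
};

for (const [name, policy] of Object.entries(SAMPLE_POLICIES)) {
  console.log(name, injectionVerdict(policy));
}
```

For the nonceOnly policy the verdict is `{ inline: false, blob: false }`, matching the console error quoted in the issue, while nonceAndBlob yields `{ inline: false, blob: true }`, which is the situation the blob workaround relies on. Checking the response header this way before deciding how to inject is cheaper than discovering the refusal from the console.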

adguard pushed a commit that referenced this issue Oct 27, 2023
Squashed commit of the following:

commit 55a3e6a
Author: Maxim Topciu <mtopciu@adguard.com>
Date:   Tue Oct 24 18:33:43 2023 +0300

    AG-26912 add logging

commit 3dfce09
Author: Maxim Topciu <mtopciu@adguard.com>
Date:   Tue Oct 24 17:34:57 2023 +0300

    AG-26912 try to inject a script also as a blob