Unable to block browser take-over scripts in malware/phishing sites, or at least block redirects to such sites

[vassudanagunta]

An evil and ever more common phishing trick is to redirect a search result to a site that throws up an impossible to dismiss popup window warning that your system is comprimised by viruses. For example:

(warning, do not click on these unless you're prepared to kill your browser)
http://mac-system-alert.com/warning.html
http://informationdoc.com/rr/

I've made many attempts to craft custom filters and dynamic filters to prevent these. I'm pretty sure there is no way to do so. NoScript would do the trick, but it doesn't exist for Safari. It seems like this is something that uBlock could or should do.

This article describes the problem and maintains a list of such sites:
https://sites.google.com/site/appleclubfhs/support/advice-and-articles/browser-popup-hijack-safari

[gorhill]

Blocking inline scripts worked for the two sites offered as example. Inline script can be blocked using static filtering:

||mac-system-alert.com^$inline-script
||informationdoc.com^$inline-script

Further adding:

||mac-system-alert.com^
||informationdoc.com^

Cripples them more.

[gorhill]

Actually just using plain:

||mac-system-alert.com^
||informationdoc.com^

Worked too.

https://sites.google.com/site/appleclubfhs/support/advice-and-articles/browser-popup-hijack-safari

Someone should use the information in that list to create a ABP/uBlock compatible filter lists which I would enable by default in uBlock.

[gorhill]

Closed due to lack of feedback.

[vassudanagunta]

Sorry I didn't get back to you quicker. It is not working for me. Maybe I am doing something wrong? I added all of the following to the My Filters tab of uBlock Dashboard:

||mac-system-alert.com^$inline-script
||informationdoc.com^$inline-script
||mac-system-alert.com^
||informationdoc.com^

Then I clicked on http://mac-system-alert.com/warning.html, at which point a popup hijacked Safari and I was forced to force-quit Safari to escape.

[gorhill]

Maybe Safari does not support the blocking of inline scripts, I don't remember.

Some thoughts...

These sites are definitely a threat to users. One thing that would work is to block the main document, i.e. the root document would not be downloaded from the site. This is something that ABP filter syntax does not semantically support.

There is the document option, but it is always used as an exception in ABP. So I propose that uBlock support the document option for when a whole document has to be blocked. document option as an exception still won't be supported though, as per #5.

[vassudanagunta]

Thanks for reopening. I'd like to understand what's going on better, and help in any way I can (though I'm a novice JS coder).

I get that ||mac-system-alert.com^$inline-script may not work because of a Safari limitation, but I am unclear about ||mac-system-alert.com^. Is it because ABP filter rules only apply to resources of a page, but never the page itself? In other words, this rule only limits loading images, frames, and scripts from mac-system-alert.com referenced by any root document, but it does not prevent loading of root pages on that domain, such as by clicking on http://mac-system-alert.com/warning.html?

I can attempt to implement the JS if it would help... in which case some clues as to where I should start looking at the code would be helpful :)

[gorhill]

Is it because ABP filter rules only apply to resources of a page, but never the page itself?

Yes.

I believe document is not used anymore anywhere in a blocking filter, so we can resurrect its original purpose, which was to block the pages themselves. In uBlock, I will probably choose to redirect to about:blank.

[vassudanagunta]

I think it a strange and inconsistent syntax that ||mac-system-alert.com^$document would be "greater" than ||mac-system-alert.com^ rather than the other way around.

As to redirect, I would recommend redirecting to a static (hardcoded) page explaining what just happened, perhaps even showing the list and filter rule that applied.

[ghost]

I believe document is not used anymore anywhere in a blocking filter, so we can resurrect its original purpose, which was to block the pages themselves. In uBlock, I will probably choose to redirect to about:blank.

Hm, I wonder why is this necessary? Those sites can already be blocked in uBlock either by Dynamic Filtering or by simply adding the hostname to My Filters. Using document could be a future incompatibility if ABP ever reintroduces this option in some other way.

EDIT: Not quite ....

[vassudanagunta]

Ok, I looked at https://adblockplus.org/en/filter-cheatsheet and now understand that $ is used for options, and what the syntax is saying is that by default filters only apply to resources, and that if you want them to apply to root pages, you must use an option, in this case document. If so, I guess it's not inconsistent. Would be less strange for the default to be everything, and an option required for the filter to only apply to resources, but of course you can't change ABP filter syntax.

[gorhill]

@tlu1024 Because to prevent the behavior reported in issue, one need to block inline script, which I believe is not possible in Safari -- whether through static or dynamic filtering.

Anyways, the ability to whole block a site has been requested before, and here we have a very valid reason for this: those sites are dangerous, it's their primary purpose. To have the ability to block them whole is a good thing, especially for non-technical users, who are actually the target for such sites.

The original purpose of document was to block the page, so I am just complying with the definition. What changed is that nobody use it anymore as blocking filter. I will just bring back support for its defined use as blocking filter option.

[vassudanagunta]

@tlu1024 Because to prevent the behavior reported in issue, one need to block inline script, which I believe is not possible in Safari -- whether through static or dynamic filtering.

Confirmed. The dynamic filter * mac-system-alert.com * block did not prevent loading the page in Safari, and neither did any of the following in My Filters:

||mac-system-alert.com^$inline-script 
||mac-system-alert.com^
mac-system-alert.com

@gorhill, thank you for understanding the importance for this! I'm thinking hard about ways to get more of the Internet, especially non-technical people, to protect themselves and join the fight against malicious, dishonest or privacy invading behavior. Tools such as uBlock are a step in the right direction.

[ghost]

There is something I don't understand:

http://mac-system-alert.com/warning.html remains empty regardless if I block it with Dymanic Filtering or by adding mac-system-alert.com to My Filters.

But not so with http://informationdoc.com/rr/. If I block that site with Dynamic Filtering I see this:

After blocking also myshopping-blogs.com I see this:

How come? I thought that rules like

* informationdoc.com * block
* myshopping-blogs.com * block

block all net requests?

BTW: How does a filter like

mac-system-alert.com

differ from

||mac-system-alert.com^ ?

EDIT: I'm using Googgle Chrome on Linux.

[gorhill]

But not so with http://informationdoc.com/rr/. If I block that site with Dynamic Filtering I see this

I can't help you if you do not tell me what exactly is "block that site with Dynamic Filtering". Show me rules, filters for each screenshot.

[gorhill]

Static filter mac-system-alert.com means, "block the network request if the substring mac-system-alert.com is found anywhere in the URL".

Static filter ||mac-system-alert.com^ means, "block the network request if the substring mac-system-alert.com matches the hostname of the URL".

[ghost]

I can't help you if you do not tell me what exactly is "block that site with Dynamic Filtering". Show me rules, filters for each screenshot.

Well, I mentioned them in my post above:

* informationdoc.com * block
* myshopping-blogs.com * block

[gorhill]

* informationdoc.com * block blocks everything from informationdoc.com. So resources not from informationdoc.com won't be blocked.

[gorhill]

Well, I mentioned them in my post above

I read your post again, and I have no idea what is unexpected. I am left to guess for what the exact rules are for the first screenshot. I will guess * informationdoc.com * block, then if so, what is unexpected? The images are clearly hosted on myshopping-blogs.com, which again I will guess, was not blocked in the first screenshot.

[ghost]

The images are clearly hosted on myshopping-blogs.com, which again I will guess, was not blocked in the first screenshot.

Right, that's what I said. But even after blocking myshopping-blogs.com the site was crippled but not completely blocked as shown in the second picture.

[gorhill]

If the document is present as a filter option, uBlock will redirect to a page warning the user about the site ahead. Example:

||mac-system-alert.com/warning.html$document

User can go back, close the page, or proceed to the site, which site will be temporarily unblocked (set at 60s currently).

If a user thinks the site is all fine and should not be blocked, setting an allow dynamic rule for that site will override the static filter above (or an exception filter: @@||mac-system-alert.com/warning.html$document).

[ialexsilva]

add buttons (Go Back) and (Close this window)

[gorhill]

You mean to use buttons instead of links?

[ialexsilva]

yes

[gorhill]

Done.

[Madis0]

I would suggest making "Proceed at your own risk" text a link (because the URL is already mentioned) and also displaying the name of the filterset that has this filter if the filter isn't manually added.

[gorhill]

At that point, uBlock has no way to know whether this is a custom filter or not. Looking at the page again, I will change the style of the link to not be code-like looking, but I still prefer to show the URL, just as a reminder of what a user is clicking.

[gorhill]

@Deathamns I tried to uncomment the Firefox code for redirection, but this did not work, some security error at the console about "mac-system-alert.com accessing document-blocked.html" or something like that.

[Deathamns]

@gorhill You can't redirect to privileged context (chrome:) from non-privileged page.
Instead, you could open that address in the tab itself:

if ( result.redirectUrl ) {
    channel.cancel(this.ABORT);
    vAPI.tabs.open({ tabId: details.tabId, url: result.redirectUrl });
    return true;
}

[gorhill]

@Deathamns Thanks, it worked (just added a check for type === 'main_frame').

[gorhill]

Alright, trying to make use of this new code, and I am second-guessing the currently implemented behavior...

Requiring the document option means that special filter lists need to make use of the option in order for the feature here to kick in. However, it makes a lot of sense for say, all entries in malware hosts file to fall under the current behavior: not opening even the main document for any of the entries in there just make sense.

But doing this by default (without the document option) would go counter to ABP filters semantic, which is that main documents are never blocked, and which semantic is respected by uBlock. This means the current document option is likely to be underused, if at all.

One way to make the current feature useful is to offer the user to choose which semantic to use: strict or relax (better worded in the UI so as to be comprehensible by non-advanced users). This would mean I remove the document option, and just evaluate the filters as is for main document if and only if in strict mode.

That kind of feature was requested in the past (#865), and my answer at the time was to install uMatrix which always work in strict mode. The issue in OP here definitely shows that blocking whole pages is in many case often a necessity.

[chrisaljoudi]

@gorhill does it remain a necessity if I implement inline-script blocking for Safari?

[gorhill]

@chrisaljoudi I think yes. If it wasn't for ABP filter semantic, I would probably have done it like in uMatrix. There are benefits to block completely by default a connection for to a bad site -- especially for non-advanced users, because these non-advanced users are even less likely to have globally disabled scripting.

For example I am testing the behavior if it blocks by default the root document with the filter lists as is, and I see benefit already for when blocking popups: the blocked popup won't even be able to have it's payload loaded in the window, not even a connection to the remote server serving the crappy stuff with which nasty popups are made of.

So currently I am aiming at blocking by default, and to have a setting to fall back to ABP mode if someone chooses so, because non-advanced users are the ones to benefit the most from this behavior. So long as it is easy to un-block permanently a site from uBlock's replacement doc in case of false positive, that shouldn't be a problem for anybody I figure.

So I count on the dev build to road-test the idea. The key will be for a user to be able to easily un-block permanently from the replacement doc (it can be done only temporarily currently). I think I will skip publishing a new release next week end so that this is really thoroughly tested for as long as it takes.

[gorhill]

Meanwhile, following @Deathamns comment above, I figure it's better to use the same technique for Chromium, so I had to add a new vAPI.tabs method, which will need to be implemented for other platforms:

vAPI.tabs.replace(tabId, url)

Which purpose is to load a new URL into an existing tab. If the tab does not exist, it's a noop. I didn't want to extend vAPI.tabs.open, it's already complicated enough.

[vassudanagunta]

Newb question: I'd like to help test the dev version on Mac/Safari. How would I do that?

[chrisaljoudi]

@vasvasvas right now that's not possible unless you build it yourself, unfortunately.

[lewisje]

I remember proposing a different option name, $main, for whole-site blocking, precisely because $document was used for a different purpose (maybe main could be used in a whitelist to mean "allow matching URLs to be loaded from the address bar, but not necessarily any sub-resources" while document in a whitelist, in ABP, means "allow all sub-resources to be loaded if the URL in the address bar matches").

With that said, your implementation of whole-site blocking overcomes the issues I ran into when I was hacking away at ABP in 2013, because it allows people to temporarily go through anyway in case of false positives (for example, if you're trying to view a forum about AdSense and it gets blocked).

[drm200]

I'm doing some testing with uBlock ... I have one dynamic rule only: * * * block

I thought that this would block all pages/domains from loading ... But it does not ... if i enter a url like: www.facebook.com ... a portion of the webpage still downloads and loads. If I look at the network log I find that the type "doc" is not being blocked for facebook.com ..

If I understand from the above conversation ... the root page (the "doc" type as shown in the log) is the cause for this ... What is not clear, is how I can work around this problem and block any/all network activiity with the blocked domains. Is this possible with uBlock?