Ghostery causing PWA install prompt spam #1582
Comments
Maybe this isn't scary and caused by something else - but it does seem to only repro with ghostery.
There is definitely a Chromium bug, but this extension seems to make everything worse.... might be a bug here too.
@dmurph Thank you for your report! When reproducing I was able to crash Chromium, so something is definitely off. Was able to identify that it is one of Ghostery's core features - the Never-Consent - that triggers the Chromium bug. As you have correctly noticed, this feature emulates user gestures to interact with Consent Managers to opt out from all tracking on users' behalf. So the Ghostery functionality works as expected. For your information, this feature is implemented by the autoconsent library. I've notified their authors, as more users beyond Ghostery may be affected. Will look into this deeper; maybe we can identify a rule that is responsible and implement it differently.
I believe this has to do with the beforeinstallprompt catching a 'user gesture' when it really should never catch one. I guess user gestures are kind of 'on for some amount of time' for every js event? I would love to disable this for this specific event handler call, not sure how to do that yet.
Circling back here - I don't see an obvious way to prevent user activation detection on a specific event listener. It does seem like having the ghostery extension installed with the autoconsent library causes more events to have the 'user activation' gesture active. This is a dangerous thing to do, and I hope something else can be implemented instead. By doing this you're opening up the user to dangerous stuff - one example is that websites can spam permission requests. Example: various dangerous APIs use this to prevent spamming the user and malicious behavior. WebUSB is another, I believe bluetooth as well?
More things that can happen:
See more APIs that reference sticky activation here and user activation here. That means something in that spec is guarded on user activation. There may be more terms, I'm not sure (hard to look up a list of all things that use user activation).
Needs more testing, but it looks like it is only an issue on Ghostery 8 (on Chrome). But I think it is not the autoconsent library, and also the upcoming Ghostery 10 version seems to be unaffected. (For details, see duckduckgo/autoconsent#443 (comment)) To simplify testing, we can use the test site that @dmurph has created:
With Ghostery 8 (on Chrome), I get the "install app" popup. However, with Ghostery 10 (built locally following the steps in https://github.com/ghostery/ghostery-extension/tree/main/extension-manifest-v3), I cannot reproduce any longer.
Can also be reproduced with Ghostery 8 on Edge, but again not with Ghostery 10. Same with Opera, which is already using Ghostery 10. Since we submitted Ghostery 10 to review on Edge, it will show if it solves the problem. For now, I will update the tags: removing NeverConsent, but adding Ghostery 8.
Thanks so much for the debugging!
Removing the "edge" label, since Ghostery 10 has been released on Edge.
@philipp-classen I am able to repro in Edge Canary 127.0.2599.0 with Ghostery 10.3.2, though this time the spamming has stopped. The prompt shows up once ~5 clicks with @dmurph's example site https://motley-petite-friday.glitch.me/
That behavior is unfortunately the chromium bug, so currently that is WAI according to spec.
Ghostery 10 has just been released on Chrome. With that it should be fixed on all platforms. (Firefox is still on Ghostery 8, but it is not affected.)
@dmurph Feel free to re-open if the issue still exists in the v10.x version of the extension.
Hello,
Sites that are promotable and use the beforeinstallprompt API can spam ghostery users with install prompts. They just have to specify this as their beforeinstallprompt event handler:
Example: https://parkseed.com/, click on any link from their menu bar.
During normal operation, this should simply print the following to the console:
With ghostery installed, it does this, AND somehow the 'prompt()' call here is activated, meaning that ghostery has somehow caused this event handler to be fired again with the 'user gesture' flag set.
So the simple test case is:
Expected:
Actual:
As a separate note.... it's pretty concerning that Ghostery is triggering JavaScript event listener code and pretending to be a user gesture. This user gesture flag is used to prevent malicious API usage that at a minimum spams the user, like the PWA install prompt. Can whatever functionality that needs to do this be redesigned, or at least locked down so it doesn't call any random event listener again? This is pretty scary.
Corresponding chromium issue: https://crbug.com/338254614
Test site: https://motley-petite-friday.glitch.me/
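As an added example (not code from the issue, the reporter's test site, or the Ghostery/autoconsent projects), this is the site-side pattern that is robust to the behaviour described above: the `beforeinstallprompt` handler only records the event and whether `navigator.userActivation.isActive` was set, and `prompt()` is called solely from a dedicated install button, at most once per page load. The browser objects are injected as constructed stand-ins so the logic runs outside a browser.

```javascript
// Creates a gate around the PWA install prompt. The beforeinstallprompt handler
// never calls event.prompt(); a stray user-activation flag on that event (the
// symptom reported in this issue) therefore cannot surface an install dialog.
function createInstallGate({ log = console.log } = {}) {
  let deferred = null;   // saved BeforeInstallPromptEvent, if any
  let prompted = false;  // prompt() runs at most once per page load
  const firings = [];    // diagnostic record of each beforeinstallprompt event

  // Handler for 'beforeinstallprompt'. navigatorLike is window.navigator in a
  // real page; it is passed in here so the function is testable standalone.
  function onBeforeInstallPrompt(event, navigatorLike) {
    event.preventDefault(); // suppress the browser's own mini-infobar
    const ua = navigatorLike && navigatorLike.userActivation;
    const active = Boolean(ua && ua.isActive);
    firings.push({ at: Date.now(), userActivation: active });
    if (active) log("beforeinstallprompt arrived with user activation set; deferring anyway");
    deferred = event;
    return false; // nothing was prompted from the event handler
  }

  // Click handler for a visible "Install" button. Returns true only if the
  // prompt was actually invoked on this click.
  function onInstallClick() {
    if (!deferred || prompted) return false;
    prompted = true;
    const result = deferred.prompt(); // in browsers: Promise<{ outcome, platform }>
    deferred = null;
    if (result && typeof result.then === "function") {
      result.then((r) => log("install prompt outcome: " + r.outcome));
    }
    return true;
  }

  return { onBeforeInstallPrompt, onInstallClick, firings: () => firings.slice() };
}

// Constructed stand-in for a BeforeInstallPromptEvent (not a real DOM object).
// promptCalls.count records how many times prompt() was invoked.
function makeFakeInstallEvent(promptCalls) {
  return {
    preventDefault() {},
    prompt() {
      promptCalls.count += 1;
      return Promise.resolve({ outcome: "accepted", platform: "web" });
    },
  };
}
```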