Allow WASM files by default? (discussion)

[fschutt]

URL(s) where the issue occurs

https://edwin0cheng.github.io/unrust/demo/sponza/
https://aochagavia.github.io/rocket_wasm/

(disable the uBlock to see the actual games)

Describe the issue

The problem is that UBlock Origin seems to block all .wasm files by default. This is problematic if WASM wants to be a competitor / replacement for JavaScript (as many people would like it to be). Right now UBlock simply blocks all .wasm files, even though many are not malicious or serve ads, but are rather a replacement for JavaScript files, notably for web games and generally speeding up heavy computations on websites.

Not many users want to be told to disable their AdBlocker to run WASM, which is understandable. I think that WASM files should be handled equally to JS files - if they do contain ads, they get put on a list and get blocked. However, blocking all WASM content is IMO a major inconvenience - many people report the website as "not working", while in reality it's just their ad blocker. So in the end, browsers can support WASM, but if the ad blocker blocks them - not many users will disable uBlock, just to make the page work. Therefore WASM won't gain any traction from developers since it gets blocked by default, but the equivalent JavaScript doesn't get blocked, so developers will continue to use JavaScript and deliver slower than necessary pages.

I wanted to ask if the uBlock Team could allow WASM files by default and if not, what the reasons for this decision are. I am not affiliated with any marketing / ad company, just wanted to ask.

Versions

• Browser/version: Chrome 66.0.3359.139
• uBlock Origin version: v1.16.4

Settings

No changes, default uBlock Origin install:

{
  "timeStamp": 1526512484683,
  "version": "1.16.4",
  "userSettings": {
    "advancedUserEnabled": false,
    "alwaysDetachLogger": false,
    "autoUpdate": true,
    "cloudStorageEnabled": false,
    "collapseBlocked": true,
    "colorBlindFriendly": false,
    "contextMenuEnabled": true,
    "dynamicFilteringEnabled": false,
    "externalLists": [],
    "firewallPaneMinimized": true,
    "hyperlinkAuditingDisabled": true,
    "ignoreGenericCosmeticFilters": false,
    "largeMediaSize": 50,
    "parseAllABPHideFilters": true,
    "prefetchingDisabled": true,
    "requestLogMaxEntries": 1000,
    "showIconBadge": true,
    "tooltipsDisabled": false,
    "webrtcIPAddressHidden": false
  },
  "selectedFilterLists": [
    "user-filters",
    "assets.json",
    "public_suffix_list.dat",
    "ublock-resources",
    "ublock-filters",
    "ublock-badware",
    "ublock-privacy",
    "ublock-abuse",
    "ublock-unbreak",
    "easylist",
    "easyprivacy",
    "malware-0",
    "malware-1",
    "plowe-0",
    "DEU-0"
  ],
  "hiddenSettings": {
    "assetFetchTimeout": 30,
    "autoUpdateAssetFetchPeriod": 120,
    "autoUpdatePeriod": 7,
    "ignoreRedirectFilters": false,
    "ignoreScriptInjectFilters": false,
    "manualUpdateAssetFetchPeriod": 500,
    "popupFontSize": "unset",
    "suspendTabsUntilReady": false,
    "userResourcesLocation": "unset"
  },
  "netWhitelist": "about-scheme\naochagavia.github.io\nchrome-extension-scheme\nchrome-scheme\njsdw.github.io\nlivesplit.github.io\nmoz-extension-scheme\nmsorvig.github.io\nopera-scheme\nvivaldi-scheme\nwyciwyg-scheme\nyoutube.com/*user=sentdex",
  "dynamicFilteringString": "behind-the-scene * * noop\nbehind-the-scene * inline-script noop\nbehind-the-scene * 1p-script noop\nbehind-the-scene * 3p-script noop\nbehind-the-scene * 3p-frame noop\nbehind-the-scene * image noop\nbehind-the-scene * 3p noop",
  "urlFilteringString": "",
  "hostnameSwitchesString": "no-large-media: behind-the-scene false",
  "userFilters": "! 25.4.2018, 07:40:15 https://www.pinterest.at/pin/329818372685562420/\nwww.pinterest.at##.FullPageModal__scroller\n\n! 25.4.2018, 07:40:21 https://www.pinterest.at/pin/329818372685562420/\nwww.pinterest.at##div:nth-of-type(2) > div > div > div:nth-of-type(1) > div:nth-of-type(3)\n\n! 25.4.2018, 07:40:29 https://www.pinterest.at/pin/329818372685562420/\nwww.pinterest.at##body > div:nth-of-type(1) > div > div > div:nth-of-type(1) > div:nth-of-type(3)\n"
}

[okiehsch]

It is blocked by EasyPrivacy with this filter

/.*(\/proxy|\.wasm|\.wsm|\.wa)$/$xmlhttprequest,domain=github.io|rawgit.com|reactor.cc|sickrage.ca|streamplay.to|tubetitties.com|vidfile.net

That means wasm is blocked by default only for the mentioned domains, I do not know why github.io
is one of those domains, probably some where used for crypto-mining purposes, you would have to ask
them.
https://github.com/easylist/easylist

[smed79]

because of the coin mininig https://forums.lanik.us/viewtopic.php?p=133703#p133703

[fschutt]

Okay, so it's not every WASM file, thanks. But wouldn't it be more reasonable to just block the miner scripts specifically and not github.io globally?

[okiehsch]

Like I said it is not my decision, EasyPrivacy has added that filter, though I agree that blocking wasm on all github.io sites is not necessary in my opinion, unless the use of github.io for mining purposes is widespread.
Bearing in mind that github.io sites will have many sites that use wasm for "legitimate" purposes, your example links are a case in point.
@smed79 do you have some "mining" example links?

[smed79]

do you have some "mining" example links?

https://twitter.com/bad_packets/status/957014570085724161

It seems that @github does not care :-/

april-js.github.io
blue-js.github.io
cryweb.github.io
crywebber.github.io
dmitrovna.github.io
dynya-may.github.io
inmu-kun.github.io
marta-js.github.io
mas-onjs.github.io
may-js.github.io
mjija.github.io
my-deltaplan.github.io
ohac.github.io
one-jj.github.io
pizz-tuna.github.io
red-js.github.io
techhome-js.github.io
three-jj.github.io
two-jj.github.io

@ryanbr

[okiehsch]

Well, the site mentioned on twitter - sorteosrd.com - is actually still using a miner, now unrelated to any github.io domain.

[okiehsch]

I still think blocking those github.io domains makes more sense then blocking wasm by default.
@gorhill what do you think about this issue?

[ryanbr]

my thoughts, github arent helping the spread of coin miners using github. the moment we blocked one github address, they'll just cloned many more domains. I'm open to other options, but this method was best way to limit/counter it.

[ryanbr]

tl;dr i'm not going to maintain revolving github domain coinminers 24/7.

[okiehsch]

I'm open to other options

What about using *$csp=worker-src 'none',domain=example.com to disable the mining at example.com
They can use as many github.io domains as they like, there will be no more mining and you now use csp.

[ryanbr]

The bonus here, we eliminate coin miners from sites that aren't known to us. To be honest, I've seen little issues with this (updated) filter. smed79's list of github domains is just small segment of coinmining issue with github. The other option we could tweak the filter to be a little more specific to avoid false positives.

[okiehsch]

smed79's list of github domains is just small segment of coinmining issue with github.

I did not know that the mining issue is a widespread phenomenon on github.io, if that is the case github should do something about it first and foremost in my opinion.

[ryanbr]

agreed.

[ryanbr]

Not sure why this issue report was edited,and my comments removed. Its not a badfilter. Basically this commit will allow coinminer's to sleep easy tonight knowing uBo will allow them to run.

[okiehsch]

I did not remove any of your comments, they are still here and the commit still blocks all wasm requests on github.io except the two domains mentioned by the OP

edwin0cheng.github.io
aochagavia.github.io

[okiehsch]

I just tested it again, unless you are telling me that those two domains are actually used for
cryptomining, I have no clue what

coinminer's to sleep easy tonight knowing uBo will allow them to run

means.

[pushwss]

@ryanbr Please 🙏 shutdown 🙊 and leave this discussion 💥.

[gorhill]

The tweet says:

https://cryweb.github[.]io/ppt/media.js?proxy=ws://crypto-webminer.com:8892?pool=pool.etn.spacepools.org:1111

Can't we use that information to make the filter more specific? (example: ||github.io^*?proxy=ws://crypto-webminer.com)

Blocking all WASM resources on GitHub by default is going to become more and more of an issue. See https://twitter.com/Doomed_Daniel/status/1001521553157378053.

Also, the current filter is sub-optimal, an untokenizable regex-based filter.

[KnicKnic]

@okiehsch

easylist updated their filter to not block github wasm in commit easylist/easylist@5e6a19c does anything need to be done on ublock origin to pick it up, or is it automatic?

If it is automatic how long does it take?

[okiehsch]

easylist updated their filter to not block github wasm in commit easylist/easylist@5e6a19c
does anything need to be done on ublock origin to pick it up, or is it automatic?

I am not sure I understand. the updated filter in EasyList

/.*(\/proxy|\.wasm|\.wsm|\.wa)$/$websocket,xmlhttprequest,domain=reactor.cc|sickrage.ca|sorteosrd.com|streamplay.to

means that this filter will only be applied at the mentioned domains.
They have removed github.io, so .wasm requests will not be blocked.

For uBO users nothing changes.

[KnicKnic]

@okiehsch correct

does anything need to be done on ublock origin to pick up the change, or is it automatic?

If it is automatic how long does it take?

[okiehsch]

If you mean the updated EasyList filter, that list automatically updates every 4 days.

The old EasyList filter was already disabled by uBO-unbreak so no uBO-user will see a difference.

[okiehsch]

You can manually update any list by clicking the clock icon next to it and then click "Update Now".
https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists#update-now

[KnicKnic]

If you mean the updated EasyList filter, that list automatically updates every 4 days.

The old EasyList filter was already disabled by uBO-unbreak so no uBO-user will see a difference.

@okiehsch

uAssets/filters/unbreak.txt

Lines 981 to 986 in 0390dfb

	! https://github.com/uBlockOrigin/uAssets/issues/2309
	/.*(\/proxy|\.wasm|\.wsm|\.wa)$/$websocket,xmlhttprequest,domain=~aochagavia.github.io|~edwin0cheng.github.io|github.io|rawgit.com|reactor.cc|sickrage.ca|sorteosrd.com|streamplay.to|tubetitties.com|vidfile.net,badfilter
	/proxy|$third-party,websocket,xmlhttprequest,domain=github.io|rawgit.com|streamplay.to|tubetitties.com|vidfile.net
	.wasm|$third-party,websocket,xmlhttprequest,domain=github.io|rawgit.com|streamplay.to|tubetitties.com|vidfile.net
	.wsm|$third-party,websocket,xmlhttprequest,domain=github.io|rawgit.com|streamplay.to|tubetitties.com|vidfile.net
	.wa|$third-party,websocket,xmlhttprequest,domain=github.io|rawgit.com|streamplay.to|tubetitties.com|vidfile.net

seems to add the rule.

I can repro the problem by going to https://knicknic.github.io/wasm-imagemagick/index.1.2.3.html

that was fixed in easylist/easylist@5e6a19c

[gorhill]

They changed the filter in EasyPrivacy to:

/.*(\/proxy|\.wasm|\.wsm|\.wa)$/$websocket,xmlhttprequest,domain=reactor.cc|sickrage.ca|sorteosrd.com|streamplay.to

So we need to update the badfilter.