
@jspenguin2017
Contributor

Add new scriptlet to auto-accept cookie notices.

Fixes:
#881
#1275
#2054

@mapx-
Contributor

mapx- commented Apr 26, 2018

@gorhill

@gorhill
Member

gorhill commented Apr 26, 2018

I want to think more about this; basically I want to figure out what could go wrong by having filters which can automatically click stuff. These make me uncomfortable. My first thought is that this should at least apply only to visible elements. The question to answer is how could this be misused by either filter list maintainers or site owners.

@jspenguin2017
Contributor Author

Yea... I was hesitating about this for a while too, but since it only scans the DOM once and the click isn't trusted, I guess it's safe enough. I don't think this is any more dangerous than set-constant.js.

@jspenguin2017
Contributor Author

How do you like the idea of privileged filters? Scriptlets that are on the line of being too overpowered are guarded behind a privileged flag, so only trusted filters can use them.

@migueldemoura

migueldemoura commented May 2, 2018

I haven't tested this, but having scriptlets that can essentially execute requests sounds like a really bad idea.

Please correct me if I'm wrong, but from this example taken from the updated annoyances.txt:
hardware.info##script:inject(nano-click-elements-onready.js, .cookiecontainer > .cookie > button#decision[name="accept"])

What if I replace that button by a "delete account" or "accept X" button? Or any other with side-effects?

You can even chain requests with this, all bypassing request tokens and the like. This is potentially dangerous.

@jspenguin2017
Contributor Author

Yea... I'll mark the script snippet as privileged.

@jspenguin2017
Contributor Author

Actually, that was my proposal, @gorhill do you want a "privileged scriptlet" system in uBO? I can PR.

@migueldemoura

Can you elaborate on how that'd work, @jspenguin2017? Those filters would have to come from uAssets?

@gorhill
Member

gorhill commented May 2, 2018

No, for now I prefer not to pull this, privileged or not, especially since the only cases this solves are merely in the annoyance category.

@jspenguin2017
Contributor Author

Alright.

@jspenguin2017
Contributor Author

jspenguin2017 commented May 2, 2018

@migueldemoura
When compiling filters, if the filter list is not privileged and it references a privileged resource, the rule is discarded.

More info:
https://github.com/NanoAdblocker/NanoCore/blob/master/notes/advanced-settings.MD#_nanomakeuserfiltersprivileged-toggleable
https://github.com/NanoAdblocker/NanoCore/blob/master/src/js/nano-bg.js#L100

Also, here's the patch on my side.
NanoAdblocker/NanoCore@5aa05d6

@migueldemoura

Got it, thanks @jspenguin2017.

@DrIT2016

DrIT2016 commented May 5, 2018

@jspenguin2017 since these new scriptlets the cookiewall isn't blocked anymore on some sites (e.g. marktplaats and hardware.info). Can you please have a look?
Still using uBlock with advanced userResourcesLocation "https://raw.githubusercontent.com/NanoAdblocker/NanoFilters/master/NanoFilters/NanoResources.txt" and filter "https://raw.githubusercontent.com/NanoAdblocker/NanoFilters/master/NanoFilters/NanoAnnoyance.txt"

@jspenguin2017
Contributor Author

jspenguin2017 commented May 5, 2018

@DrIT2016
Because uBO is not aware of privileged scriptlets, I can't allow them to run in uBO for security reasons.
All privileged scriptlets start with nanop-, which includes nanop-click-elements-onready.js and nanop-easy-set-cookie.js that are designed to deal with cookie walls.
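
The compile-time gate described in the two comments above, sketched as an added example that is not part of the thread and is not NanoCore's own code. It assumes a scriptlet is privileged exactly when its resource name starts with `nanop-`; `compileList` and the sample list are hypothetical.

```javascript
// Added example, not NanoCore's code. Assumption: a scriptlet is privileged
// exactly when its resource name starts with "nanop-" (the prefix named above).
const PRIVILEGED_PREFIX = 'nanop-';

// Matches the script:inject(...) filter form quoted earlier in the thread and
// captures the resource name (the first argument).
const INJECT_RE = /##script:inject\(\s*([^,)\s]+)\s*(?:,|\))/;

// Returns the injected resource name, or null for any other kind of filter.
function injectedResource(line) {
  const m = INJECT_RE.exec(line);
  return m ? m[1] : null;
}

// Hypothetical compile step: keeps every rule the list is allowed to use and
// reports the rules discarded because an unprivileged list referenced a
// privileged scriptlet.
function compileList(text, { privileged }) {
  const kept = [];
  const discarded = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('!')) continue; // blank line or comment
    const resource = injectedResource(line);
    // Compare case-insensitively so a differently cased prefix fails closed.
    const needsPrivilege =
      resource !== null && resource.toLowerCase().startsWith(PRIVILEGED_PREFIX);
    if (needsPrivilege && !privileged) {
      discarded.push(line);
    } else {
      kept.push(line);
    }
  }
  return { kept, discarded };
}

// Constructed sample list; the example.com entries are made up.
const SAMPLE = [
  '! constructed sample',
  'example.com##.cookie-banner',
  'example.com##script:inject(nanop-click-elements-onready.js, button#accept)',
  'example.com##script:inject( NANOP-easy-set-cookie.js, consent, 1)',
  'example.com##script:inject(set-constant.js, foo, true)',
].join('\n');

console.log(compileList(SAMPLE, { privileged: false }));
```

Because the decision is made per list at compile time, a discarded rule never reaches the page, and the same list loaded by an engine without this gate would run the scriptlet unguarded.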

@DrIT2016

DrIT2016 commented May 5, 2018

So because of these changes it is no longer possible to have this advanced cookie blocking work in uBO? That's a real pity, I liked it. So the only way to let it work now is to use the nanoadblocker?

@jspenguin2017
Contributor Author

jspenguin2017 commented May 5, 2018

@DrIT2016
Security first, @migueldemoura had a good point so for now nanop- scriptlets will only work in Nano.
Maybe it'll change in the future but that's up to @gorhill.
