Add a scriptlet to set any of data attribute src of img #2347

Closed
8 tasks done
Yuki2718 opened this issue Oct 29, 2022 · 13 comments
Labels
enhancement New feature or request fixed issue has been addressed

Comments

@Yuki2718

Yuki2718 commented Oct 29, 2022

Prerequisites

  • I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
  • This is not a support issue or a question. For any support, questions or help, visit /r/uBlockOrigin.
  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
  • The issue is not present after disabling uBO in the browser.
  • I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

  • uBO is the only extension.
  • uBO uses default lists and settings.
  • using a new, unmodified browser profile.

Description

Related issues:
AdguardTeam/AdguardFilters#132525 (uBlockOrigin/uAssets#15341)
AdguardTeam/AdguardFilters#132814
AdguardTeam/AdguardFilters#132922
(past)
uBlockOrigin/uAssets#13982 (AdguardTeam/AdguardFilters#119946)

These sites set data-sco-src attribute as real image path and lazyload images only if ads are unblocked. Currently there's no way for uBO to fix this other than whitelisting, but on AG this rule works: youpouch.com,rocketnews24.com#%#AG_onLoad(function(){const a=document.querySelectorAll("img[data-sco-src]");a.forEach(a=>{const b=a.getAttribute("data-sco-src");a.setAttribute("src",b),a.style.opacity="1"})});. This is not the first time I see the technique: although no more reproducible, syosetu.top in uBlockOrigin/uAssets#13982 did the same and as you see in mapx-'s commit there was no way other than whitelisting syosetu.top/cdn-cgi/zaraz/s.js which is a real ad script. Given this is used at least twice by different groups, I guess we should have a generic way to counter. Pls note, rocketnews24.com and its sister sites are now in ongoing cat-and-mouse game and I guess they started kinda A/B test. You may not be able to reproduce due to this and I myself took some time to take the screenshot.

rocketnews24

A specific URL where the issue occurs.

https://rocketnews24.com/2017/01/20/852372/

Steps to Reproduce

  1. Visit the site and if some images are not loaded, see they have data-sco-src attribute and are lazyloaded only if bunch of whitelists (in Japanese filters) are added.
  2. If loaded fine, that's a case data-sco-src is not set and currently rocketnews24.com##+js(set, navigator.webdriver, true) is working fine. IDK what can be done.

Expected behavior

We should have a scriptlet like ##+js(set-src, data-sco-src, .lazy)

Actual behavior

Not available

uBO version

1.44.4

Browser name and version

Chrome 107.0.5304.88

Operating System and version

Windows 10

@gwarser gwarser added the enhancement New feature or request label Oct 29, 2022
@gorhill
Member

gorhill commented Oct 29, 2022

sites are now in ongoing cat-and-mouse game

Meaning that if I would add such scriptlets (which is frowned upon here security-wise because it's about creating information which didn't exist), those sites would move to doing something else which would render those worrying scriptlets pointless? How is it worth it after all?

@Yuki2718
Author

Yuki2718 commented Oct 29, 2022

As I wrote, the technique was also used in uBlockOrigin/uAssets#13982 in past. This is a kind of something those who implement anti-adb can generally think of. As to security concern, it does not actually add non-existent: it sets data attribute set by the site as src. Probably it can be restricted to work only for img tag and only if the data attribute is valid image URL.

@gorhill
Member

gorhill commented Oct 29, 2022

Ok, so it's about moving a value from one to-be-specified attribute to the src attribute. Probably best to also limit to specific tags, i.e. img, video, audio.

@uBlock-user
Contributor

uBlock-user commented Oct 30, 2022

For rocketnews, *$script,redirect-rule=noopjs,3p,domain=rocketnews24.com works.

@Yuki2718
Author

For rocketnews, *$script,redirect-rule=noopjs,3p,domain=rocketnews24.com works.

More specifically ||fundingchoicesmessages.google.com^$script,redirect=noop.js,domain=rocketnews24.com,important so they kinda returned to uBlockOrigin/uAssets#15341 (comment) . I'll adjust.

@stephenhawk8054
Member

stephenhawk8054 commented Oct 31, 2022

Looks like same situation happens for soranews24.com too. I'm not sure if there are other better options?

uBlockOrigin/uAssets@dc60c26

@Yuki2718
Author

Another case this is/was useful: AdguardTeam/Scriptlets#106 (comment)

@mtxadmin

mtxadmin commented Jul 6, 2023

uBlockOrigin/uAssets#18851

Thanks to @MasterKia for pointing to this feature request.

@gorhill
Member

gorhill commented Jul 6, 2023

I added set-attr as per AdGuard's set-attr scriptlet.

However I extended the possible value: If the value starts and ends with square brackets, i.e. [identifier], the scriptlet in uBO will lookup the attribute identifier on the same element and use the result as the value to use for the attribute to be set -- so essentially this allows to copy the value of one attribute to another attribute on the same element.
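
The attribute-copy behaviour described in the comment above, as an added example that is not part of the thread and is not uBO's source. `FakeElement`, `resolveValue`, `isSafeSrc` and `setAttr` are hypothetical names, and the tag and URL-scheme restrictions are an assumption modelled on the limits suggested earlier in the discussion (img, video, audio; valid image URL):

```javascript
// Stand-in for a DOM element so the sketch runs under Node without a browser.
class FakeElement {
    constructor(tagName, attrs) {
        this.tagName = tagName.toUpperCase();
        this.attrs = new Map(Object.entries(attrs));
    }
    getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
    setAttribute(name, value) { this.attrs.set(name, String(value)); }
}

// Assumption from the thread: only media tags may receive a copied src.
const MEDIA_TAGS = new Set(['IMG', 'VIDEO', 'AUDIO']);
// "[identifier]" means: read attribute `identifier` from the same element.
function resolveValue(elem, value) {
    const match = /^\[(.+)\]$/.exec(value);
    if (match === null) { return value; }      // literal value, used as-is
    return elem.getAttribute(match[1]);         // null when the source attribute is absent
}

function isSafeSrc(elem, value, baseURL) {
    if (MEDIA_TAGS.has(elem.tagName) === false) { return false; }
    try {
        const url = new URL(value, baseURL);    // resolves relative paths against the page
        return url.protocol === 'https:' || url.protocol === 'http:';
    } catch {
        return false;                           // not parseable as a URL
    }
}
// Returns the number of elements actually modified.
function setAttr(elems, attr, value, baseURL) {
    let count = 0;
    for (const elem of elems) {
        const resolved = resolveValue(elem, value);
        if (resolved === null) { continue; }
        if (attr === 'src' && isSafeSrc(elem, resolved, baseURL) === false) { continue; }
        elem.setAttribute(attr, resolved);
        count += 1;
    }
    return count;
}

// Constructed sample elements, modelled on the lazy-loaded images in the report.
const sample = [
    new FakeElement('img', { class: 'lazy', 'data-sco-src': '/wp-content/a.jpg' }),
    new FakeElement('img', { class: 'lazy' }),
    new FakeElement('img', { class: 'lazy', 'data-sco-src': 'javascript:void(0)' }),
    new FakeElement('script', { class: 'lazy', 'data-sco-src': 'https://example.invalid/x.js' }),
];
const changed = setAttr(sample, 'src', '[data-sco-src]', 'https://rocketnews24.com/');
```

Only the first sample element is modified: the second has no source attribute, the third carries a non-http(s) scheme, and the fourth is not a media tag.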

@MasterKia
Member

@uBlock-user uBlock-user added the fixed issue has been addressed label Jul 9, 2023
@krystian3w

Still many new is undocumented also we shouldn't created pointed list with only 1 position.

@krystian3w

Also this is danger:

correlation:

<link href="foo.css" disabled>

In that method possible disable run css from file at all in Firefox/Chrome by:

foo.bar##+js(set-attr, link, disabled, true)

Maybe better avoid inject attribute disabled on any <link>.

@Yuki2718
Author

Yuki2718 commented Jul 27, 2023

Confirmed

rocketnews24.com,soranews24.com,youpouch.com##+js(nostif, rejectWith)
rocketnews24.com,soranews24.com,youpouch.com##+js(set-attr, .lazy, src, [data-sco-src])
rocketnews24.com,soranews24.com,youpouch.com##div[id$="content"] img.lazy:style(opacity: 1 !important;)
youpouch.com##.post-content img.lazy:style(opacity: 1 !important;)

solve the problem in Private window still not fixed despite reported. ##+js(nostif, rejectWith) or any alternatives I tried has side effect of regression in share buttons which can be mitigated (but not totally fixed) with ##div[id^="post-"]:remove-class(hidden_share). I regard this as negligible and will add the rules. Hm, a problem is they rather break images if set-attr doesn't work (older uBO). Not sure if I should add.

Yuki2718 added a commit to uBlockOrigin/uAssets that referenced this issue Jul 29, 2023