uBlock Origin getting a bit old?

[JustOff]

It's known that both Gecko and Goanna-based browsers suffer from a bug that prevents executing of inline-scripts (scriptlets) inserted by add-ons on sites with a strict content security policy (CSP). To workaround this issue I created an extension called Scriptlet Doctor, which can be particularly useful to overcome this limitation when using blockers like uBlock Origin.

By default, Scriptlet Doctor alters CSP only for a specific list of domains that can be configured. Currently, this list is pre-filled with domains requested by RU AdList admin, therefore it will be helpful primarily for the Russian-speaking audience. Partly for this reason, I have not yet decided whether I will submit it on the Pale Moon Add-ons Site, but keep in mind that it can come in handy in similar situations.

[Moonchild]

It's known that both Gecko and Goanna-based browsers suffer from a bug that prevents executing of inline-scripts (scriptlets) inserted by add-ons on sites with a strict content security policy (CSP).

That isn't a bug! Scriptlets that are injected into pages where this is CSP-prevented is the browser doing exactly what it is supposed to be doing. The page owners use strict CSP policies to prevent script injection to protect from XSS and hey guess what? It's working!
It doesn't matter that the source of the script isn't some 3rd party web resource. XSS is XSS regardless of the source of the script (including, e.g. using devtools to manually paste something in).

So please understand that this isn't a bug and shouldn't be called as such. Of course the extension is fine if you want to solve this by manipulating CSP on a site-by-site basis for your purposes, but understand it doesn't fix something, but rather changes those sites' policies to allow manipulation of content that the website owners want to prevent.

[JustOff]

That isn't a bug! Scriptlets that are injected into pages where this is CSP-prevented is the browser doing exactly what it is supposed to be doing.

I'm afraid you are wrong, the CSP spec is explicit about whether CSP should affect extensions:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].

Moreover, applying CSP to these kinds of features produces a substantial amount of noise in violation reports, significantly reducing their value to developers.

Chrome, for example, excludes the chrome-extension: scheme from CSP checks, and does some work to ensure that extension-driven injections are allowed, regardless of a page’s policy.

[Moonchild]

I'm afraid you're not interpreting it the same way then. The spec is explicit to at all times keep the user in control if they so wish, and not allow page creators to lock down pages.
CSP can't interfere with extensions themselves, but it can (and should!) interfere with modified content resulting from the use of them. Injected page code is not part of the extension, it is part of the page, which CSP is supposed to protect.
It for example won't prevent your extension from changing its policy or modifying page code with disabled safeguards as a result.

[JustOff]

Sorry, but I interpret the spec just like Mozilla and Chromium developers do.

Chrome, for example, excludes the chrome-extension: scheme from CSP checks, and does some work to ensure that extension-driven injections are allowed, regardless of a page’s policy.

And Mozilla acknowledged the issue in bug #1267027 four years ago, although it still remains unresolved.

[Moonchild]

Well if you all think it should be interpreted that way, then that's fine with me -- although I'm not sure off-hand how this could be implemented without breaking CSP security or making the code unnecessarily fragile.

[JustOff]

I'm not sure off-hand how this could be implemented without breaking CSP security or making the code unnecessarily fragile.

Unfortunately, neither do I, and therefore I had to create an add-on, even understanding all the shortcomings of such an approach.

[Moonchild]

I think it's a decent compromise, as long as it remains whitelist-controlled.

[shevy]

Hmmm. I use palemoon and used the old legacy extension for ublock origin
but right now on a fresh installation, I can not find it. I think this may become
a problem over time for more people. In the long run perhaps something
could be done here.

I myself don't know enough Javascript to really help. But in theory it should
be possible to have per-element filters on the level of the palemoon codebase
or? And then perhaps allow people to maintain the filters on their own, with
some way to specify which filter to use. gorhill has no time to maintain the
legacy code and wrote several times on github that people are welcome
to setp up, but he has no time to do so, which I can understand.

[back2themoon]

Hmmm. I use palemoon and used the old legacy extension for ublock origin but right now on a fresh installation, I can not find it.

https://github.com/gorhill/uBlock-for-firefox-legacy

[New Tobin Paradigm]

There.. I added an external set for Pale Moon and Basilisk's Add-ons sites. Do make sure you have the updater extension by JustOff as well.

[JustOff]

I'm pleased to announce that starting from version 1.16.4.17 released today, uBlock Origin for Firefox legacy-based browsers can auto-update itself without any additional tricks. This also means that uBlock Origin Updater is becoming obsolete, and I'm going to make it so that it uninstalls itself on the next update.

[back2themoon]

...and I'm going to make it so that it uninstalls itself on the next update.

Self-destructing extension? So cool. Thanks JustOff.

[nikola_ss]

Thanks JustOff.

[Tomaso]

Thanks again, for all of your work, JustOff!

The Legacy version has still got a few major flaws though, which has been fixed in the Chromium branch a long time ago.
It would probably take a lot of work to get those fixes ported though, so I don't know if it would be realistic to hope for it?

[Marcus]

Thanks JustOff.

[JustOff]

The Legacy version has still got a few major flaws though, which has been fixed in the Chromium branch a long time ago.
It would probably take a lot of work to get those fixes ported though, so I don't know if it would be realistic to hope for it?

I have to say that personally I'm mostly satisfied with how it works now and I don't see any "major flaws" you mentioned. Fortunately, now we have a dedicated repo where you can open and discuss your issues. Please don't get me wrong, I will continue to devote part of my time to this, but recent changes to the project don't mean that I'm going to take any official status, and of course it would be great if more people joined to help.

[Tomaso]

I don't see any "major flaws" you mentioned.

For instance, there are several issues, which causes things to be missing from uBO's logger.
This is a major problem for me, since I report filter issues, almost on a daily basis.
--

recent changes to the project don't mean that I'm going to take any official status

I totally understand, and I personally can't thank you enough for all the things you've done for uBO already! :)

[Nightbird]

@ JustOff


I installed the last version v1.16.4.17
Maybe it would be possible to change 2 links :

Tab About
Change log =>
presently : https://github.com/gorhill/uBlock/releases
=> https://github.com/gorhill/uBlock-for-f ... y/releases

Support =>
presently : https://www.reddit.com/r/uBlockOrigin/
=> https://github.com/gorhill/uBlock-for-f ... acy/issues

Thanks again.

edit : and this one
Source code (GPLv3) =>
presently : https://github.com/gorhill/uBlock
=> https://github.com/gorhill/uBlock-for-firefox-legacy

[coffeebreak]

JustOff, Thank you for your work on this extension.
It is very much appreciated.