uBlock Origin getting a bit old?

General discussion, compatibility and contributed extensions.

Moderators: Lootyhoof, FranklinDM

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2083
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: uBlock Origin getting a bit old?

Post by JustOff » 2020-02-03, 22:53

It's known that both Gecko and Goanna-based browsers suffer from a bug that prevents executing of inline-scripts (scriptlets) inserted by add-ons on sites with a strict content security policy (CSP). To workaround this issue I created an extension called Scriptlet Doctor, which can be particularly useful to overcome this limitation when using blockers like uBlock Origin.

By default, Scriptlet Doctor alters CSP only for a specific list of domains that can be configured. Currently, this list is pre-filled with domains requested by RU AdList admin, therefore it will be helpful primarily for the Russian-speaking audience. Partly for this reason, I have not yet decided whether I will submit it on the Pale Moon Add-ons Site, but keep in mind that it can come in handy in similar situations.
Here are the add-ons I made in a spare time. That was fun!

If you have any questions or problems regarding the migration of my extensions to GitHub, feel free to contact me through a PM.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 29277
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: uBlock Origin getting a bit old?

Post by Moonchild » 2020-02-04, 09:39

JustOff wrote:
2020-02-03, 22:53
It's known that both Gecko and Goanna-based browsers suffer from a bug that prevents executing of inline-scripts (scriptlets) inserted by add-ons on sites with a strict content security policy (CSP).
That isn't a bug! Scriptlets that are injected into pages where this is CSP-prevented is the browser doing exactly what it is supposed to be doing. The page owners use strict CSP policies to prevent script injection to protect from XSS and hey guess what? It's working! :)
It doesn't matter that the source of the script isn't some 3rd party web resource. XSS is XSS regardless of the source of the script (including, e.g. using devtools to manually paste something in).

So please understand that this isn't a bug and shouldn't be called as such. Of course the extension is fine if you want to solve this by manipulating CSP on a site-by-site basis for your purposes, but understand it doesn't fix something, but rather changes those sites' policies to allow manipulation of content that the website owners want to prevent.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2083
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: uBlock Origin getting a bit old?

Post by JustOff » 2020-02-04, 10:00

Moonchild wrote:
2020-02-04, 09:39
That isn't a bug! Scriptlets that are injected into pages where this is CSP-prevented is the browser doing exactly what it is supposed to be doing.
I'm afraid you are wrong, the CSP spec is explicit about whether CSP should affect extensions:
Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].

Moreover, applying CSP to these kinds of features produces a substantial amount of noise in violation reports, significantly reducing their value to developers.

Chrome, for example, excludes the chrome-extension: scheme from CSP checks, and does some work to ensure that extension-driven injections are allowed, regardless of a page’s policy.
Here are the add-ons I made in a spare time. That was fun!

If you have any questions or problems regarding the migration of my extensions to GitHub, feel free to contact me through a PM.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 29277
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: uBlock Origin getting a bit old?

Post by Moonchild » 2020-02-04, 10:58

I'm afraid you're not interpreting it the same way then. The spec is explicit to at all times keep the user in control if they so wish, and not allow page creators to lock down pages.
CSP can't interfere with extensions themselves, but it can (and should!) interfere with modified content resulting from the use of them. Injected page code is not part of the extension, it is part of the page, which CSP is supposed to protect.
It for example won't prevent your extension from changing its policy or modifying page code with disabled safeguards as a result.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2083
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: uBlock Origin getting a bit old?

Post by JustOff » 2020-02-04, 11:18

Sorry, but I interpret the spec just like Mozilla and Chromium developers do.
Chrome, for example, excludes the chrome-extension: scheme from CSP checks, and does some work to ensure that extension-driven injections are allowed, regardless of a page’s policy.
And Mozilla acknowledged the issue in bug #1267027 four years ago, although it still remains unresolved.
Here are the add-ons I made in a spare time. That was fun!

If you have any questions or problems regarding the migration of my extensions to GitHub, feel free to contact me through a PM.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 29277
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: uBlock Origin getting a bit old?

Post by Moonchild » 2020-02-04, 12:05

Well if you all think it should be interpreted that way, then that's fine with me -- although I'm not sure off-hand how this could be implemented without breaking CSP security or making the code unnecessarily fragile.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2083
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: uBlock Origin getting a bit old?

Post by JustOff » 2020-02-04, 12:50

Moonchild wrote:
2020-02-04, 12:05
I'm not sure off-hand how this could be implemented without breaking CSP security or making the code unnecessarily fragile.
Unfortunately, neither do I, and therefore I had to create an add-on, even understanding all the shortcomings of such an approach.
Here are the add-ons I made in a spare time. That was fun!

If you have any questions or problems regarding the migration of my extensions to GitHub, feel free to contact me through a PM.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 29277
Joined: 2011-08-28, 17:27
Location: Tranås, SE
Contact:

Re: uBlock Origin getting a bit old?

Post by Moonchild » 2020-02-04, 14:19

I think it's a decent compromise, as long as it remains whitelist-controlled.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
Image

User avatar
shevy
Hobby Astronomer
Hobby Astronomer
Posts: 17
Joined: 2019-04-22, 01:05

Re: uBlock Origin getting a bit old?

Post by shevy » 2020-02-06, 18:32

Hmmm. I use palemoon and used the old legacy extension for ublock origin
but right now on a fresh installation, I can not find it. I think this may become
a problem over time for more people. In the long run perhaps something
could be done here.

I myself don't know enough Javascript to really help. But in theory it should
be possible to have per-element filters on the level of the palemoon codebase
or? And then perhaps allow people to maintain the filters on their own, with
some way to specify which filter to use. gorhill has no time to maintain the
legacy code and wrote several times on github that people are welcome
to setp up, but he has no time to do so, which I can understand.

User avatar
back2themoon
Board Warrior
Board Warrior
Posts: 1865
Joined: 2012-08-19, 20:32

Re: uBlock Origin getting a bit old?

Post by back2themoon » 2020-02-06, 18:39

shevy wrote:
2020-02-06, 18:32
Hmmm. I use palemoon and used the old legacy extension for ublock origin but right now on a fresh installation, I can not find it.
https://github.com/gorhill/uBlock-for-firefox-legacy

User avatar
New Tobin Paradigm
Knows the dark side
Knows the dark side
Posts: 8927
Joined: 2012-10-09, 19:37
Location: Seriphia Galaxy

Re: uBlock Origin getting a bit old?

Post by New Tobin Paradigm » 2020-02-07, 01:24

There.. I added an external set for Pale Moon and Basilisk's Add-ons sites. Do make sure you have the updater extension by JustOff as well.
How far are you prepared to go? How much are you prepared to risk? How many people are you prepared to sacrifice for victory?
Are you willing to die friendless, alone, deserted by everyone? Because that's what may be required of you in the war that is to come.

Image

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2083
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: uBlock Origin getting a bit old?

Post by JustOff » 2020-02-10, 16:47

I'm pleased to announce that starting from version 1.16.4.17 released today, uBlock Origin for Firefox legacy-based browsers can auto-update itself without any additional tricks. This also means that uBlock Origin Updater is becoming obsolete, and I'm going to make it so that it uninstalls itself on the next update.
Here are the add-ons I made in a spare time. That was fun!

If you have any questions or problems regarding the migration of my extensions to GitHub, feel free to contact me through a PM.

User avatar
back2themoon
Board Warrior
Board Warrior
Posts: 1865
Joined: 2012-08-19, 20:32

Re: uBlock Origin getting a bit old?

Post by back2themoon » 2020-02-10, 16:51

JustOff wrote:
2020-02-10, 16:47
...and I'm going to make it so that it uninstalls itself on the next update.
Self-destructing extension? So cool. Thanks JustOff.

nikola_ss
Newbie
Newbie
Posts: 6
Joined: 2016-11-26, 04:43

Re: uBlock Origin getting a bit old?

Post by nikola_ss » 2020-02-10, 17:28

Thanks JustOff.

User avatar
Tomaso
Board Warrior
Board Warrior
Posts: 1565
Joined: 2015-07-23, 16:09
Location: Norway

Re: uBlock Origin getting a bit old?

Post by Tomaso » 2020-02-10, 17:56

Thanks again, for all of your work, JustOff! :thumbup:

The Legacy version has still got a few major flaws though, which has been fixed in the Chromium branch a long time ago.
It would probably take a lot of work to get those fixes ported though, so I don't know if it would be realistic to hope for it?

User avatar
Marcus
Fanatic
Fanatic
Posts: 132
Joined: 2016-09-23, 11:58

Re: uBlock Origin getting a bit old?

Post by Marcus » 2020-02-10, 18:28

Thanks JustOff.

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2083
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: uBlock Origin getting a bit old?

Post by JustOff » 2020-02-10, 20:11

Tomaso wrote:
2020-02-10, 17:56
The Legacy version has still got a few major flaws though, which has been fixed in the Chromium branch a long time ago.
It would probably take a lot of work to get those fixes ported though, so I don't know if it would be realistic to hope for it?
I have to say that personally I'm mostly satisfied with how it works now and I don't see any "major flaws" you mentioned. Fortunately, now we have a dedicated repo where you can open and discuss your issues. Please don't get me wrong, I will continue to devote part of my time to this, but recent changes to the project don't mean that I'm going to take any official status, and of course it would be great if more people joined to help.
Here are the add-ons I made in a spare time. That was fun!

If you have any questions or problems regarding the migration of my extensions to GitHub, feel free to contact me through a PM.

User avatar
Tomaso
Board Warrior
Board Warrior
Posts: 1565
Joined: 2015-07-23, 16:09
Location: Norway

Re: uBlock Origin getting a bit old?

Post by Tomaso » 2020-02-10, 21:22

JustOff wrote:
2020-02-10, 20:11
I don't see any "major flaws" you mentioned.
For instance, there are several issues, which causes things to be missing from uBO's logger.
This is a major problem for me, since I report filter issues, almost on a daily basis.
--
JustOff wrote:
2020-02-10, 20:11
recent changes to the project don't mean that I'm going to take any official status
I totally understand, and I personally can't thank you enough for all the things you've done for uBO already! :)

Nightbird
Lunatic
Lunatic
Posts: 270
Joined: 2016-07-18, 21:12

Re: uBlock Origin getting a bit old?

Post by Nightbird » 2020-02-10, 22:03

@ JustOff
:thumbup:

I installed the last version v1.16.4.17
Maybe it would be possible to change 2 links :

Tab About
Change log =>
presently : https://github.com/gorhill/uBlock/releases
=> https://github.com/gorhill/uBlock-for-f ... y/releases

Support =>
presently : https://www.reddit.com/r/uBlockOrigin/
=> https://github.com/gorhill/uBlock-for-f ... acy/issues

Thanks again. :)

edit : and this one
Source code (GPLv3) =>
presently : https://github.com/gorhill/uBlock
=> https://github.com/gorhill/uBlock-for-firefox-legacy
Diversity is key.

Those who forget the past are doomed to repeat it.

coffeebreak
Moon Magic practitioner
Moon Magic practitioner
Posts: 2603
Joined: 2015-09-26, 04:51
Location: U.S.

Re: uBlock Origin getting a bit old?

Post by coffeebreak » 2020-02-11, 00:03

JustOff, Thank you for your work on this extension.
It is very much appreciated.

Locked