
Airbnb: The Map isn't loading #1411

Closed
KommX opened this issue Jun 5, 2017 · 10 comments
Labels
broken site important surrogates Replacement blank/noop/dummy/neutered versions of tracking scripts used to avoid site breakages
Comments

@KommX

KommX commented Jun 5, 2017

When you look for rooms on Airbnb, PB is blocking the overview on the right-hand side.
I think the problem is that bat.bing.com is blocked.

@wbolster

wbolster commented Jun 18, 2017

I just ran into the same issue. I can confirm that allowing bat.bing.com makes the map (which is Google Maps, not Bing Maps, which may be confusing) work again.

@cowlicks
Contributor

Yeah, looks like bat.bing.com is setting a tracking cookie.
[screenshot: airbnb-bing-cookies]

@ghostwords
Member

bat.bing.com/bat.js seems like a great candidate for a surrogate script (#400), but this case is tricky as airbnb.com has a conflicting Content Security Policy:

Refused to load the script 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJd2luZG93LlVFVCA9IHt9Owp9KCkpOw==' because it violates the following Content Security Policy directive: "script-src 'sha256-0yz+cTJB9dGbTWjsgzyh1CkrT+e9plrZ4Ae9pWw5eGM=' 'sha256-rfTud2kTm0UjtJ6PqxcrkglfrUD4H8WCcS9mCs6PJ5s=' 'self' https: 'unsafe-eval' 'unsafe-inline' http:".

Should scripts returned via chrome.webRequest redirection be bound by page CSP directives in the first place?

@ghostwords
Member

We should probably yellowlist bat.bing.com as a stopgap.

@ghostwords
Member

ghostwords commented Jun 21, 2017

We could also solve this by abusing the multi-domain third-parties (MDFPs) list and adding ['bing.com', 'airbnb.com'] to it.

The advantage of this would be to minimize your exposure to bing.com; yellowlisting still loads domain resources and allows for tracking that yellowlisting doesn't protect against (pixel tracking for example, which I think bat.bing.com does). Better to allow tracking only across one site than across all sites on the Web.

Practically speaking, does yellowlisting protect against bat.bing.com's tracking? Should see whether we can find any tracking identifiers (in their GETs/POSTs) that persist before and after yellowlisting.

Are there downsides to redefining MDFPs to include site-specific exceptions, not just domains belonging to the same entity? The name would no longer be accurate for one ... Would allow airbnb.com resources on bing.com domains, which we don't intend. Could do it, note the limitations, and plan to replace with a better site-specific exceptions system in the future.

@cowlicks
Contributor

@ghostwords While what you are suggesting would work, I think it would be better done outside of the MDFP system.

Currently PB has no way to add sets of rules for a third-party tracker on a specific origin, i.e. bat.bing.com on airbnb.com. I think there is a case to be made against developing such a system since it is done much better by things like uBlock Origin.

I'm looking into adding a surrogate for this case; however, airbnb has a CSP that prevents script tags from using data URIs. uBlock Origin modifies pages' CSP to allow this. But we don't do this, nor do I think we should, because this could open up some XSS issues.

@ghostwords
Member

Yes, I noted the CSP conflict above. Which CSP directive are we violating exactly though? Is there a safe way to add our script(s) to the site's CSP? (Does uBlock do it in a safe way?)

@cowlicks
Contributor

Actually, from what I can tell, uBlock doesn't modify the CSP to allow injecting the surrogate with data URI.

It violates 'script-src'; we'd have to add data: as a scheme source, or whitelist the script we are surrogating with a nonce or hash. But there are problems with this approach.

I'm looking into a few ways to do this properly.
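The CSP conflict raised in this thread (the refused data: script in the quoted error, and the suggestion to add data: as a scheme source or whitelist the surrogate with a nonce or hash) worked through as an added Python example. This is not Privacy Badger's or uBlock Origin's code; it is a simplified CSP source-list matcher, assuming CSP Level 2 semantics and an assumed page origin of https://www.airbnb.com, run against the script-src directive and the base64 surrogate quoted above.

```python
import base64
import hashlib
from urllib.parse import urlparse, unquote

# The script-src directive quoted in this issue (airbnb.com's policy at the time).
AIRBNB_SCRIPT_SRC = (
    "script-src 'sha256-0yz+cTJB9dGbTWjsgzyh1CkrT+e9plrZ4Ae9pWw5eGM=' "
    "'sha256-rfTud2kTm0UjtJ6PqxcrkglfrUD4H8WCcS9mCs6PJ5s=' "
    "'self' https: 'unsafe-eval' 'unsafe-inline' http:"
)

# The surrogate data: URL that the browser refused, quoted from the issue.
SURROGATE_DATA_URL = ("data:application/javascript;base64,"
                      "KGZ1bmN0aW9uKCkgewoJd2luZG93LlVFVCA9IHt9Owp9KCkpOw==")

# Assumed page origin for the 'self' check (not stated in the issue).
PAGE_ORIGIN = "https://www.airbnb.com"


def parse_directive(directive):
    """Split "script-src a b c" into ("script-src", ["a", "b", "c"])."""
    parts = directive.strip().rstrip(";").split()
    return parts[0], parts[1:]


def decode_data_url(url):
    """Return the script body carried by a data: URL (base64 or percent-encoded)."""
    header, _, payload = url.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8")
    return unquote(payload)


def hash_source(script_body, algorithm="sha256"):
    """Build the CSP hash-source expression ('sha256-<base64 digest>') for a script body."""
    digest = hashlib.new(algorithm, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))


def _host_matches(pattern_host, host):
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])  # '*.example.com' matches sub.example.com
    return host == pattern_host


def allows_script_url(sources, url, page_origin):
    """Simplified source-list matching for a fetched (non-inline) script URL.

    Only 'self', scheme-sources (https:, data:) and host-sources can permit a URL
    load; 'unsafe-inline', nonces and hashes never match a URL. data:, blob: and
    filesystem: must be listed explicitly, '*' and host-sources do not cover them.
    """
    target = urlparse(url)
    page = urlparse(page_origin)
    for src in sources:
        if src == "'self'":
            if (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port):
                return True
        elif src.endswith(":") and "/" not in src:
            # scheme-source: 'https:' matches https; 'http:' also matches https (upgrade allowed)
            scheme = src[:-1]
            if target.scheme == scheme or (scheme == "http" and target.scheme == "https"):
                return True
        elif src.startswith("'"):
            continue  # keyword, nonce or hash: irrelevant for URL loads
        elif target.scheme in ("data", "blob", "filesystem"):
            continue  # '*' and host-sources never match these schemes
        elif src == "*":
            return True
        else:
            # host-source, optionally with a scheme: https://cdn.example.com or *.example.com
            pattern = urlparse(src if "://" in src else "//" + src)
            if pattern.scheme and pattern.scheme != target.scheme:
                continue
            if _host_matches(pattern.hostname or "", target.hostname or ""):
                return True
    return False


def allows_inline_script(sources, script_body, nonce=None):
    """Simplified check for an inline script body under a script-src list.

    If any nonce- or hash-source is present, 'unsafe-inline' is ignored (CSP Level 2)
    and the script must match a listed nonce or hash.
    """
    strict = [s for s in sources if s.startswith("'nonce-") or s.startswith("'sha")]
    if not strict:
        return "'unsafe-inline'" in sources
    if nonce is not None and "'nonce-%s'" % nonce in sources:
        return True
    return any(hash_source(script_body, alg) in sources for alg in ("sha256", "sha384", "sha512"))


if __name__ == "__main__":
    _, sources = parse_directive(AIRBNB_SCRIPT_SRC)
    print("surrogate data: URL allowed:", allows_script_url(sources, SURROGATE_DATA_URL, PAGE_ORIGIN))
    print("bat.js URL allowed:", allows_script_url(sources, "https://bat.bing.com/bat.js", PAGE_ORIGIN))
    print("hash-source for surrogate:", hash_source(decode_data_url(SURROGATE_DATA_URL)))
```

Running it shows why the surrogate was refused while the real bat.js was not: the directive's `https:` scheme-source covers any HTTPS host, including bat.bing.com, but nothing in it covers `data:`. A hash-source computed with `hash_source` would only help for an inline script (or, in CSP Level 3, an external script carrying a matching integrity attribute), and because the page already lists hashes, its `'unsafe-inline'` is ignored by CSP Level 2 browsers, which is the same reason an extension cannot quietly rely on that keyword either.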

@cowlicks
Contributor

Things are not looking good on the Chrome bug tracker: https://bugs.chromium.org/p/chromium/issues/detail?id=749236#c5

I'm going to add a surrogate and put it in its own file, like they suggest. However this is a bad suggestion.

@cowlicks
Contributor

Blocking bat.bing.com/bat.js no longer breaks Airbnb for me. Please reopen this issue if you find this to be incorrect. I'll make a separate issue for making a surrogate for bat.js.
