null/ shows in shields for origin after disabling all origins #1901

Closed
bsclifton opened this issue Oct 30, 2018 · 7 comments
Labels
bug closed/duplicate Issue has already been reported feature/shields The overall Shields feature in Brave. needs-investigation A bug not 100% confirmed/fixed priority/P3 The next thing for us to work on. It'll ride the trains. security

Comments

@bsclifton
Member

Discovered when reviewing brave/brave-extension#78

Steps to reproduce

  1. Visit vox.com
  2. Use shields to block script. Page refreshes
  3. Open shields, scroll down to Toggle switches to disable script blocking
  4. Toggle all the entries and hit Apply
  5. A mysterious null/ entry shows up

screen shot 2018-10-29 at 9 50 45 pm

Version information

Version 0.57.3 Chromium: 70.0.3538.67 (Official Build) dev (64-bit)
(macOS 10.13.6)

@bsclifton bsclifton added the feature/shields The overall Shields feature in Brave. label Oct 30, 2018
@bsclifton bsclifton changed the title Null shows in shields for origin null/ shows in shields for origin after disabling all origins Oct 30, 2018
@diracdeltas diracdeltas added security priority/P3 The next thing for us to work on. It'll ride the trains. labels Oct 30, 2018
@bbondy bbondy added this to the 1.x Backlog milestone Oct 30, 2018
@tildelowengrimm tildelowengrimm added needs-investigation A bug not 100% confirmed/fixed bug priority/P2 A bad problem. We might uplift this to the next planned release. and removed priority/P3 The next thing for us to work on. It'll ride the trains. labels Oct 31, 2018
@diracdeltas
Member

as mentioned in brave/brave-extension#78 (comment), the null origin is not allowable no matter how many times one seems to click the 'allow' button.

@simonhong
Member

simonhong commented Dec 31, 2018

More findings

  • There is no /null entry after applying once when ads and trackers is set to allowed
  • If one of the blocked scripts is enabled and applied once, a /null entry is visible in the blocked scripts list (ads and trackers is set to blocked).

Suspected log (not sure for now)

  • When toggling scripts on the shields panel, I saw the log below, which includes "origin 'null' has been blocked by CORS policy".
    • [60182:775:1231/200057.224401:INFO:CONSOLE(0)] "Access to script at 'data:text/plain,' (redirected from 'https://cdn.vox-cdn.com/packs/concert_ads-38fe20caec9bb2f7937e.js') from origin 'null' has been blocked by CORS policy: The response is invalid.", source: https://www.vox.com/ (0)

On https://www.vox.com, many scripts (not all) from https://cdn.vox-cdn.com/ cause a /null entry in the blocked script list.

E.g., there are two different results depending on the ads and trackers blocking condition when allowing https://cdn.vox-cdn.com/ once.

  • The two scripts below are loaded when ads and trackers are enabled.
    • https://cdn.vox-cdn.com/packs/concert_ads-38fe20caec9bb2f7937e.js
    • https://cdn.vox-cdn.com/packs/chorus-74016cc9ceb291c43eef.js
  • When ads and trackers are blocked, only https://cdn.vox-cdn.com/packs/chorus-74016cc9ceb291c43eef.js is loaded and https://cdn.vox-cdn.com/packs/concert_ads-38fe20caec9bb2f7937e.js is blocked. Instead, /null is added to the blocked list.
  • I suspect that some scripts blocked by ads and trackers are added as /null entry in blocked script list.

IMO, scripts blocked by ads and trackers would be in the ads and trackers blocked list instead of the blocked script list.
It seems scripts that are blocked by ads and trackers are listed in the ads and trackers blocked list and a /null entry is also added in the blocked scripts list.

@simonhong
Member

simonhong commented Jan 2, 2019

I think we can just hide /null in the blocked script list because it is blocked by ads and trackers.
WDYT? @diracdeltas

@diracdeltas
Member

@simonhong : why would null always be blocked by ads and trackers? IIRC @yrliou mentioned it could be caused by data:application/javascript;... js sources, which are not necessarily blocked by adblocking/tp to my knowledge.

I also occasionally encounter pages that are broken with script blocking enabled which show null in the blocked scripts list and don't work if i allow all-scripts-except-null, only working if i allow all scripts by turning off script blocking. This seems potentially related
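
An added example, not part of the original thread and not Brave's code: how a blocked-scripts list keyed by URL origin ends up with a `null/` row when a script source is a `data:` URL (as in the CORS log and the `data:application/javascript` sources mentioned above), and one way to keep such entries separate. The function names and the base64 sample are assumptions.

```javascript
// Added illustration; not Brave's code. Function names are hypothetical.

// Sample blocked-script URLs (constructed from the URLs quoted in this thread).
const blockedScripts = [
  'https://cdn.vox-cdn.com/packs/chorus-74016cc9ceb291c43eef.js',
  'https://cdn.vox-cdn.com/packs/concert_ads-38fe20caec9bb2f7937e.js',
  'data:text/plain,',                        // redirect target seen in the log
  'data:application/javascript;base64,Ly8='  // constructed inline script source
];

// Naive grouping: key every entry by URL origin plus a trailing slash.
// data: URLs have an opaque origin, which serializes to the string "null".
function naiveOriginList(urls) {
  return [...new Set(urls.map((u) => new URL(u).origin + '/'))];
}

// Grouping that keeps opaque-origin entries apart from real origins, so the
// list never offers an allow toggle keyed on the placeholder string "null".
function groupByOrigin(urls) {
  const origins = new Map();
  const opaque = [];
  for (const u of urls) {
    let parsed;
    try { parsed = new URL(u); } catch { opaque.push(u); continue; }
    if (parsed.origin === 'null') {
      opaque.push(u);
    } else {
      const key = parsed.origin + '/';
      origins.set(key, [...(origins.get(key) || []), u]);
    }
  }
  return { origins, opaque };
}

// Two opaque origins are never same-origin with each other, even though both
// serialize to "null", so an origin allowlist must not match on that string.
function isAllowed(url, allowedOrigins) {
  const origin = new URL(url).origin;
  return origin !== 'null' && allowedOrigins.includes(origin + '/');
}

console.log(naiveOriginList(blockedScripts));
console.log(groupByOrigin(blockedScripts));
```
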

@simonhong
Member

simonhong commented Jan 3, 2019

@diracdeltas I think /null is the result of blocking ads and trackers.
Let me explain why I'm thinking like that.

After loading vox.com with all scripts blocked (and ads and trackers blocked is on), I enabled https://cdn.vox-cdn.com/ in the blocked list.

Below is the JS network capture.
As you can see, chorus-74016cc9ceb291c43eef.js is enabled but concert_ads-38fe20caec9bb2f7937e.js failed to load and /null is added in the blocked scripts list.
screen shot 2019-01-03 at 9 46 53 am

Instead it is added to the blocked list of ads and trackers like below.
screen shot 2019-01-03 at 9 50 21 am

On the other hand, two scripts are enabled when ads and trackers are disabled.
Of course, there is no /null entry in the blocked scripts list.
screen shot 2019-01-03 at 9 58 25 am

So, I guess /null is the result of blocking ads and trackers.

@diracdeltas
Member

@simonhong interesting; here is why i think null/ might not be ads

  1. go to https://www.vox.com/the-goods/2019/1/3/18167072/apple-iphone-sales-down-china-upgrades-q1-2018 and notice at the bottom of the page that some images are not fully loaded when scripts are blocked
  2. open shields, open scripts menu, allow all checked scripts
  3. notice that it says 'null' is still blocked and images still don't show up if you try to allow 'null'.

screen shot 2019-01-03 at 1 46 52 pm

  4. now go to shields and change 'scripts blocked' to 'all scripts allowed'. notice that the images show up:

screen shot 2019-01-03 at 1 47 41 pm

The expected behavior is that if images show up in step 4, they should also show up in step 3 (because the result of allowing all checked scripts should be the same as turning off script blocking).

@tildelowengrimm tildelowengrimm added priority/P3 The next thing for us to work on. It'll ride the trains. and removed priority/P2 A bad problem. We might uplift this to the next planned release. labels Feb 5, 2019
@rebron rebron removed this from the 1.x Backlog milestone Feb 7, 2019
@bsclifton
Member Author

Closing in favor of #5346

Starting with 0.68.x, it no longer shows as null. Instead, it shows and cannot be un-blocked

@bsclifton bsclifton added the closed/duplicate Issue has already been reported label Aug 19, 2019