content-security-policy set by twitter.com causes injected scriptlets to not run

[anvakl]

Prerequisites

• I verified that this is not a filter issue
  • Filter issues MUST be reported at filter issue tracker
• This is not a support issue or a question
  • Support issues and questions are handled at /r/uBlockOrigin
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue
  • Your issue may already be reported.
• I tried to reproduce the issue when...
  • uBlock Origin is the only extension
  • uBlock Origin with default lists/settings
  • using a new, unmodified browser profile
• I am running the latest version of uBlock Origin
• I checked the documentation to understand that the issue I report is not a normal behavior

Description

content security policy set by twitter doesnot allow inline scripts without nonce= attribute to run.

csp set by twitter is

“script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com blob: 'nonce-P+pysraZ1bM1TVgufAjzPw==' https://twitter.com”

I got that from beowser console.

A specific URL where the issue occurs

https://twitter.com/gorhill

Steps to Reproduce

1. Create a rule twitter.com##+js(addEventListener-logger.js)
2. open https://twitter.com/gorhill
3. open browser console to see log.

Expected behavior:

Scriptlet logs all event listeners

Actual behavior:

Get an error saying : Content Security Policy: The page’s settings blocked the loading of a resource at self

Palemoon displays full csp.
Firefox says it is because of script-src

Your environment

Firefox 60 ESR with uBlock1.16.21rc1
Palemoon 28.1 with uBlock-legacy1.16.4.4

Windows 8.1 x64

[uBlock-user]

Browser bug - https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

[joey04]

Question:
Would a workaround be to use a regular content script, like uBO-extra or uBO's subscriber link finder?

[uBlock-user]

Firefox does have a contentScripts API which could be used if it's possible.

[gwarser]

Duplicate of gorhill/uBlock#2823

[gorhill]

Duplicate of gorhill/uBlock#2823

Different, that other one was about redirect to data: URI causing the failure -- and this was fixed by using web-accessible resources. The one here is about inline script tags injected in the DOM.

[gwarser]

Then "see also".

[JustOff]

Since Firefox bug #1267027 is still not fixed, and @gorhill is clearly against uBO lowering CSP rules set by sites, I created a separate add-on called Scriptlet Doctor, which provides such a workaround for both Firefox current and legacy-based browsers.

By default, Scriptlet Doctor modifies CSP only for a specific list of domains that can be configured. Currently, this list is pre-filled with domains requested by RU AdList admin @dimisa-RUAdList.

Hope someone finds it useful.

[MasterKia]

uBlockOrigin/uAssets#14605 (reply in thread):

I need to investigate what can be done with Firefox, there might be a way.

@gorhill Is there a chance to reopen this issue?

[evilpie]

There is a relatively simple workaround and I am not sure if you have considered doing that @gorhill. The problem is that uBlock uses an actual inline script for injection, but Firefox only bypasses the CSP for <script> loads triggered via an URL.

The following change makes uBlock immune to the page's CSP:

+++ b/src/js/contentscript.js
@@ -468,8 +468,11 @@ vAPI.injectScriptlet = function(doc, text) {
     let script;
     try {
         script = doc.createElement('script');
-        script.appendChild(doc.createTextNode(text));
+        let blob = new Blob([decodeURIComponent(scriptlets)], {type: 'text/javascript'});
+        let url = document.URL.createObjectURL(blob);
+        script.url = url;
         (doc.head || doc.documentElement || doc).appendChild(script);
+        document.URL.revokeObjectURL(url);
     } catch (ex) {
     }
     if ( script ) {

[uBlock-user]

The following change makes uBlock immune to the page's CSP:

Immune to blob: being blocked by page's CSP ?

[evilpie]

Immune to blob: being blocked by page's CSP ?

Sure this works even with Content-Security-Policy: script-src 'none';

Edit: sandbox would probably still be problematic, but that isn't widely used.

[gorhill]

@evilpie Thanks for the suggested fix, seems to work fine in both Firefox and Chromium, will publish a new version with fix as suggested.