Anti-redirect scriptlet for vk.com (href-sanitizer)

[dimisa-RUAdList]

Prerequisites

• I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
• The issue is not present after disabling uBO in the browser.
• I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

• uBO is the only extension.
• using a new, unmodified browser profile.

Description

The site vk.com is one of the most visited Russian sites. All external links on this site are done through a redirect.

There is an idea to create a scriptlet with a name like "anti-redirect" based on this script: https://greasyfork.org/en/scripts/395977-vk-com-del-redir/code

A specific URL where the issue occurs.

https://vk.com/amedia.online

Steps to Reproduce

undefined

Expected behavior

undefined

Actual behavior

undefined

Configuration

uBlock Origin development build 1.47.5b2

[gorhill]

Your request is the equivalent of asking uBO to deal with redirect link, something which I have declined in the past, see #1784.

Clear URLs is the right tool for this.

[dimisa-RUAdList]

The thing is, ClearURLs doesn't solve the problem on this site. The transition is still done via vk.com/away.php.

[gorhill]

If it doesn't work with ClearURLs then maybe it's best to report the issue on their repo?

[dimisa-RUAdList]

Thanks, but I thought it might be possible to solve this problem with uBO. At the moment, almost all such tasks on Russian sites are solved by the Counters filter. However, the current features of uBO do not allow me to do the same for vk.com. Maybe you still look at the script code?

[gorhill]

I prefer to decline, as explained in these similar requests:

• [Enhancement] Add option to *automatically* visit embedded URLs w/o tracker #1784
• Rewrite URL from Qwant search engine to avoid it knowing which results are clicked gorhill/uBlock#3276
• [Request] Filter URL referers (less tracking = more privacy) uBlock-LLC/uBlock#1009

Adding a scriptlet for this one particular case, beside that vk.com could change at any time (further adding burden here), it opens the door for all such requests in the future. This is best left to a dedicated extension, or even more simply, just a matter of using a user script extension.

[MasterKia]

@dimisa-RUAdList What about using that userscript in the userResourcesLocation of uBO? It needs a bit of modification.
Then you can use a filter like vk.com##+js(anti-redirect) in your Counters list.

[dimisa-RUAdList]

@MasterKia
Thank you, I have not yet given up hope of creating a solution using the default tools of uBO.

@gorhill
I carefully reviewed all the rejected cases, including my own.

I think it is possible to create a solution that will be adequate and useful for many cases, although not for all.

I propose to create a scriptlet to modify the value of the href attribute. Its only function will be to replace the original href value with its text value.

Universal. No complicated and risky redirects, no additions, absolutely transparent, using only what already exists in the original layout.

Example: https://vk.com/amedia.online

Screenshot(s)

Target: href="/away.php?to=https%3A%2F%2Famedia.online%2F&cc_key=" ~> https://amedia.online/

Solution: vk.com##+js(href-to-text, [href^="/away.php?to="])

[MasterKia]

I propose to create a scriptlet to modify the value of the href attribute. Its only function will be to replace the original href value with its text value.

Sounds similar to #2347.

[uBlock-user]

uBO has a built-in url sanitiser deployed when the document request is blocked. So add ||vk.com/away.php^$doc and uBO will sanitise the URL and offer a clean URL on the document blocked page for the users to navigate directly.

[dimisa-RUAdList]

@uBlock-user
Thank you, but no. If I add such a rule to the filters, it will only be a terrible irritant. This is not a solution. This is some kind of sophisticated way to motivate users to remove uBO.

For now, I'd rather wait for a response from Gorhill.

[uBlock-user]

This is some kind of sophisticated way to motivate users to remove uBO.

^^^ If that's how you feel about it, but Strict Blocking as a feature has been present in uBO for years and nobody removes uBO because of it, just so you know.

[dimisa-RUAdList]

@uBlock-user
Thanks for the clarification, but I'm aware of how Strict Blocking works.

However, its infrequent triggers are not at all the same as a constant trigger on every external transition on one of the most visited Russian sites.

Do not be offended, but I have no purpose to continue the discussion of the solution you proposed. I'm just waiting for a response from Gorhill.

[gorhill]

I added a href-from-text scriptlet as suggested. I did not need much convincing for this idea because I went through the same idea earlier this week with the t.co debacle -- where I envisioned that it would have been nice if uBO replaced the t.co link with the text shown to user which is the actual URL -- in which case users of uBO would have been unaffected by the debacle.

Having more than one use case for such scriptlet, especially both from high traffic sites, is enough from me to want to try this -- let's just consider it experimental at this point in case there are serious issues with using such scriptlets identified later.

So for your use case, this filter works:

vk.com##+js(href-from-text, a[href^="/away.php?to="])

For Twitter, this works:

twitter.com##+js(href-from-text, a[href^="https://t.co/"])

[MasterKia]

To fix YouTube tracking user clicks of the video description links, I tried:

youtube.com##+js(href-from-text, a[href^="https://www.youtube.com/redirect?"])

It works; but when I click on the description link, YouTube opens the previous link with the help of a click event listener.

Example:
https://www.youtube.com/watch?v=pAZWv8QQ8Co

---

Added to wiki: https://github.com/uBlockOrigin/uBlock-issues/wiki/Resources-Library#href-from-textjs-

[gorhill]

That case is Youtube warning that you are leaving the site, so it's not done silently, and because of this I would rather that we do not bypass these warnings.

[MasterKia]

@gorhill That warning only appears if the tracking parameters are removed, something which the AdGuard URL Tracking list declined to address.

So if you visit:
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbG5ERk9rZVkwbzZFV1ZqekFrMEpYVVlzZFNyQXxBQ3Jtc0tucjFxYS1zT3cyczlVWWVzTW5qV1ZmaHFZaHFiLUpFUlpQSV8zNS0yaVdKczRXdlc0Nl82OU9VUlN1bjFvNDl6SElKQk9TdDBDT25ITVRhTnpzcy1JZ3lYVDdKWVBYcGhRSWpWblMtWkM3aXFoSUtIUQ&q=https%3A%2F%2Fwww.paypal.me%2Fpaysyfr&v=pAZWv8QQ8Co

It will silently redirect you to https://www.paypal.me/paysyfr and also tracks your click, no warning is given.

But if you add these to remove the tracking parameters:

||youtube.com/redirect?$removeparam=event
||youtube.com/redirect?$removeparam=redir_token
||youtube.com/redirect?$removeparam=v

Then it will give you a warning when you visit the link.

Anyway, I don't think it's something that can be addressed easily (other than messing with that click event listener?).

[gorhill]

Oh ok, I didn't realize this. Not sure if the issue with the event handler can be fixed, this will need some research.

[dimisa-RUAdList]

@gorhill
I have found that in some cases, the link given in the text is shortened, and then the rule creates an invalid link.

The full link is contained in the title attribute.

Example: https://vk.com/amedia.online

Screenshot(s)

It looks like the scriptlet should be more flexible to be able to specify where exactly the link should come from.

Then the rules will be something like this:
vk.com##+js(href-from-text, a[href^="/away.php?to="]:not([title]), text)
vk.com##+js(href-from-text, a[href^="/away.php?to="][title], [title])

[gorhill]

Change in next dev build, however I renamed href-from-text to href-sanitizer. You can leave out the second argument to extract from text content (default).

[dimisa-RUAdList]

@gorhill
Yes, everything is great now! The vast majority of links have become direct.

[dimisa-RUAdList]

@gorhill
Sometimes a direct link is contained in an attribute on a child element.

Example: https://vk.com/vokrugsveta_vk

Screenshot(s)

Requires the ability to point to it: vk.com##+js(href-sanitizer, a[class="media_link__media"][href^="/away.php?to="], a[class="media_link__media"] > [data-link-url])

[gorhill]

Just because is missing https:// ?

Yes that's the issue (if you use ?link extra parameter). There is not way for the scriptlet to figure out whether what follows ?link= is a relative or absolute URL. To handle such case we would need a trusted scriptlet with more power.

[dimisa-RUAdList]

How to remove such a redirect? ~> https://yap.ru/forum2/topic2625123.html

Screenshot(s)

[uBlock-user]

How to remove such a redirect? ~> https://yap.ru/forum2/topic2625123.html

There's no query param to extract url from. Need to modify the scriptlet to handle such cases.

[Yuki2718]

Is it possible to add an argument to reverse the current behavior for ? and also support # i.e. instead of using text after ?, cut down text after specific symbol and use the rest of href? This will solve DandelionSprout/adfilt#163 (reply in thread) where links in "More from WIRED" are like https://www.wired.com/story/tech-layoffs-2024-amazon-google-discord-twitch/#intcid=_wired-bottom-recirc-version3_dd2b801a-5abd-47bf-b8d8-f12a1b71d254_roberta-similarity1. Or does it require totally differnt solution other than uritransform? I think uritransform is overkill for this.

[stephenhawk8054]

About twitter t.co redirect, can anyone test if this filter works?

twitter.com,~platform.twitter.com##+js(trusted-replace-xhr-response, '/,"expanded_url":"([^"]+)","url":"[^"]+"/g', ',"expanded_url":"$1","url":"$1"', /api/graphql)

[Yuki2718]

It's working.

[stephenhawk8054]

Ok, I'll test it with dev build first

[D4niloMR]

On my end the matching url is https://api.twitter.com/graphql/7xflPyRiUxGVbJd4uWmbfg/TweetResultByRestId?variables=[...]

Screenshot

[Yuki2718]

The rule stopped working.

[stephenhawk8054]

@Yuki2718 Currently I'm testing on just Firefox. Can you check again?

[Yuki2718]

I was wrong, the rule is still working for usual links. It doesn't work only for card links with images like the one in https://twitter.com/imabarizine/status/1784740979209355751.

[stephenhawk8054]

Yeah, the card is quite hard, I don't know how to address it

[stephenhawk8054]

Hmm... From this link: https://help.twitter.com/en/using-x/url-shortener , looks like t.co is also used to check malicious domains, so not sure if we should address this issue or not.

What do you guys think? Or maybe we can move it to annoyance list?

[Yuki2718]

Yeah, maybe safer to move to annoyance.

[gwarser]

Ordinary links cannot be checked for malware?

[stephenhawk8054]

Ordinary links cannot be checked for malware?

Hmm... By which method?

[gwarser]

I think this is just Twitter's excuse to track clicks.

[Yuki2718]

Yeah, I haven't ever warned when clicking bad links for badware. But who knows.

[Yuki2718]

Found an example Twitter/X warns if via t.co: https://x.com/2cheromatome/status/1508499176874815492 Not actually a dangerous link though. I'll move the rule to Annoyances.

[Yuki2718]

Links in threads.net on mobile redirect to l.threads.net when you loaded any pages, but it'll be self-fixed to actual links if you wait a minute so not sure if this should be addressed.

[stephenhawk8054]

I think it's fine to address

[stephenhawk8054]

A report regarding to Brave's debounce feature that's related to facebook's redirect URL l.facebook.com/l.php?u=: https://hackerone.com/reports/1579374

Should we still address twitter's and facebook's redirect URLs in annoyance list?

[gorhill]

server gets the request it check whether the redirect_site is in the list of there malicious(linkshim) list or not

If the URL of a clickable link is malware, why is Facebook allowing these links to be embedded on their site in the first place?