$inline-script does not work (<script src="data:text/javascript;base64,...) #3181

Open
9 tasks done
mtxadmin opened this issue Mar 24, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@mtxadmin

Prerequisites

  • I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
  • This is NOT a YouTube, Facebook or Twitch report. These sites MUST be reported by clicking their respective links.
  • This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
  • The issue is not present after disabling uBO in the browser.
  • I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

  • uBO is the only extension.
  • uBO uses default lists and settings.
  • using a new, unmodified browser profile.

Description

It turns out that the $inline-script construction cannot block inline scripts that are added through <script src="data:text/javascript,[BASE64 script]">

A specific URL where the issue occurs.

https://carservic.ru/ - any URL on it (a Russian site, but it does not matter)

Steps to Reproduce

  1. Add anti-script local rules to uBO:
    carservic.ru$inline-script
    carservic.ru$script
  2. Open any URL on https://carservic.ru/
  3. Select some text on the page
  4. Paste the text from the clipboard into a text editor. It will have an "Источник:[URL]" ("source" in Russian) promo suffix.

Expected behavior

JS scripts from the site are not running and do not interfere with copy-pasting

Actual behavior

Some JS scripts are running and adding "Source:" ad suffixes when the user copies text from the page

uBO version

1.56.0

Browser name and version

Tested on Mozilla and Opera

Operating System and version

Windows

@mtxadmin
Author

Some stackoverflow:
https://stackoverflow.com/questions/55115912/how-does-the-data-attribute-in-the-attribute-src-of-script-tag-work
https://stackoverflow.com/questions/41394983/how-to-defer-inline-javascript (maybe it is defer effects)
https://stackoverflow.com/questions/383405/embed-javascript-as-base64

@mtxadmin mtxadmin changed the title $inline-script does not work (<script src="data:text/javascript,...) $inline-script does not work (<script src="data:text/javascript;base64,...) Mar 24, 2024
@gorhill
Member

gorhill commented Mar 24, 2024

The CSP used for inline-script does not exclude data:, I can't remember why.

Until I make a decision, you can use something like:

||carservic.ru^$csp=script-src 'self' *
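
Added example, not part of the thread or of uBO's code: a simplified CSP `script-src` matcher showing why a source list that contains `data:` still lets a `<script src="data:...">` load, while the `script-src 'self' *` workaround above does not. The page URL, the sample scripts and `POLICY_WITH_DATA` are constructed; the policy string uBO actually injects is not shown on this page.

```javascript
// Simplified CSP script-src matching: no nonces, hashes, ports, paths or
// default-src fallback. PAGE and SAMPLES are constructed for illustration.
const PAGE = 'https://site.example/article';
const SAMPLES = {
  inline: { inline: true },
  dataUrl: { src: 'data:text/javascript;base64,Y29uc29sZS5sb2coMSk=' },
  sameOrigin: { src: '/js/app.js' },
  thirdParty: { src: 'https://cdn.example/lib.js' },
};

function scriptAllowed(policy, pageUrl, script) {
  const directive = policy.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'script-src');
  if (!directive) return true; // this sketch only models script-src
  const sources = directive.slice(1);
  // Inline <script> bodies need 'unsafe-inline' (nonce/hash not modelled).
  if (script.inline) return sources.includes("'unsafe-inline'");
  const page = new URL(pageUrl);
  const url = new URL(script.src, pageUrl);
  return sources.some(src => {
    if (src === "'self'") return url.origin === page.origin;
    if (src.startsWith("'")) return false; // other keywords never match a URL
    // '*' covers HTTP(S) and the page's own scheme, but not data: or blob:.
    if (src === '*') return ['http:', 'https:', page.protocol].includes(url.protocol);
    // Scheme-source such as data: or blob: matches on scheme alone.
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
    // Host-source: optional scheme, then a host with an optional "*." prefix.
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
    if (!m) return false;
    if (m[1] && url.protocol !== m[1].toLowerCase() + ':') return false;
    const host = m[2].toLowerCase();
    return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  });
}

// Evaluate every sample script against one policy.
function evaluate(policy) {
  const out = {};
  for (const [name, script] of Object.entries(SAMPLES)) {
    out[name] = scriptAllowed(policy, PAGE, script);
  }
  return out;
}

const POLICY_WITH_DATA = "script-src 'unsafe-eval' * blob: data:"; // constructed
const WORKAROUND = "script-src 'self' *"; // from the $csp filter in the comment
console.log(evaluate(POLICY_WITH_DATA));
console.log(evaluate(WORKAROUND));
```

Both policies still allow external HTTP(S) scripts, which is why the report pairs the inline rule with a separate `$script` rule.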

@uBlock-user uBlock-user added the bug Something isn't working label Mar 25, 2024
@dimisa-RUAdList

Fix: easylist/ruadlist@b5c8ba8

4 participants