
Scriptlets don't work on websites using Content-Security-Policy (CSP)

Open charlessuh opened this issue 1 year ago • 7 comments

Please answer the following questions for yourself before submitting an issue

  • [X] Filters were updated before reproducing an issue
  • [X] I checked the knowledge base and found no answer
  • [X] I checked to make sure that this issue has not already been filed

AdGuard version

4.5.5

Environment

  • OS: 17.5.1
  • Device: iPhone XS

Ad Blocking

No response

Privacy

No response

Social

No response

Annoyances

No response

Security

No response

Other

No response

Language-specific

No response

Advanced protection for Safari

  • [x] yes, I do

Which DNS server do you use?

DNS protection disabled

DNS protocol

DNS protection disabled

Custom DNS

No response

DNS filtering

  • [ ] yes, I do

Custom DNS filter

No response

DNS implementation

DNS protection disabled

Tunnel mode

DNS protection disabled

Low-level settings

Bootstrap server:
Fallback server:
Blocking mode, etc:

Issue Details

This was (partially) fixed in the Safari repo:

  • https://github.com/AdguardTeam/AdGuardForSafari/issues/917
  • https://github.com/AdguardTeam/AdGuardForSafari/commit/f102b098513a5049a5faac851c52c25102cfee3a

Expected Behavior

No response

Actual Behavior

The following code doesn't work on a website using CSP to restrict inline scripts:

https://github.com/AdguardTeam/AdguardForiOS/blob/25f8f104b1f775f3a2abc2f160db3eb40adffa07/AdguardExtension/SafariWebExtension/extension/src/pages/content/content.ts#L40-L56

Screenshots

No response

Additional Information

No response

charlessuh avatar Jul 05 '24 04:07 charlessuh
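
An added example, not part of the issue thread or of AdGuard's code: a JavaScript check that, given a site's Content-Security-Policy value, reports whether an inline `<script>` element such as an injected scriptlet would be permitted under the CSP Level 3 fallback and 'unsafe-inline' rules. The function names and sample policies are constructed for illustration, and it assumes a single enforced policy (no Report-Only header, no second policy on the same page).

```javascript
// Added example: would an inline <script> (e.g. an injected scriptlet) be
// allowed by this Content-Security-Policy value? CSP Level 3 rules.

// Parse "name src src; name src" into Map(name -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// <script> elements are governed by the first of these that is present.
const FALLBACK = ['script-src-elem', 'script-src', 'default-src'];

function inlineScriptVerdict(header) {
  const policy = parseCsp(header);
  const directive = FALLBACK.find((d) => policy.has(d)) || null;
  if (directive === null) {
    return { allowed: true, directive, reason: 'no directive governs scripts' };
  }
  const sources = policy.get(directive).map((s) => s.toLowerCase());
  if (!sources.includes("'unsafe-inline'")) {
    return { allowed: false, directive, reason: "'unsafe-inline' absent" };
  }
  // A nonce, a hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const strict = sources.some(
    (s) => /^'(nonce|sha256|sha384|sha512)-/.test(s) || s === "'strict-dynamic'");
  return strict
    ? { allowed: false, directive, reason: "'unsafe-inline' ignored" }
    : { allowed: true, directive, reason: "'unsafe-inline' honoured" };
}

// Constructed sample policies, not taken from any site named in the thread.
const SAMPLES = {
  strict: "default-src 'self'; script-src 'self' https://cdn.example",
  nonce: "script-src 'nonce-r4nd0m' 'unsafe-inline'",
  lax: "default-src 'none'; script-src 'self' 'unsafe-inline'",
  imagesOnly: "img-src 'self'",
};
for (const [name, csp] of Object.entries(SAMPLES)) {
  console.log(name, inlineScriptVerdict(csp));
}
```
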

One interesting strategy I noticed Noir is using is to embed a helper script like <script id="noir-helper" class="noir noir-helper" src="safari-web-extension://E0D31760-3AB2-4B4D-B79D-58B41AF2DEFD/dist/noirhelper.js"></script>, which seems to get around CSP.

Maybe you could communicate from the content script <-> page helper script using a custom event or some other mechanism.

charlessuh avatar Jul 05 '24 05:07 charlessuh

@charlessuh Thank you for reporting! Could you please provide examples of problematic websites?

Versty avatar Jul 31 '24 11:07 Versty

@charlessuh Any updates?

Versty avatar Aug 08 '24 10:08 Versty

@charlessuh We have discussed this issue with the development team. We are currently working in this direction and will do our best to improve this behaviour in future versions.

Versty avatar Aug 22 '24 12:08 Versty

@Versty another case https://github.com/AdguardTeam/AdguardFilters/issues/205160.

zloyden avatar May 12 '25 10:05 zloyden

Probably another one - https://github.com/AdguardTeam/AdguardFilters/issues/205614. It looks like we cannot use JS rules on facebook.com because these kinds of rules are blocked by the website's Content Security Policy.

AdamWr avatar May 26 '25 11:05 AdamWr

Another one - https://github.com/AdguardTeam/AdguardFilters/issues/208178.

zloyden avatar Jul 01 '25 11:07 zloyden