"Imperva" Access Denied

Open privacyguy123 opened this issue 2 years ago • 6 comments

Description

Spoofing something on https://www.corsair.com/uk/en/Categories/Products/Storage/USB-Drives/flash-voyager-gtx-3-1-config/p/CMFVYGTX3C-128GB (an example result from Google) provides this Access Denied screen - whittled it down to CanvasBlocker causing it.

Expected Behavior

Access to the site as normal - works with corsair.com whitelisted or CanvasBlocker completely disabled.

Current Behavior

image

Possible Solution

No idea

Steps to Reproduce (for bugs)

  1. Browse https://www.corsair.com/uk/en/Categories/Products/Storage/USB-Drives/flash-voyager-gtx-3-1-config/p/CMFVYGTX3C-128GB (directly from a Google search) and get hit with an Access Denied

Context

This could potentially affect many other sites using "Imperva".

Your Environment

  • CanvasBlocker Version used: 1.8
  • Firefox version incl. 32- or 64-bit: 64bit
  • Operating System and version (desktop or mobile): Windows 10 LTSC 2021
  • Installed addons: CanvasBlocker, uBlock Origin, Dark Reader, I Don't Care About Cookies - yes, I have tried with these other ones off

Your Settings

{
	"logLevel": 1,
	"urlSettings": [
		{
			"url": "mail.google.com",
			"protectDOMRect": false
		},
		{
			"url": "onedrive.live.com",
			"protectDOMRect": false
		},
		{
			"url": "paypal.com",
			"protectWindow": false
		}
	],
	"hiddenSettings": {},
	"expandStatus": {
		"protectNavigator": false,
		"allowWindowNameInFrames": false,
		"protectWindow": false,
		"fakeMinimalScreenSize": false
	},
	"displayHiddenSettings": true,
	"whiteList": "",
	"sessionWhiteList": "",
	"blackList": "",
	"blockMode": "fake",
	"protectedCanvasPart": "input",
	"minFakeSize": 10,
	"maxFakeSize": 1000000,
	"rng": "persistent",
	"protectedAPIFeatures": {},
	"useCanvasCache": true,
	"ignoreFrequentColors": 3,
	"minColors": 3,
	"fakeAlphaChannel": false,
	"webGLVendor": "{random vendor}",
	"webGLRenderer": "{random renderer}",
	"webGLUnmaskedVendor": "{random vendor}",
	"webGLUnmaskedRenderer": "{random renderer}",
	"persistentRndStorage": "{\"www.corsair.com\":[146,66,128,107,176,160,67,23,26,156,171,226,28,144,213,119,43,178,93,218,115,43,33,43,46,110,27,230,8,10,1,148,162,44,93,25,216,77,54,227,238,125,92,147,30,125,215,163,236,68,64,21,190,148,254,65,73,76,240,91,136,215,34,249,216,239,254,182,177,170,128,151,178,163,72,128,3,71,216,188,113,45,241,122,114,22,93,162,154,235,251,198,32,168,175,27,136,124,18,60,236,127,221,71,188,172,118,80,223,126,171,163,1,198,190,14,71,151,68,125,118,153,103,74,0,228,94,245],\"github.com\":[14,61,211,208,66,63,136,111,148,24,21,73,112,167,192,229,142,224,154,0,179,64,241,142,188,39,136,74,212,16,218,212,190,105,168,224,125,214,95,206,96,131,69,213,119,104,83,223,106,68,13,83,186,229,173,149,138,127,19,149,29,44,203,132,19,247,22,47,136,214,140,90,113,147,240,123,42,238,218,222,27,133,243,138,184,237,52,219,156,181,116,188,215,73,154,75,254,26,137,69,8,241,119,43,168,246,16,106,201,99,156,86,85,178,157,239,10,120,105,26,16,68,123,219,252,66,50,32]}",
	"persistentIncognitoRndStorage": "",
	"storePersistentRnd": true,
	"persistentRndClearIntervalValue": 0,
	"persistentRndClearIntervalUnit": "days",
	"lastPersistentRndClearing": 1651859608780,
	"sharePersistentRndBetweenDomains": false,
	"askOnlyOnce": "individual",
	"askDenyMode": "block",
	"showCanvasWhileAsking": true,
	"showNotifications": true,
	"highlightPageAction": "none",
	"highlightBrowserAction": "color",
	"displayBadge": true,
	"storeNotificationData": false,
	"storeImageForInspection": false,
	"ignoreList": "",
	"ignoredAPIs": {},
	"showCallingFile": false,
	"showCompleteCallingStack": false,
	"enableStackList": false,
	"stackList": "",
	"protectAudio": true,
	"audioFakeRate": "100",
	"audioNoiseLevel": "minimal",
	"useAudioCache": true,
	"audioUseFixedIndices": true,
	"audioFixedIndices": "2",
	"historyLengthThreshold": 2,
	"protectWindow": true,
	"allowWindowNameInFrames": true,
	"protectDOMRect": true,
	"domRectIntegerFactor": 4,
	"protectSVG": true,
	"protectTextMetrics": true,
	"blockDataURLs": false,
	"protectNavigator": true,
	"navigatorDetails": {},
	"protectScreen": true,
	"screenSize": "",
	"fakeMinimalScreenSize": true,
	"displayAdvancedSettings": true,
	"displayDescriptions": true,
	"theme": "dark",
	"dontShowOptionsOnUpdate": false,
	"disruptSessionOnUpdate": true,
	"updatePending": false,
	"isStillDefault": false,
	"storageVersion": 1
}

privacyguy123 avatar May 06 '22 18:05 privacyguy123

I think it's the screen API. Maybe it's related to #598.

kkapsner avatar May 07 '22 21:05 kkapsner

With Screen API off still showing this access denied page - the whole domain has to be whitelisted.

privacyguy123 avatar May 07 '22 23:05 privacyguy123

This is weird. Now I cannot reproduce it at all any more.

kkapsner avatar May 08 '22 07:05 kkapsner

Now it's back...

kkapsner avatar May 08 '22 07:05 kkapsner

... and now it's not going away when disabling CB.

kkapsner avatar May 08 '22 07:05 kkapsner

It seems you need to go to a link directly to a product on the Corsair page to trigger it initially - I can browse the Corsair.com main page but it comes back when I try to click a product.

Seems like it might be setting a cookie or something because I need to restart the browser sometimes to reproduce.

privacyguy123 avatar May 08 '22 11:05 privacyguy123