About inline scripts


Post by Dman » Tue May 06, 2014 7:36 am

Hi there,

first of all let me say I don't know anything about JavaScript, I am just a Firefox user ... with some requirements ... in this case being able to block inline scripts.

I have been googling a bit to realize this is a requirement requested long ago ... and I wasn't able to find a way to get it done ... then I kept googling ... with no luck ... ... ... yes, I didn't surrender and kept googling and reading ... ... ... and finally I think there might be a way to indirectly implement this feature.

Since I am not a programmer, I'd like to expose the how-to so somebody who really knows could discard the idea or accept it.

The general use case would be a user who needs to block inline scripts on several annoying websites ('thepiratebay.se' could be one of them).


My idea was based on several texts from https://developer.mozilla.org/en-US/doc ... ity_Policy and siblings. Here are some of the relevant ones:


"A CSP compatible browser will then only execute scripts loaded in source files received from those whitelisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes)."

"A policy needs to include a default-src or script-src directive in order for CSP to restrict inline scripts from running, as well as blocking the use of eval()."

"When either the script-src or the default-src directive is included, inline script and eval() are disabled unless you specify 'unsafe-inline' and 'unsafe-eval', respectively."

"Enabling CSP is as easy as configuring your web server to return the Content-Security-Policy HTTP header."



So the idea would be to somehow include "Content-Security-Policy: default-src *" on the HTTP header responses from the annoying websites.

The CSP directive "default-src *" shouldn't block anything, but using CSP should implicitly block inline scripts.


One problem would be how to modify HTTP header responses from the annoying websites, but on an unrelated topic I could read "I briefly considered manipulating a response from Stack Overflow to include the necessary header." from https://palant.de/2014/03/30/enforcing- ... n-websites ... so I assumed that was something that might be achieved.



Now ... it's too late, maybe I read too much and I am probably wrong, but I just needed to make sure.



So ... what do you think ?



Thank you !!!




PS .- "Content-Security-Policy: script-src * 'unsafe-eval'" might be more correct than "Content-Security-Policy: default-src *" ... but that's in case I am not completely wrong which I don't know yet.
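An added example, not part of the original post and not Adblock Plus code: a simplified check of what a Content-Security-Policy value permits for scripts, following the `script-src` / `default-src` rule in the MDN text quoted above. The names `parseCsp` and `scriptPolicy` are hypothetical, the sample policies are constructed, and the model ignores multiple comma-separated policies and `'strict-dynamic'`.

```javascript
// Added example (hypothetical helper names, constructed sample policies).
// Parse a CSP header value into a map of directive name -> source list.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report what the policy means for script execution.
function scriptPolicy(headerValue) {
  const directives = parseCsp(headerValue);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const sources = directives.has('script-src')
    ? directives.get('script-src')
    : directives.get('default-src');
  if (sources === undefined) {
    // Neither directive present: CSP places no restriction on scripts.
    return { restricted: false, inlineAllowed: true, evalAllowed: true, externalSources: [] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  // CSP Level 2+: a nonce or hash source makes the browser ignore 'unsafe-inline',
  // so only inline scripts matching the nonce or hash would run.
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return {
    restricted: true,
    inlineAllowed: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
    evalAllowed: lower.includes("'unsafe-eval'"),
    externalSources: sources.filter((s) => !s.startsWith("'")),
  };
}

// Constructed sample policies, including the two proposed in the post.
const samples = [
  "default-src *",
  "script-src * 'unsafe-eval'",
  "script-src * 'unsafe-inline'",
  "img-src 'self'",
];
for (const policy of samples) {
  console.log(policy, '=>', JSON.stringify(scriptPolicy(policy)));
}
```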

Re: About inline scripts

Post by Gingerbread Man » Tue May 06, 2014 8:57 am

Hello,

Wladimir previously investigated the possibility of blocking inline scripts, but it wasn't doable (you can do this with a specialized add-on like NoScript).
viewtopic.php?t=5977

It would be great if enough has changed that this can be re-evaluated. Moving to Future Development for consideration. Also filed
https://issues.adblockplus.org/ticket/429

Re: About inline scripts

Post by Dman » Tue May 06, 2014 10:14 am

Hi Gingerbread Man,


I can also disable inline scripts without running the NoScript add-on ... by simply disabling JavaScript on a domain using the less overkill YesScript extension.


What neither of the previous add-ons could achieve is disabling inline scripts WITHOUT disabling external scripts automatically ( http://forums.informaction.com/viewtopic.php?f=7&t=9003 ).


I think the idea I proposed might have the potential of disabling inline scripts on chosen domains ... without interfering with external scripts, so that users could keep blocking external scripts on demand (with ABP) as they are already doing ... or not blocking external scripts at all.


That's why I am asking for experienced people to consider it ... ... ... maybe Wladimir could have a look at this.


Thank you very much.

Re: About inline scripts

Post by Sennin » Tue May 06, 2014 3:52 pm

I *think* it is impossible to have third party scripts run if first party is blocked. For security reasons no third party script should be able to run if it hasn't been called by the first party.

But being able to filter inline scripts would be very useful in its own right! It would enable ABP to defeat most attempts to detect adblocking and cripple user experience because of it.

I think recently the ABP team has had more resources, so maybe this feature can be reconsidered even if it still is a massive amount of work?