$inline-script does not work (<script src="data:text/javascript;base64,...)
mtxadmin opened this issue · 3 comments
Prerequisites
- I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
- This is NOT a YouTube, Facebook or Twitch report. These sites MUST be reported by clicking their respective links.
- This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
- I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
- The issue is not present after disabling uBO in the browser.
- I checked the documentation to understand that the issue I am reporting is not normal behavior.
I tried to reproduce the issue when...
- uBO is the only extension.
- uBO uses default lists and settings.
- using a new, unmodified browser profile.
Description
It turns out that the $inline-script construction cannot block inline scripts that are added through <script src="data:text/javascript,[BASE64 script]">
A specific URL where the issue occurs.
https://carservic.ru/ - any URL on it (a Russian site, but it does not matter)
Steps to Reproduce
- Add anti-script local rules to uBO:
  carservic.ru$inline-script
  carservic.ru$script
- Open any URL on https://carservic.ru/
- Select some text on the page
- Paste the text from the clipboard into a text editor. It will have an "Источник:[URL]" ("source" in Russian) promo suffix.
Expected behavior
JS scripts from the site are not running and do not interfere with copy-pasting
Actual behavior
Some JS scripts are running and adding "Source:" ad suffixes when the user copies text from the page
uBO version
1.56.0
Browser name and version
Tested on Mozilla and Opera
Operating System and version
Windows
Some stackoverflow:
https://stackoverflow.com/questions/55115912/how-does-the-data-attribute-in-the-attribute-src-of-script-tag-work
https://stackoverflow.com/questions/41394983/how-to-defer-inline-javascript (maybe it is defer effects)
https://stackoverflow.com/questions/383405/embed-javascript-as-base64
The CSP used for inline-script does not exclude data:, I can't remember why.
Until I make a decision, you can use something like:
||carservic.ru^$csp=script-src 'self' *
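
Why the suggested `script-src 'self' *` stops the data: script while a policy that lists data: lets it through, as an added example that is not part of the original thread and is not uBO's or a browser's code. It is a simplified model of CSP source matching; the sample script URLs and the `script-src * data:` policy are constructed for illustration.

```javascript
// Simplified model of CSP Level 3 script-src matching. It handles only
// 'self', *, scheme sources such as data:, and 'unsafe-inline';
// host sources, nonces and hashes are left out.
function scriptSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null; // no script-src (default-src fallback is not modelled)
}

function allowsScript(policy, pageOrigin, script) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.src);
  const pageScheme = new URL(pageOrigin).protocol;
  return sources.some((source) => {
    // * covers http(s) and the page's own scheme, but never data: or blob:
    if (source === '*') return ['http:', 'https:', pageScheme].includes(url.protocol);
    if (source === "'self'") return url.origin === pageOrigin;
    // A scheme source such as data: must be listed explicitly to match
    if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
    return false;
  });
}

// Constructed sample scripts; only the data: URL form comes from the issue.
const PAGE_ORIGIN = 'https://carservic.ru';
const SCRIPTS = {
  inline: { inline: true },
  dataUrl: { src: 'data:text/javascript;base64,Y29uc29sZS5sb2coMSk=' },
  sameOrigin: { src: 'https://carservic.ru/example.js' },
  thirdParty: { src: 'https://cdn.example/lib.js' },
};

// Constructed stand-in for a policy that blocks inline scripts but lists data:
const POLICY_WITH_DATA = "script-src * data:";
// The value of the $csp= filter suggested in the reply
const POLICY_WORKAROUND = "script-src 'self' *";

function evaluate(policy) {
  return Object.fromEntries(Object.entries(SCRIPTS).map(
    ([name, script]) => [name, allowsScript(policy, PAGE_ORIGIN, script)]));
}

console.log(POLICY_WITH_DATA, evaluate(POLICY_WITH_DATA));
console.log(POLICY_WORKAROUND, evaluate(POLICY_WORKAROUND));
```

Both policies block the inline script because neither contains 'unsafe-inline'; only the one that names data: as a source lets the base64 script element load.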