Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add surrogate-based replacement placeholders for Rumble and Google reCAPTCHA widgets #2805

Merged
merged 18 commits into from
Oct 27, 2021

Conversation

ghostwords
Copy link
Member

@ghostwords ghostwords commented Sep 27, 2021

Fixes #2739, fixes #2796 by implementing a new, surrogate script-driven widget replacement flow to support replacing more complex/dynamic widgets.

We don't (always) know the widget's element selector (because it's dynamically set by the page via a predefined config variable or widget API call). If our hardcoded selectors don't match, we fail to replace. If a widget is always initialized by calling the widget API, we might not have any hardcoded selectors at all.

To be clear, this PR doesn't add a new widget type; we dynamically generate a "type 4" (#2512) widget in the end of this new replacement flow:

  1. While filtering requests, we match and redirect a known widget script resource request to the surrogate script for that widget.
  2. Our surrogate provides (some of) the replaced widget's API to the page.
  3. The page calls that API.
  4. Our surrogate sends a message to a listener in a content script.
  5. The content script relays that message to the background page.
  6. The background page constructs a widget definition object (static definitions live in /src/data/socialwidgets.json) and sends it to the widget replacement content script.
  7. The widget replacement content script performs the replacement. This entirely leverages existing functionality.

Messages from our surrogate are not to be trusted as unlike messages from content scripts, surrogate script messages can be easily modified and/or faked by the page. The background page is responsible for validating/sanitizing incoming widget data (content scripts should be kept as simple as possible).

Follows up on #2512, where we added a new widget type (the aforementioned "type 4") that on activation reinserts the replaced element and then also runs the (previously blocked) associated JavaScript resources.

To be followed up with improved Facebook and YouTube surrogates that should let us finally remove Facebook/YouTube domains from the yellowlist (#1593).

@ghostwords ghostwords added widgets Click-to-activate placeholders for blocked but potentially useful social buttons/widgets surrogates Replacement blank/noop/dummy/neutered versions of tracking scripts used to avoid site breakages labels Sep 27, 2021
@ghostwords ghostwords force-pushed the rumble-replacement-widget branch from 27e25c4 to 7c3e885 Compare September 29, 2021 18:58
@ghostwords ghostwords force-pushed the rumble-replacement-widget branch from 7c3e885 to cf0b61d Compare September 29, 2021 20:07
@ghostwords ghostwords requested a review from bcyphers October 15, 2021 15:21
@ghostwords ghostwords changed the title Add replacement placeholder for Rumble widget Add surrogate-based replacement placeholders for Rumble and Google reCAPTCHA widgets Oct 19, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
surrogates Replacement blank/noop/dummy/neutered versions of tracking scripts used to avoid site breakages widgets Click-to-activate placeholders for blocked but potentially useful social buttons/widgets
Projects
None yet
1 participant