About inline scripts

Various discussions related to Adblock Plus development
Posts: 2
Joined: Tue May 06, 2014 6:49 am

About inline scripts

Post by Dman »

Hi there,

First of all, let me say I don't know anything about JavaScript, I am just a Firefox user ... with some requirements ... in this case, being able to block inline scripts.

I have been googling a bit to realize this is a requirement requested long ago ... and I wasn't able to find a way to get it done ... then I kept googling ... with no luck ... ... ... yes, I didn't surrender and kept googling and reading ... ... ... and finally I think there might be a way to indirectly implement this feature.

Since I am not a programmer, I'd like to expose the how-to so somebody who really knows could discard the idea or accept it.

The general use case would be a user who needs to block inline scripts on several annoying websites ('thepiratebay.se' could be one of them).

My idea was based on several texts from https://developer.mozilla.org/en-US/doc ... ity_Policy and siblings. Here are some of the relevant ones:

"A CSP compatible browser will then only execute scripts loaded in source files received from those whitelisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes)."

"A policy needs to include a default-src or script-src directive in order for CSP to restrict inline scripts from running, as well as blocking the use of eval()."

"When either the script-src or the default-src directive is included, inline script and eval() are disabled unless you specify 'unsafe-inline' and 'unsafe-eval', respectively."

"Enabling CSP is as easy as configuring your web server to return the Content-Security-Policy HTTP header."

So the idea would be to somehow include "Content-Security-Policy: default-src *" in the HTTP response headers from the annoying websites.

The CSP directive "default-src *" shouldn't block anything, but using CSP should implicitly block inline scripts.

One problem would be how to modify HTTP header responses from the annoying websites, but on an unrelated topic I could read "I briefly considered manipulating a response from Stack Overflow to include the necessary header." from https://palant.de/2014/03/30/enforcing- ... n-websites ... so I assumed that was something that might be achieved.

Now ... it's too late, maybe I read too much and I am probably wrong, but I just needed to make sure.

So ... what do you think?

Thank you !!!

PS: "Content-Security-Policy: script-src * 'unsafe-eval'" might be more correct than "Content-Security-Policy: default-src *" ... but that's in case I am not completely wrong, which I don't know yet.
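The reasoning in this post, as an added example (not code from the thread or from Adblock Plus): a small JavaScript evaluator of the quoted CSP rules, which shows that "default-src *" or "script-src * 'unsafe-eval'" blocks inline scripts while still letting external scripts load. The page origin and the CDN URL in the usage are constructed sample values.

```javascript
// Added example (not from the thread or from Adblock Plus): a small evaluator
// for the CSP rules quoted above. It resolves the effective script policy
// (script-src, falling back to default-src) and reports whether inline scripts,
// eval() and a given external script URL are allowed. Host matching is
// simplified (scheme, hostname and "*." wildcards only; ports, paths, nonces
// and hashes are ignored), so this is not a complete CSP implementation.

function parseCsp(header) {
  // Accepts either the bare value or "Content-Security-Policy: <value>".
  const value = header.replace(/^content-security-policy:\s*/i, "");
  const directives = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

function hostSourceMatches(src, target) {
  // src examples: "https://cdn.example.net", "cdn.example.net", "*.example.net"
  let scheme = null, host = src;
  const i = src.indexOf("://");
  if (i !== -1) {
    scheme = src.slice(0, i + 1); // e.g. "https:"
    host = src.slice(i + 3);
  }
  host = host.split("/")[0].split(":")[0]; // drop path and port (simplification)
  if (scheme !== null && scheme !== target.protocol) return false;
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

function evaluateScriptPolicy(header, pageOrigin, externalScriptUrl) {
  const d = parseCsp(header);
  const sources = d["script-src"] ?? d["default-src"] ?? null;
  if (sources === null) {
    // Neither directive present: the policy does not restrict scripts at all.
    return { restricted: false, inlineAllowed: true, evalAllowed: true, externalAllowed: true };
  }
  const target = new URL(externalScriptUrl);
  const externalAllowed = sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.startsWith("'")) return false; // keyword ('none', 'unsafe-*'), not a host
    return hostSourceMatches(src, target);
  });
  return { restricted: true, externalAllowed,
    inlineAllowed: sources.includes("'unsafe-inline'"), evalAllowed: sources.includes("'unsafe-eval'") };
}
```

Calling `evaluateScriptPolicy("Content-Security-Policy: default-src *", "https://thepiratebay.se", "https://cdn.example.net/ads.js")` returns `inlineAllowed: false` and `externalAllowed: true`, which is exactly the effect this post is after.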
Gingerbread Man
Posts: 1339
Joined: Fri Aug 12, 2011 5:28 am

Re: About inline scripts

Post by Gingerbread Man »


Wladimir previously investigated the possibility of blocking inline scripts, but it wasn't doable (you can do this with a specialized add-on like NoScript).

It would be great if enough has changed that this can be re-evaluated. Moving to Future Development for consideration. Also filed
Posts: 2
Joined: Tue May 06, 2014 6:49 am

Re: About inline scripts

Post by Dman »

Hi Gingerbread Man,

I can also disable inline scripts without running the NoScript add-on ... by simply disabling JavaScript on a domain using the less overkill YesScript extension.

What neither of the two previous add-ons can achieve is disabling inline scripts WITHOUT automatically disabling external scripts (http://forums.informaction.com/viewtopic.php?f=7&t=9003).

I think the idea I proposed might have the potential of disabling inline scripts on chosen domains ... without interfering with external scripts, so that users could keep blocking external scripts on demand (with ABP) as they are already doing ... or not blocking external scripts at all.

That's why I am asking for experienced people to consider it ... ... ... maybe Wladimir could have a look at this.

Thank you very much.

Re: About inline scripts

Post by Sennin »

I *think* it is impossible to have third party scripts run if first party is blocked. For security reasons no third party script should be able to run if it hasn't been called by the first party.

But being able to filter inline scripts would be very useful in its own right! It would enable ABP to defeat most attempts to detect adblocking and cripple the user experience because of it.

I think recently the ABP team has had more resources, so maybe this feature can be reconsidered even if it still is a massive amount of work?