From websocket to webpack

[Noggie]

Site able to bypass adblock using webpack. Adblock doesn't even see those files.

Code: Select all

http://nyheter24.se/

Would be nice if this worked.

Code: Select all

webpack:///./src/detection/^$domain=nyheter24.se

They really spent some hours writing adblock detection code.

Can't hide the delayed popup message "Poor us. Disable adblocking" nag because it use random id and class.

[mapx]

where did you see that webpack ? but the message ? screenshots ?

what if you add

Code: Select all

@@||nyheter24.se^$generichide
@@||nyheter24.se/*ad

[Noggie]

> where did you see that webpack ? but the message ? screenshots ?

https://postimg.org/image/z62k3z3m5/

https://postimg.org/image/u653w0xzh/

Doesn't work. Nag still popup.

Code: Select all

@@||nyheter24.se^$generichide
@@||nyheter24.se/*ad

[mapx]

no issue for me, probbaly I need a swedish ip to reproduce it.

could you try this filter:
$websocket,domain=nyheter24.se

[Noggie]

no issue for me, probbaly I need a swedish ip to reproduce it.

I did a little test and that seems to be the case.

This didn't work. Websocket isn't used. That would have been an easy fix.

Code: Select all

$websocket,domain=nyheter24.se

[lewisje]

I have never seen the webpack: URI scheme; I just know about Webpack as a way to bundle JS for the browser.

[mapx]

I got a swedish ip (using hola) but no anti adblocking stuff. However I warned the developers about the webpack thing.

[mapx]

probably blocking

Code: Select all

||nyheter24.se/messaging.js

will fix your issue.

messaging.js is containing calls to webpack stuff
I wonder if all this stuff would be inline code ..

[mapx]

code from webpack objects:

Code: Select all

'use strict';

Object.defineProperty(exports, "__esModule", {
    value: true
});

var _once2 = require('lodash/once');

var _once3 = _interopRequireDefault(_once2);

exports["default"] = imageNetworkTest;

var _promise = require('util/promise');

var _promise2 = _interopRequireDefault(_promise);

var _test_result = require('detection/blocked_tests/test_result');

var _test_result2 = _interopRequireDefault(_test_result);

var _network_test_uri = require('config/network_test_uri');

var _network_test_uri2 = _interopRequireDefault(_network_test_uri);

var _reason_types = require('detection/blocked_tests/reason_types');

var _reason_types2 = _interopRequireDefault(_reason_types);

function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { "default": obj }; }

var IMAGE = _reason_types2["default"].tests.IMAGE,
    CANVAS = _reason_types2["default"].testTypes.CANVAS,
    NETWORK = _reason_types2["default"].testTypes.NETWORK,
    TIMEOUT = _reason_types2["default"].testTypes.TIMEOUT,
    SRC = _reason_types2["default"].testTypes.SRC;

// safari ublock modifies the src of image tags causing them to never load
// gorhill/ublock/platform/safari/vapi-client.js line 276


var UBLOCK_SRC = 'data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=';

/**
 * Some adblockers will return a 92 byte length data URI when intercepting a call.
 * A normal transparent 1x1 pixel will end up being somewhere around 60 bytes as a data URL
 */
function wasBlocked(img) {
    try {
        var canvas = document.createElement('canvas');
        canvas.width = img.width;
        canvas.height = img.height;
        var ctx = canvas.getContext('2d');
        ctx.drawImage(img, 0, 0);
        var dataURL = canvas.toDataURL('image/png');
        return dataURL.replace(/^data:image\/(png|jpg);base64,/, '').length === 92;
    } catch (e) {
        if (e.code === 18) {
            // CORS error
            return false;
        } else {
            // log this - could be network error?
            return false;
        }
    }
}

/**
 * Places an image on the page and watches network callbacks for squashing by
 * adblockers.  invokes passed in callback with a TestResult instance
 * containing the blocked status and optionally a reason
 */
function imageNetworkTest() {
    var src = arguments.length <= 0 || arguments[0] === undefined ? (0, _network_test_uri2["default"])() : arguments[0];
    var timeout = arguments.length <= 1 || arguments[1] === undefined ? 200 : arguments[1];


    var imageNetworkBlockedPromise = new _promise2["default"]();

    var img_wrapper = document.createElement('div');
    img_wrapper.style.position = 'absolute';
    img_wrapper.style.left = '-9999px';
    img_wrapper.style.right = '-9999px';
    img_wrapper.style.width = '1px';
    img_wrapper.style.height = '1px';

    var img = void 0;
    if (window.Image) {
        // ublock will modify img src attributes if they are instances of
        // Image so preferably use the Image class for testing
        img = new Image();
    } else {
        img = document.createElement('img');
    }
    img.setAttribute('height', '1');
    img.setAttribute('width', '1');
    img.src = src;

    img_wrapper.appendChild(img);

    var detectAdblock = (0, _once3["default"])(function (adblocker_detected, reason) {
        if (img_wrapper.parentElement) {
            document.body.removeChild(img_wrapper);
        }

        imageNetworkBlockedPromise.resolve(new _test_result2["default"](adblocker_detected, IMAGE, src, reason));
    });

    function testUnblockedLoad(skipCanvasTest, reason) {
        if (img.src === UBLOCK_SRC) detectAdblock(true, SRC);else if (!skipCanvasTest && wasBlocked(img)) detectAdblock(true, CANVAS);else {
            detectAdblock(false, reason);
        }
    }

    img.addEventListener('load', testUnblockedLoad.bind(null, false, NETWORK), true);

    // Here we are adding a timeout to the network request. Since adblockers
    // have to synchronously block network requests we don't have to wait for
    // the image to finish loading to know it was not blocked. However,
    // browsers do not immediately begin loading images. They will kick off the
    // loading of an image.src only once the current script finishes executing.
    // Thus, we defer the setting of our timeout, which gives the browser a
    // chance to initiate the loading of our image before we set our timeout
    // for the network request. We skip the canvas test in this case as it also
    // produces a blocked data url for loading images.
    window.setTimeout(function () {
        window.setTimeout(testUnblockedLoad.bind(null, true, TIMEOUT), timeout);
    }, 10);

    img.addEventListener('error', function () {
        detectAdblock(true, NETWORK);
    }, true);

    img.src = src;

    document.body.appendChild(img_wrapper);

    return imageNetworkBlockedPromise;
}


/*****************
 ** WEBPACK FOOTER
 ** ./src/detection/blocked_tests/image_network_test.js
 ** module id = 181
 ** module chunks = 0 1 2 3 4 5 6
 **/

[Wladimir Palant]

I'm only going to reply to this suggestion, not looking into the actual circumvention approach used by the website (people who actually write filters are way better at that than me).

Would be nice if this worked.

Code: Select all

webpack:///./src/detection/^$domain=nyheter24.se

Unfortunately, this won't work. Even if it was feasible to add some Webpack-specific logic to Adblock Plus, Webpack is merely one of approximately hundred popular solutions to combine multiple scripts into one file. And even if we added logic to decompile all of these - somebody determined to circumvent ad blockers would easily invent their new custom format that could no longer be decompiled. In fact, even with Webpack you usually cannot see the original file names any more. This isn't going to be helpful.