Decode base64 parameters on strict blocked page

[user31415192]

Prerequisites

• I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
• This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
• The issue is not present after disabling uBO in the browser.
• I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

• uBO is the only extension.
• uBO uses default lists and settings.
• using a new, unmodified browser profile.

Description

Let's say that you somehow accidentally clicked on an ad on Microsoft Edge's new tab page (example) and that you have ||bing.com/api/v1/mediation/tracking^$doc in your personal filters. You'll be met with this screen:

without parameters = https://www.bing.com/api/v1/mediation/tracking
adUnit = 1717091780
auId = 65fd3b6a-db21-4da6-a5a3-fb78a81da9d8
bidId = ccc89839-0c28-4ace-96c7-4c5cc8dc28ac
bidderId = 6
cmExpId = LV2
oAdUnit = 1717091780
publisherId = 17160724
rId = e5437a17-dfce-461b-9747-9c774db4af5c
rlink = https://collections.microsoftadvertising.com/bidet?useSiteUrl=false&TracingTag=TargetId_edgechrntp-river-10%2CAdUnitId_366118%2Csid_6%2CT_1%2CSG_1p_sc_guardrail_2pclick_v1%2CTG_msn_us_merge_1%2CM_en-us%2CF_sc%2CAlgo_1p_sc_gr_2pc&publisher=msn&tagId=edgechrntp-river-10&setmkt=en-us&reqId=65fd3b6a-db21-4da6-a5a3-fb78a81da9d8&
    without parameters = https://collections.microsoftadvertising.com/bidet
    useSiteUrl = false
    TracingTag = TargetId_edgechrntp-river-10,AdUnitId_366118,sid_6,T_1,SG_1p_sc_guardrail_2pclick_v1,TG_msn_us_merge_1,M_en-us,F_sc,Algo_1p_sc_gr_2pc
    publisher = msn
    tagId = edgechrntp-river-10
    setmkt = en-us
    reqId = 65fd3b6a-db21-4da6-a5a3-fb78a81da9d8
rtype = targetURL
tagId = edgechrntp-river-10
trafficGroup = zfa_hf_zretr_1
trafficSubGroup = 1c_fp_thneqenvy_2cpyvpx_i1

In this case, the value of the rlink parameter (the destination link) is not obfuscated in any way, as the advertiser is Microsoft themselves. For this one however, it's no longer the case:

without parameters = https://www.bing.com/api/v1/mediation/tracking
adUnit = 366118
auId = f7b1a575-3d9f-4478-a8f1-d332c3a7e1e2
bidId = 1
bidderId = 4
cmExpId = LV2
oAdUnit = 366118
publisherId = 17160724
rId = 608b8c9d-6b7f-4471-8d05-b017de4000f1
rlink = https://www.bing.com/aclick?ld=e8vL_XdN6HmGYtgP1ncnqUqTVUCUy30HGlTC1pdF-J99OiIETZ-51Wn4x2kPu4TmR8qCQpaqcstwAlbHmEOXQRAxOA_4ZkcA1wRgL5me6CdQWmdF78Wm72K1TfEH4G2fGANQfGsT8bJmarAmYJrw0VsArAx_T1QsqUYgFT2k35lT9HkFeUIj7INBUaSLGYYi5FKKQOFA&u=aHR0cHMlM2ElMmYlMmZtb25pdG9yLmNsaWNrY2Vhc2UuY29tJTJmdHJhY2tlciUyZnRyYWNrZXIuYXNweCUzZmlkJTNkUnBiMXZIYlc5Rkt4MWUlMjZhZHBvcyUzZCUyNmxvY3BoaXNpY2FsJTNkMTY2JTI2bG9jaW50ZXJlc3QlM2QlMjZhZGdycCUzZDEzMzI2MTA0NjgxMzMyMTglMjZrdyUzZHdoYXQlMjUyMGlzJTI1MjBpbmMlMjZudyUzZGElMjZ1cmwlM2RodHRwcyUyNTNBJTI1MkYlMjUyRnd3dy5nZXQuaW5jJTI1MkZwcm9tbyUyNTNGdXRtX3NvdXJjZSUyNTNEYmluZyUyNTI2dXRtX21lZGl1bSUyNTNEJTI1N0JtZWRpdW0lMjU3RCUyNTI2dXRtX2NhbXBhaWduJTI1M0QlMjU3QkNhbXBhaWduTmFtZSUyNTdEJTI1MjZ1dG1fdGVybSUyNTNEd2hhdCUyNTI1MjBpcyUyNTI1MjBpbmMlMjUyNnV0bV9jb250ZW50JTI1M0QlMjU3QmNvbnRlbnQlMjU3RCUyNTI2ZGV2aWNlJTI1M0RjJTI1MjZnZW9sb2MlMjUzRDE2NiUyNTI2bmV0d29yayUyNTNEYSUyNTI2dHlwZSUyNTNEc2VhcmNoJTI1MjZ1dG1fc291cmNlJTI1M0RiaW5nJTI1MjZ1dG1fbWVkaXVtJTI1M0RjcGMlMjUyNnV0bV9jYW1wYWlnbiUyNTNENjAzMjA0ODUxJTI1MjZ1dG1fY29udGVudCUyNTNEMTMzMjYxMDQ2ODEzMzIxOCUyNTI2dXRtX3Rlcm0lMjUzRHdoYXQlMjUyNTIwaXMlMjUyNTIwaW5jJTI1MjZrdyUyNTNEd2hhdCUyNTI1MjBpcyUyNTI1MjBpbmMlMjUyNmNwbiUyNTNENjAzMjA0ODUxJTI2Y3BuJTNkNjAzMjA0ODUxJTI2ZGV2aWNlJTNkYyUyNmNjcHR1cmwlM2RnZXQuaW5jJTI2cGwlM2QlMjZtc2Nsa2lkJTNkYWVjZjEzYjgzNzFiMTY5MDE0Y2I3NmI3YTRiNTg4YzE&rlid=aecf13b8371b169014cb76b7a4b588c1
    without parameters = https://www.bing.com/aclick
    ld = e8vL_XdN6HmGYtgP1ncnqUqTVUCUy30HGlTC1pdF-J99OiIETZ-51Wn4x2kPu4TmR8qCQpaqcstwAlbHmEOXQRAxOA_4ZkcA1wRgL5me6CdQWmdF78Wm72K1TfEH4G2fGANQfGsT8bJmarAmYJrw0VsArAx_T1QsqUYgFT2k35lT9HkFeUIj7INBUaSLGYYi5FKKQOFA
    u = aHR0cHMlM2ElMmYlMmZtb25pdG9yLmNsaWNrY2Vhc2UuY29tJTJmdHJhY2tlciUyZnRyYWNrZXIuYXNweCUzZmlkJTNkUnBiMXZIYlc5Rkt4MWUlMjZhZHBvcyUzZCUyNmxvY3BoaXNpY2FsJTNkMTY2JTI2bG9jaW50ZXJlc3QlM2QlMjZhZGdycCUzZDEzMzI2MTA0NjgxMzMyMTglMjZrdyUzZHdoYXQlMjUyMGlzJTI1MjBpbmMlMjZudyUzZGElMjZ1cmwlM2RodHRwcyUyNTNBJTI1MkYlMjUyRnd3dy5nZXQuaW5jJTI1MkZwcm9tbyUyNTNGdXRtX3NvdXJjZSUyNTNEYmluZyUyNTI2dXRtX21lZGl1bSUyNTNEJTI1N0JtZWRpdW0lMjU3RCUyNTI2dXRtX2NhbXBhaWduJTI1M0QlMjU3QkNhbXBhaWduTmFtZSUyNTdEJTI1MjZ1dG1fdGVybSUyNTNEd2hhdCUyNTI1MjBpcyUyNTI1MjBpbmMlMjUyNnV0bV9jb250ZW50JTI1M0QlMjU3QmNvbnRlbnQlMjU3RCUyNTI2ZGV2aWNlJTI1M0RjJTI1MjZnZW9sb2MlMjUzRDE2NiUyNTI2bmV0d29yayUyNTNEYSUyNTI2dHlwZSUyNTNEc2VhcmNoJTI1MjZ1dG1fc291cmNlJTI1M0RiaW5nJTI1MjZ1dG1fbWVkaXVtJTI1M0RjcGMlMjUyNnV0bV9jYW1wYWlnbiUyNTNENjAzMjA0ODUxJTI1MjZ1dG1fY29udGVudCUyNTNEMTMzMjYxMDQ2ODEzMzIxOCUyNTI2dXRtX3Rlcm0lMjUzRHdoYXQlMjUyNTIwaXMlMjUyNTIwaW5jJTI1MjZrdyUyNTNEd2hhdCUyNTI1MjBpcyUyNTI1MjBpbmMlMjUyNmNwbiUyNTNENjAzMjA0ODUxJTI2Y3BuJTNkNjAzMjA0ODUxJTI2ZGV2aWNlJTNkYyUyNmNjcHR1cmwlM2RnZXQuaW5jJTI2cGwlM2QlMjZtc2Nsa2lkJTNkYWVjZjEzYjgzNzFiMTY5MDE0Y2I3NmI3YTRiNTg4YzE
    rlid = aecf13b8371b169014cb76b7a4b588c1
rtype = targetURL
tagId = edgechrntp-river-13
trafficGroup = zfa_hf_zretr_1
trafficSubGroup = 1c_fp_thneqenvy1_ybpnyr

If we were to take the value of the u parameter and decode it from its base64 format, we get this:
https%3a%2f%2fmonitor.clickcease.com%2ftracker%2ftracker.aspx%3fid%3dRpb1vHbW9FKx1e%26adpos%3d%26locphisical%3d166%26locinterest%3d%26adgrp%3d1332610468133218%26kw%3dwhat%2520is%2520inc%26nw%3da%26url%3dhttps%253A%252F%252Fwww.get.inc%252Fpromo%253Futm_source%253Dbing%2526utm_medium%253D%257Bmedium%257D%2526utm_campaign%253D%257BCampaignName%257D%2526utm_term%253Dwhat%252520is%252520inc%2526utm_content%253D%257Bcontent%257D%2526device%253Dc%2526geoloc%253D166%2526network%253Da%2526type%253Dsearch%2526utm_source%253Dbing%2526utm_medium%253Dcpc%2526utm_campaign%253D603204851%2526utm_content%253D1332610468133218%2526utm_term%253Dwhat%252520is%252520inc%2526kw%253Dwhat%252520is%252520inc%2526cpn%253D603204851%26cpn%3d603204851%26device%3dc%26ccpturl%3dget.inc%26pl%3d%26msclkid%3daecf13b8371b169014cb76b7a4b588c1
After percent-decoding this URL and then reducing it down to its components, we get this:

without parameters = https://monitor.clickcease.com/tracker/tracker.aspx
id = Rpb1vHbW9FKx1e
adpos
locphisical = 166
locinterest
adgrp = 1332610468133218
kw = what is inc
nw = a
url = https://www.get.inc/promo?utm_source=bing&utm_medium={medium}&utm_campaign={CampaignName}&utm_term=what%20is%20inc&utm_content={content}&device=c&geoloc=166&network=a&type=search&utm_source=bing&utm_medium=cpc&utm_campaign=603204851&utm_content=1332610468133218&utm_term=what%20is%20inc&kw=what%20is%20inc&cpn=603204851
    without parameters = https://www.get.inc/promo
    utm_source = bing
    utm_medium = {medium}
    utm_campaign = {CampaignName}
    utm_term = what is inc
    utm_content = {content}
    device = c
    geoloc = 166
    network = a
    type = search
    utm_source = bing
    utm_medium = cpc
    utm_campaign = 603204851
    utm_content = 1332610468133218
    utm_term = what is inc
    kw = what is inc
    cpn = 603204851
cpn = 603204851
device = c
ccpturl = get.inc
pl
msclkid = aecf13b8371b169014cb76b7a4b588c1

Now, the destination link is clearly visible: it's https://www.get.inc/promo.

A specific URL where the issue occurs.

||bing.com/api/v1/mediation/tracking*

Steps to Reproduce

1. Add this filter to your filter list: ||bing.com/api/v1/mediation/tracking^$doc
2. Click on an ad on ad on Microsoft Edge's new tab page whose advertiser is not Sponsored Collections.
3. Take the value of the aforementioned u parameter and decode it from its base64 format via this tool.
4. Take the now-decoded value and percent-decode it via this tool.
5. Navigate to the now-decoded URL and click on the destination link.

Expected behavior

I expect uBO to parse the link in the second example this way:

without parameters = https://www.bing.com/api/v1/mediation/tracking
adUnit = 366118
auId = f7b1a575-3d9f-4478-a8f1-d332c3a7e1e2
bidId = 1
bidderId = 4
cmExpId = LV2
oAdUnit = 366118
publisherId = 17160724
rId = 608b8c9d-6b7f-4471-8d05-b017de4000f1
rlink = https://www.bing.com/aclick?ld=e8vL_XdN6HmGYtgP1ncnqUqTVUCUy30HGlTC1pdF-J99OiIETZ-51Wn4x2kPu4TmR8qCQpaqcstwAlbHmEOXQRAxOA_4ZkcA1wRgL5me6CdQWmdF78Wm72K1TfEH4G2fGANQfGsT8bJmarAmYJrw0VsArAx_T1QsqUYgFT2k35lT9HkFeUIj7INBUaSLGYYi5FKKQOFA&u=aHR0cHMlM2ElMmYlMmZtb25pdG9yLmNsaWNrY2Vhc2UuY29tJTJmdHJhY2tlciUyZnRyYWNrZXIuYXNweCUzZmlkJTNkUnBiMXZIYlc5Rkt4MWUlMjZhZHBvcyUzZCUyNmxvY3BoaXNpY2FsJTNkMTY2JTI2bG9jaW50ZXJlc3QlM2QlMjZhZGdycCUzZDEzMzI2MTA0NjgxMzMyMTglMjZrdyUzZHdoYXQlMjUyMGlzJTI1MjBpbmMlMjZudyUzZGElMjZ1cmwlM2RodHRwcyUyNTNBJTI1MkYlMjUyRnd3dy5nZXQuaW5jJTI1MkZwcm9tbyUyNTNGdXRtX3NvdXJjZSUyNTNEYmluZyUyNTI2dXRtX21lZGl1bSUyNTNEJTI1N0JtZWRpdW0lMjU3RCUyNTI2dXRtX2NhbXBhaWduJTI1M0QlMjU3QkNhbXBhaWduTmFtZSUyNTdEJTI1MjZ1dG1fdGVybSUyNTNEd2hhdCUyNTI1MjBpcyUyNTI1MjBpbmMlMjUyNnV0bV9jb250ZW50JTI1M0QlMjU3QmNvbnRlbnQlMjU3RCUyNTI2ZGV2aWNlJTI1M0RjJTI1MjZnZW9sb2MlMjUzRDE2NiUyNTI2bmV0d29yayUyNTNEYSUyNTI2dHlwZSUyNTNEc2VhcmNoJTI1MjZ1dG1fc291cmNlJTI1M0RiaW5nJTI1MjZ1dG1fbWVkaXVtJTI1M0RjcGMlMjUyNnV0bV9jYW1wYWlnbiUyNTNENjAzMjA0ODUxJTI1MjZ1dG1fY29udGVudCUyNTNEMTMzMjYxMDQ2ODEzMzIxOCUyNTI2dXRtX3Rlcm0lMjUzRHdoYXQlMjUyNTIwaXMlMjUyNTIwaW5jJTI1MjZrdyUyNTNEd2hhdCUyNTI1MjBpcyUyNTI1MjBpbmMlMjUyNmNwbiUyNTNENjAzMjA0ODUxJTI2Y3BuJTNkNjAzMjA0ODUxJTI2ZGV2aWNlJTNkYyUyNmNjcHR1cmwlM2RnZXQuaW5jJTI2cGwlM2QlMjZtc2Nsa2lkJTNkYWVjZjEzYjgzNzFiMTY5MDE0Y2I3NmI3YTRiNTg4YzE&rlid=aecf13b8371b169014cb76b7a4b588c1
    without parameters = https://www.bing.com/aclick
    ld = e8vL_XdN6HmGYtgP1ncnqUqTVUCUy30HGlTC1pdF-J99OiIETZ-51Wn4x2kPu4TmR8qCQpaqcstwAlbHmEOXQRAxOA_4ZkcA1wRgL5me6CdQWmdF78Wm72K1TfEH4G2fGANQfGsT8bJmarAmYJrw0VsArAx_T1QsqUYgFT2k35lT9HkFeUIj7INBUaSLGYYi5FKKQOFA
    u = https://monitor.clickcease.com/tracker/tracker.aspx?id=Rpb1vHbW9FKx1e&adpos=&locphisical=166&locinterest=&adgrp=1332610468133218&kw=what is inc&nw=a&url=https://www.get.inc/promo?utm_source=bing&utm_medium={medium}&utm_campaign={CampaignName}&utm_term=what%20is%20inc&utm_content={content}&device=c&geoloc=166&network=a&type=search&utm_source=bing&utm_medium=cpc&utm_campaign=603204851&utm_content=1332610468133218&utm_term=what%20is%20inc&kw=what%20is%20inc&cpn=603204851&cpn=603204851&device=c&ccpturl=get.inc&pl=&msclkid=aecf13b8371b169014cb76b7a4b588c1
        without parameters = https://monitor.clickcease.com/tracker/tracker.aspx
        id = Rpb1vHbW9FKx1e
        adpos
        locphisical = 166
        locinterest
        adgrp = 1332610468133218
        kw = what is inc
        nw = a
        url = https://www.get.inc/promo?utm_source=bing
            without parameters = https://www.get.inc/promo
            utm_source = bing
        utm_medium = {medium}
        utm_campaign = {CampaignName}
        utm_term = what is inc
        utm_content = {content}
        device = c
        geoloc = 166
        network = a
        type = search
        utm_source = bing
        utm_medium = cpc
        utm_campaign = 603204851
        utm_content = 1332610468133218
        utm_term = what is inc
        kw = what is inc
        cpn = 603204851
        cpn = 603204851
        device = c
        ccpturl = get.inc
        pl
        msclkid = aecf13b8371b169014cb76b7a4b588c1
    rlid = aecf13b8371b169014cb76b7a4b588c1
rtype = targetURL
tagId = edgechrntp-river-13
trafficGroup = zfa_hf_zretr_1
trafficSubGroup = 1c_fp_thneqenvy1_ybpnyr

Actual behavior

Feature not yet implemented at the time of writing

uBO version

1.52.2

Browser name and version

Operating System and version

[user31415192]

Also, may users be able to toggle support for this feature on or off.

[uBlock-user]

uBlockOrigin/uAssets#18475 (comment)

[gwarser]

I have a feeling this was requested before, but cannot find.

[MasterKia]

#1784 (comment):

gorhill: Who is going to invest their time when new issues are opened with "hey, uBO is not offering the right URL" when more than one URL are found in the parsing of the parameters, or "hey, uBO is not offering any URL" when the target URL is doubly encoded, and so on?

[gwarser]

Duplicate then?

[MasterKia]

Yes, duplicate of #1784.

Also:

gorhill: AdGuard has concept of "trusted list", so I am guessing those redirect bypass filters will work only when present in a trusted list.
I will reconsider once trusted lists are a thing in uBO, and also depending on support at that point on AdGuard.

Maybe now $queryjump could be considered?

[gwarser]

But this issue is about decoding the parameter, not navigate to it.

[stephenhawk8054]

Yeah, I don't think this is related to $queryjump, this is decoding the URL at strict-block page, not auto-redirect to that URL.

[MasterKia]

I know, with trusted lists now we could have $queryjump.

But this still applies:
#2832 (comment)

[gorhill]

This was requested before, and I declined. Base64 is just one encoding, a server can set the encoding to anything, including proprietary ones, and supporting base64 would just open the door to be asked to support all sort of URL decoding. I prefer to decline.

[user31415192]

As one last comment on this thread, this can now be remedied using the new urlskip filter option:

urlskip=

• First example: ?rlink ?u
• Second example: ?rlink ?u -uricomponent ?url /(.*(?=\?))/