Add heuristic and selective blocking to javascript script

[uazo]

Preliminary checklist

• I have read the README
• I have read the FAQs.
• I have searched existing issues for my feature request. This is a new issue (NOT a duplicate) and is not related to another issue.
• This is a feature request for the Cromite browser; not the website nor F-Droid nor anything else.

Is your feature request related to privacy?

Yes

Is there a patch available for this feature somewhere?

I'm working on it

Describe the solution you would like

Check whether it is possible to selectively block the execution of javascript:
please read https://arxiv.org/pdf/2302.01182.pdf

Describe alternatives you have considered

n/a

[uazo]

test with:

• https://solidtorrents.to/torrents/the-shawshank-redemption-1994-720p-avc-rus-leonard-6c661/5bcb41427da3981cefcc26b6/
• https://canyoublockit.com/advanced-adblocker-test/adblock-detector/
• https://deblocker.merkulov.design/
• https://crast.net/327724/top-10-leading-open-source-web-browsers-on-android/
• https://tecnologia.libero.it/android/
• https://www.thelocal.it/20220217/the-red-flags-to-watch-out-for-when-buying-an-old-house-in-italy
• https://www.akamai.com/it/products/mpulse-real-user-monitoring
• https://www.corriere.it/
• https://www.theguardian.com/
• https://ottprime.store/
• https://www.adpushup.com/blog/what-is-average-revenue-per-visitor/
• http://www.rockmods.net/
• https://www.elementpack.pro/demo/element/adblock-detector/
• https://freecoursesite.com/
• (KO: wrong rule block harmless https://www.detectadblock.com/clever_ads.js) https://www.detectadblock.com/
• https://dragontea.ink/novel/im-an-adventurer-musou-skill-is-plane-magic/volume-6-exploring-unexplored-regions/episode-163-the-flag-was-already-collected/
• https://cutyurls.com/Q9prUe
• https://fuckadblock.sitexw.fr/
• https://stadt-bremerhaven.de/
• https://www.aranzulla.it/

[uazo]

some updates.

I managed to do this:

• mark scripts that insert runtime <link>, <img> and <script> tags and that have urls blocked by adblock, differentiating between those that expect feedback on blocking, i.e. have the "onerror" event set, in which case I selectively block run-time the future execution of such scripts.
• mark scripts that perform fetch/XMLHttpRequest and expect feedback on adblock, i.e. have a promise with reject or are inside a try/catch or have the onerror set, blocking future execution.

the assumption, as described in the pdf, is that the scripts making blocked requests are non-functional but tracking scripts.

a test on the pages described above allows me to block anti-adblocks, for example, while keeping the page functional. furthermore, a refresh of the page makes very few non-cached requests, allowing a better understanding of whether new filters need to be added to the adblock list.

[uazo]

steps forward.

I have also added:

• hide from anti-adblock the presence of hidden elements. technically I create a new hidden css attribute, and when javascript requests the "display" value, instead of 'hidden' I send 'block'. removed, see below

it's a hack, and it might be short-lived, but for now it seems to work.

of the list above, so far no one notices adblock.
note that the aim is not so much to eliminate advertising as such, but that advertising is often linked to tracking.
moreover, it could be a first step towards my version of the privacy budget proposed by google, blocking scripts that require too much fingerprinting data.
small steps first.

[Kirshi912]

https://dragontea.ink/novel/im-an-adventurer-musou-skill-is-plane-magic/volume-6-exploring-unexplored-regions/episode-163-the-flag-was-already-collected/

[uazo]

https://dragontea.ink/novel/im-an-adventurer-musou-skill-is-plane-magic/volume-6-exploring-unexplored-regions/episode-163-the-flag-was-already-collected/

yes, the anti-blocking also works for that site (EDIT: without active cosmetic filtering)

[Universalizer]

Checking if the site connection is secure

Again and again Verifying... Cloudflare, proceeding and browsing history > just a moment many repetitions.

dragontea.ink needs to review the security of your connection before proceeding.

[uazo]

some updates.
I then understood (more or less) how the layout works in blink and the difference between logical and physical coordinates.
the real problem is that the physical ones (in pixels) are exposed in javascript, while it would have been better to expose the logical ones: I think it's a historical problem of how javascript was born, it can't be easily fixed since they are used, for example, for hittest.
but I have perhaps understood how to implement the letterbox

Therefore, the route I had thought of to falsify the display:none is not viable.
I am now trying the path indicated in https://www.shitong.me/pdfs/www19_shadowblock.pdf requires, however, that cosmetic filtering be deactivated. and by the way it is almost even better, I have noticed that the filters are not complete and that sometimes the ads are loaded but not shown, which is not what I would like: I would like the script not to be loaded at all.

[Kirshi912]

yes, the anti-blocking also works for that site (EDIT: without active cosmetic filtering)

Sorry but i don't really get for the extra note, what is active cosmetic filtering? Is it "filter list"? I don't find any filter that really works without triggering anti ad block.

[uazo]

Sorry but i don't really get for the extra note, what is active cosmetic filtering?

is that process by which html elements identified as ads are hidden from view: adblocks in fact use css selectors to inform the browser that certain elements are to be hidden.
hiding an object means not including it in the page layout, i.e. excluding it from any calculation of its dimensions, its own and those of its parent and sibling objects.
Unfortunately, there is no way to hide the application of that method from javascript except... by not applying it!

I don't find any filter that really works without triggering anti ad block.

Now I am quite certain, there is no specific way to block anti-adblocks, not least because the simplest method is also the most efficient one.

I try to explain it:

• adblock informs you that block 1. is to be hidden, so the browser removes it from the layout and its size assumes (0,0).
• the script then asks for the size of block 2 (which is not, in any way, worked on by adblock), the browser however says it is (0,0)
• if (2) block size is zero then adblock is active!
  

and can be applied to any element, considering that the developer knows what his page should look like.
therefore, cosmetic filtering contributes to adblock detection: the objective is to inhibit the execution of the detection script, but unfortunately the adblock commands have nothing predisposed, because there is no browser that gives them this potential.

[uazo]

the adblock commands have nothing predisposed, because there is no browser that gives them this potential.

I have expressed myself incorrectly.
Adblocks can block the loading of the entire script, not the loading of individual functions.

And in any case, blocking the entire script presupposes that the developer knows that the blocking has occurred, because the browser is on the side of the developer and not the user.
My goal is to not let the developer know that the blocking has occurred and to automatically inhibit the execution of scripts that contribute to the warning.
but to be really efficient, the arsenal of commands available for adblock lists would have to be increased.

[jakariyaa]

I don't know how much helpful adding this would be, But I've seen the Brave Browser on Android doing it with accuracy. They somehow manage to block 90% of anti adblockers. Don't know how they're doing it. (Used that browser for 2 years almost after Bromite)

Linking Source codes:

Brave Browser:
https://github.com/brave/brave-browser

Brave's Adblock Engine:
https://github.com/brave/adblock-rust

[uazo]

They somehow manage to block 90% of anti adblockers.

I don't know the functionality of brave's adblock, I'll have to look into it. from what I had seen, it has more support for ublock rules than adblock plus, but I hadn't seen abysmal differences. this also needs to be investigated further
Theoretically, adblock plus would have all the credentials to block anti-adblockers as well, but the appropriate rules are lacking.

the first step here is lack of cname support.

[jakariyaa]

Another thing I might add for info, recently I've started seeing frequent ads on YouTube despite the Adblocker (both new and old) being enabled. No sure if it is also related to how Adblock Plus handles ad versus uBlock Origin

[Xisrr1]

They somehow manage to block 90% of anti adblockers.

I don't know the functionality of brave's adblock, I'll have to look into it. from what I had seen, it has more support for ublock rules than adblock plus, but I hadn't seen abysmal differences. this also needs to be investigated further
Theoretically, adblock plus would have all the credentials to block anti-adblockers as well, but the appropriate rules are lacking.

the first step here is lack of cname support.

Why not just replace ABP with uBlock?

[uazo]

Why not just replace ABP with uBlock?

it's probably not clear, but what I'm aiming for here is rather to hide the adblock, whatever it is, without having to make changes to the csp or proxy on javascript calls as is normally done.
because the former is dangerous, the latter is easily traceable.

That is, I try to explain what I intend to do, if a js code provides for something like this:

function a() {
  try {
     fetch(<some url blocked>);
  }
  catch {
     blocked, ah there is an adblock!
  }
}

what I would like to do is to block the catch and deny the call to a() from then on, directly from the v8 virtual machine and therefore more difficult to track. the best still would be to annotate the variables and the scope of the runtime itself with specific signals, but I have not yet figured out how to do that, I still cannot read the v8 code properly.
the best then would be to keep a history of it and perhaps share it, so that other users would immediately block the call to a(),
but it is not simple.

what I have already written (but not published yet) works, but not always, especially if the javascript code is mixed with code that the site needs to work.

[Xisrr1]

Why not just replace ABP with uBlock?

it's probably not clear, but what I'm aiming for here is rather to hide the adblock, whatever it is, without having to make changes to the csp or proxy on javascript calls as is normally done.
because the former is dangerous, the latter is easily traceable.

That is, I try to explain what I intend to do, if a js code provides for something like this:

function a() {
  try {
     fetch(<some url blocked>);
  }
  catch {
     blocked, ah there is an adblock!
  }
}

what I would like to do is to block the catch and deny the call to a() from then on, directly from the v8 virtual machine and therefore more difficult to track. the best still would be to annotate the variables and the scope of the runtime itself with specific signals, but I have not yet figured out how to do that, I still cannot read the v8 code properly.
the best then would be to keep a history of it and perhaps share it, so that other users would immediately block the call to a(),
but it is not simple.

what I have already written (but not published yet) works, but not always, especially if the javascript code is mixed with code that the site needs to work.

I haven't really understood what you said. So basically you want to fix the websites detecting the AdBlock? That's why I have to use a different browser for now - APK mirror and some websites make me wait.

And can't you just copy some of the code of another open source chromium browser, brave for example? Maybe you're trying too hard.

[uazo]

So basically you want to fix the websites detecting the AdBlock?

yes, that's the idea. but for now it only works with trivial anti-adblocks (most of those I have seen) and maybe it will only work with those.
for me it is an opportunity to understand how v8 works.

And can't you just copy some of the code of another open source chromium browser, brave for example?

well, it's not that I don't look at what others do, and that I try not to copy if I can.

Maybe you're trying too hard.

that's the beauty of it. playing with chromium is a way of learning.

[Xisrr1]

So basically you want to fix the websites detecting the AdBlock?

yes, that's the idea. but for now it only works with trivial anti-adblocks (most of those I have seen) and maybe it will only work with those.
for me it is an opportunity to understand how v8 works.

And can't you just copy some of the code of another open source chromium browser, brave for example?

well, it's not that I don't look at what others do, and that I try not to copy if I can.

Maybe you're trying too hard.

that's the beauty of it. playing with chromium is a way of learning.

I've managed to block the anti-adblockers by manually adding all uBlock filters to ABP. It took some time though.

[uazo]

I've managed to block the anti-adblockers by manually adding all uBlock filters to ABP

interesting, I'd like to see what you used and what gets blocked.

[drogga]

@Xisrr1
Maybe you can help others by listing their titles and links for others to Copy>Paste and save them some time...
(PS: Try if you can DL from a2zapk, because I somehow doubt that it will let you and not detect that you have a ad blocker, I don't mean the other butttons for hosts available there, but from their own server)

[Xisrr1]

@Xisrr1
Maybe you can help others by listing their titles and links for others to Copy>Paste and save them some time...
(PS: Try if you can DL from a2zapk, because I somehow doubt that it will let you and not detect that you have a ad blocker, I don't mean the other butttons for hosts available there, but from their own server)

I will. I'll create a new discussion soon.

[drogga]

I guess you can use the one already created by you recently, or 1 of the other related ones, but a new one is OK as well.

[Xisrr1]

Interesting, I'd like to see what you used and what gets blocked.

uBlock filters: I've copied every single filter from https://github.com/uBlockOrigin/uAssets/tree/master/filters by opening it in view mode, copying the web page link, and adding it to Cromite.

AdGuard- Mobile ads: https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_11_Mobile/filter.txt

Online Malicious URL Blocklist: https://malware-filter.gitlab.io/malware-filter/urlhaus-filter.txt

Peter Lowe’s Ad and tracking server list: I couldn't find the .txt link :(

Lastly, Easy list, and Easy privacy from Cromite.

All these are the default filters that come with uBlock origin and that I use with Cromite now.

Note 1: It is not perfect! I have noticed on one website (devuploads), it shows one banner ad, but that's not too bad.

Note 2: Adding the base AdGuard filter will block ads better but the website will be able to recognize the AdBlock.

Note 3: Even though I've added all uBlock origin filters to Cromite, it will still score less in AdBlock test websites, though a uBlock dev told me these aren't accurate anyway.

Should I post in a discussion all the filter links?

[Xisrr1]

@Xisrr1
Maybe you can help others by listing their titles and links for others to Copy>Paste and save them some time...
(PS: Try if you can DL from a2zapk, because I somehow doubt that it will let you and not detect that you have a ad blocker, I don't mean the other butttons for hosts available there, but from their own server)

This website does detect the adblocker. Maybe post it on the uBlock subreddit.

[drogga]

"Should I post in a discussion all the filter links?"
-> Given that it still gets detected and is still ineffective (uBO is as well for some pages, some on purpose, some not, that with all the filters enabled, except the country/region ones I'm not interested in and not related to the affected pages), I think it's unnecessary.

"This website does detect the adblocker. Maybe post it on the uBlock subreddit."
-> Just as I suspected. Reporting it is unnecessary, because uBO is able to bypass the check for now.

[Xisrr1]

"Should I post in a discussion all the filter links?"
-> Given that it still gets deleted and is still ineffective (uBO is as well for some pages, some on purpose, some not, that will all the filters enabled, except the country/region ones I'm not interested in and not relatedb to the affected pages), I think it's unnecessary.

"This website does detect the adblocker. Maybe post it on the uBlock subreddit."
-> Just as I suspected. Reporting it is unnecessary, because uBO is able to bypass the check for now.

Can you give me more websites to test?

[drogga]

As of now > Nothing specific that comes to mind, especially since I mostly use Kiwi, even tho Lemur supports extensions even better and even Edge now, but I don't like their UI at all, but you can probably test with host that are provided as DL methods for apps in msm (I'm not sure I should mention the full site name here).

I fear that we are getting a bit off-topic here and those are better suited for other issue tickets, if I'm correct, I would ask uazo to not delete or hide my comments, but tell me if they are not OK being here, so I can delete them myself. Thanks in advance.

[uazo]

I have seen that the brave code has a kind of ‘pagegraph’, which records all changes made to the page.
it would be interesting to understand how it works and whether it is a brave or a chromium feature.