Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chromium First Load Complete Security Bypass #1239

Closed
8 tasks
CyberpunkIsBae opened this issue Sep 10, 2020 · 1 comment
Closed
8 tasks

Chromium First Load Complete Security Bypass #1239

CyberpunkIsBae opened this issue Sep 10, 2020 · 1 comment
Labels
duplicate This issue or pull request already exists

Comments

@CyberpunkIsBae
Copy link

CyberpunkIsBae commented Sep 10, 2020
edited by uBlock-user
Loading

Prerequisites

  • I verified that this is not a filter issue
  • This is not a support issue or a question
  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue
    • Your issue may already be reported.
  • I tried to reproduce the issue when...
    • uBlock Origin is the only extension
    • uBlock Origin with default lists/settings
    • using a new, unmodified browser profile
  • I am running the latest version of uBlock Origin
  • I checked the documentation to understand that the issue I report is not a normal behavior

Description

On Linux uBlock Origin fails to protect the Chromium browser whatsoever from malicious scripts or other page threats on first load while opening a page (in this case, my homepage). You probably have a race condition, but this is the most severe kind of bug a security plugin can have (that it simply fails to work in a specific case). Please fix this. I can imagine a scenario where someone had a bad tab open (blocked) and then the power goes out and the session restores and boom uBlock was trusted and failed to protect.

A specific URL where the issue occurs

Why did you make this section mandatory if it happens on any page? Pedantic much? I'm doing you a favor - but ok, use www.yahoo.com or whatever

Steps to Reproduce

  1. Shut down Chromium
  2. Launch Chromium with a page that clearly displays differently with javascript off, in this case, I had it as my homepage (yahoo.com)
  3. Observe that javascript is not blocked
  4. Refresh the page
  5. Ruh roh raggy

Expected behavior:

I expect you to test your code.

Actual behavior:

You didn't.

Your environment

  • uBlock Origin version: Newest
  • Browser Name and version: Chromium newest
  • Operating System and version: Linux
@uBlock-user
Copy link
Contributor

Duplicate of gorhill/uBlock#1327

https://github.com/gorhill/uBlock/wiki/Advanced-settings#suspendtabsuntilready-experimental

@uBlock-user uBlock-user added the duplicate This issue or pull request already exists label Sep 10, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate This issue or pull request already exists
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@uBlock-user @CyberpunkIsBae