Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Anti-redirect scriptlet for vk.com (href-sanitizer) #2531

Closed
5 tasks done
dimisa-RUAdList opened this issue Mar 8, 2023 · 65 comments
Closed
5 tasks done

Anti-redirect scriptlet for vk.com (href-sanitizer) #2531

dimisa-RUAdList opened this issue Mar 8, 2023 · 65 comments
Labels
enhancement New feature or request fixed issue has been addressed

Comments

@dimisa-RUAdList
Copy link

Prerequisites

  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
  • The issue is not present after disabling uBO in the browser.
  • I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

  • uBO is the only extension.
  • using a new, unmodified browser profile.

Description

The site vk.com is one of the most visited Russian sites. All external links on this site are done through a redirect.

There is an idea to create a scriptlet with a name like "anti-redirect" based on this script: https://greasyfork.org/en/scripts/395977-vk-com-del-redir/code

A specific URL where the issue occurs.

https://vk.com/amedia.online

Steps to Reproduce

undefined

Expected behavior

undefined

Actual behavior

undefined

Configuration

uBlock Origin development build 1.47.5b2

@gorhill
Copy link
Member

gorhill commented Mar 8, 2023

Your request is the equivalent of asking uBO to deal with redirect link, something which I have declined in the past, see #1784.

Clear URLs is the right tool for this.

@dimisa-RUAdList
Copy link
Author

The thing is, ClearURLs doesn't solve the problem on this site. The transition is still done via vk.com/away.php.

@gorhill
Copy link
Member

gorhill commented Mar 8, 2023

If it doesn't work with ClearURLs then maybe it's best to report the issue on their repo?

@dimisa-RUAdList
Copy link
Author

Thanks, but I thought it might be possible to solve this problem with uBO. At the moment, almost all such tasks on Russian sites are solved by the Counters filter. However, the current features of uBO do not allow me to do the same for vk.com. Maybe you still look at the script code?

@gorhill
Copy link
Member

gorhill commented Mar 8, 2023

I prefer to decline, as explained in these similar requests:

Adding a scriptlet for this one particular case, beside that vk.com could change at any time (further adding burden here), it opens the door for all such requests in the future. This is best left to a dedicated extension, or even more simply, just a matter of using a user script extension.

@gorhill gorhill closed this as completed Mar 8, 2023
@gorhill gorhill added the duplicate This issue or pull request already exists label Mar 8, 2023
@MasterKia
Copy link
Member

@dimisa-RUAdList What about using that userscript in the userResourcesLocation of uBO? It needs a bit of modification.
Then you can use a filter like vk.com##+js(anti-redirect) in your Counters list.

@dimisa-RUAdList
Copy link
Author

@MasterKia
Thank you, I have not yet given up hope of creating a solution using the default tools of uBO.

@gorhill
I carefully reviewed all the rejected cases, including my own.

I think it is possible to create a solution that will be adequate and useful for many cases, although not for all.

I propose to create a scriptlet to modify the value of the href attribute. Its only function will be to replace the original href value with its text value.

Universal. No complicated and risky redirects, no additions, absolutely transparent, using only what already exists in the original layout.

Example: https://vk.com/amedia.online

Screenshot(s)

vkhref

Target: href="/away.php?to=https%3A%2F%2Famedia.online%2F&cc_key=" ~> https://amedia.online/

Solution: vk.com##+js(href-to-text, [href^="/away.php?to="])

@MasterKia
Copy link
Member

MasterKia commented Mar 9, 2023

I propose to create a scriptlet to modify the value of the href attribute. Its only function will be to replace the original href value with its text value.

Sounds similar to #2347.

@uBlock-user
Copy link
Contributor

uBO has a built-in url sanitiser deployed when the document request is blocked. So add ||vk.com/away.php^$doc and uBO will sanitise the URL and offer a clean URL on the document blocked page for the users to navigate directly.

@dimisa-RUAdList
Copy link
Author

@uBlock-user
Thank you, but no. If I add such a rule to the filters, it will only be a terrible irritant. This is not a solution. This is some kind of sophisticated way to motivate users to remove uBO.

For now, I'd rather wait for a response from Gorhill.

@uBlock-user
Copy link
Contributor

uBlock-user commented Mar 9, 2023

This is some kind of sophisticated way to motivate users to remove uBO.

^^^ If that's how you feel about it, but Strict Blocking as a feature has been present in uBO for years and nobody removes uBO because of it, just so you know.

@dimisa-RUAdList
Copy link
Author

@uBlock-user
Thanks for the clarification, but I'm aware of how Strict Blocking works.

However, its infrequent triggers are not at all the same as a constant trigger on every external transition on one of the most visited Russian sites.

Do not be offended, but I have no purpose to continue the discussion of the solution you proposed. I'm just waiting for a response from Gorhill.

gorhill added a commit to gorhill/uBlock that referenced this issue Mar 9, 2023
Related issue:
- uBlockOrigin/uBlock-issues#2531

Usage:

    example.com##+js(href-from-text, a[href^="/tracker-link?to="]

The above scriptlet will find all elements matching the selector
passed as 1st argument, and replace the `href` attribute with the
text content of the element, if all the following conditions are
met:

- The element is a link (`a`) element
- The link element has an existing `href` attribute
- The text content of the element is a valid `https`-based URL
@gorhill
Copy link
Member

gorhill commented Mar 9, 2023

I added a href-from-text scriptlet as suggested. I did not need much convincing for this idea because I went through the same idea earlier this week with the t.co debacle -- where I envisioned that it would have been nice if uBO replaced the t.co link with the text shown to user which is the actual URL -- in which case users of uBO would have been unaffected by the debacle.

Having more than one use case for such scriptlet, especially both from high traffic sites, is enough from me to want to try this -- let's just consider it experimental at this point in case there are serious issues with using such scriptlets identified later.

So for your use case, this filter works:

vk.com##+js(href-from-text, a[href^="/away.php?to="])

For Twitter, this works:

twitter.com##+js(href-from-text, a[href^="https://t.co/"])

dimisa-RUAdList pushed a commit to easylist/ruadlist that referenced this issue Mar 9, 2023
@MasterKia
Copy link
Member

MasterKia commented Mar 9, 2023

To fix YouTube tracking user clicks of the video description links, I tried:

youtube.com##+js(href-from-text, a[href^="https://www.youtube.com/redirect?"])

It works; but when I click on the description link, YouTube opens the previous link with the help of a click event listener.

Example:
https://www.youtube.com/watch?v=pAZWv8QQ8Co


Added to wiki: https://github.com/uBlockOrigin/uBlock-issues/wiki/Resources-Library#href-from-textjs-

@gorhill
Copy link
Member

gorhill commented Mar 9, 2023

That case is Youtube warning that you are leaving the site, so it's not done silently, and because of this I would rather that we do not bypass these warnings.

@MasterKia
Copy link
Member

MasterKia commented Mar 9, 2023

@gorhill That warning only appears if the tracking parameters are removed, something which the AdGuard URL Tracking list declined to address.

So if you visit:
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbG5ERk9rZVkwbzZFV1ZqekFrMEpYVVlzZFNyQXxBQ3Jtc0tucjFxYS1zT3cyczlVWWVzTW5qV1ZmaHFZaHFiLUpFUlpQSV8zNS0yaVdKczRXdlc0Nl82OU9VUlN1bjFvNDl6SElKQk9TdDBDT25ITVRhTnpzcy1JZ3lYVDdKWVBYcGhRSWpWblMtWkM3aXFoSUtIUQ&q=https%3A%2F%2Fwww.paypal.me%2Fpaysyfr&v=pAZWv8QQ8Co

It will silently redirect you to https://www.paypal.me/paysyfr and also tracks your click, no warning is given.

But if you add these to remove the tracking parameters:

||youtube.com/redirect?$removeparam=event
||youtube.com/redirect?$removeparam=redir_token
||youtube.com/redirect?$removeparam=v

Then it will give you a warning when you visit the link.

Anyway, I don't think it's something that can be addressed easily (other than messing with that click event listener?).

@gorhill
Copy link
Member

gorhill commented Mar 9, 2023

Oh ok, I didn't realize this. Not sure if the issue with the event handler can be fixed, this will need some research.

@gwarser gwarser added enhancement New feature or request and removed duplicate This issue or pull request already exists labels Mar 9, 2023
@dimisa-RUAdList
Copy link
Author

@gorhill
I have found that in some cases, the link given in the text is shortened, and then the rule creates an invalid link.

The full link is contained in the title attribute.

Example: https://vk.com/amedia.online

Screenshot(s)

hreffromtext

It looks like the scriptlet should be more flexible to be able to specify where exactly the link should come from.

Then the rules will be something like this:
vk.com##+js(href-from-text, a[href^="/away.php?to="]:not([title]), text)
vk.com##+js(href-from-text, a[href^="/away.php?to="][title], [title])

gorhill added a commit to gorhill/uBlock that referenced this issue Mar 9, 2023
Related issue:
- uBlockOrigin/uBlock-issues#2531 (comment)

Usage:
- example.com##+js(href-sanitizer, a[href^="/go?to="]:not([title]))
- example.com##+js(href-sanitizer, a[href^="/go?to="][title], [title])

The second argument is the attribute from which to extract the text
to be used for the `href` attribute of the link. If the second
attribute is absent, the text content of the element will be used.
@gorhill
Copy link
Member

gorhill commented Mar 9, 2023

Change in next dev build, however I renamed href-from-text to href-sanitizer. You can leave out the second argument to extract from text content (default).

dimisa-RUAdList pushed a commit to easylist/ruadlist that referenced this issue Mar 9, 2023
@dimisa-RUAdList
Copy link
Author

@gorhill
Yes, everything is great now! The vast majority of links have become direct.

@dimisa-RUAdList
Copy link
Author

@gorhill
Sometimes a direct link is contained in an attribute on a child element.

Example: https://vk.com/vokrugsveta_vk

Screenshot(s)

hreffromtext_child

Requires the ability to point to it: vk.com##+js(href-sanitizer, a[class="media_link__media"][href^="/away.php?to="], a[class="media_link__media"] > [data-link-url])

iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this issue Mar 9, 2023
@gorhill
Copy link
Member

gorhill commented Jun 6, 2023

Just because is missing https:// ?

Yes that's the issue (if you use ?link extra parameter). There is not way for the scriptlet to figure out whether what follows ?link= is a relative or absolute URL. To handle such case we would need a trusted scriptlet with more power.

@dimisa-RUAdList
Copy link
Author

How to remove such a redirect? ~> https://yap.ru/forum2/topic2625123.html

Screenshot(s)

Yap

@uBlock-user
Copy link
Contributor

How to remove such a redirect? ~> https://yap.ru/forum2/topic2625123.html

There's no query param to extract url from. Need to modify the scriptlet to handle such cases.

@MasterKia MasterKia changed the title Anti-redirect scriptlet for vk.com Anti-redirect scriptlet for vk.com (href-sanitizer) Oct 5, 2023
@Yuki2718
Copy link

Yuki2718 commented Jan 26, 2024

Is it possible to add an argument to reverse the current behavior for ? and also support # i.e. instead of using text after ?, cut down text after specific symbol and use the rest of href? This will solve DandelionSprout/adfilt#163 (reply in thread) where links in "More from WIRED" are like https://www.wired.com/story/tech-layoffs-2024-amazon-google-discord-twitch/#intcid=_wired-bottom-recirc-version3_dd2b801a-5abd-47bf-b8d8-f12a1b71d254_roberta-similarity1. Or does it require totally differnt solution other than uritransform? I think uritransform is overkill for this.

@stephenhawk8054
Copy link
Member

About twitter t.co redirect, can anyone test if this filter works?

twitter.com,~platform.twitter.com##+js(trusted-replace-xhr-response, '/,"expanded_url":"([^"]+)","url":"[^"]+"/g', ',"expanded_url":"$1","url":"$1"', /api/graphql)

@Yuki2718
Copy link

Yuki2718 commented Apr 8, 2024

It's working.

@stephenhawk8054
Copy link
Member

Ok, I'll test it with dev build first

stephenhawk8054 added a commit to uBlockOrigin/uAssets that referenced this issue Apr 11, 2024
@D4niloMR
Copy link

On my end the matching url is https://api.twitter.com/graphql/7xflPyRiUxGVbJd4uWmbfg/TweetResultByRestId?variables=[...]

Screenshot

image

stephenhawk8054 added a commit to uBlockOrigin/uAssets that referenced this issue Apr 22, 2024
also move to testing on Firefox
@Yuki2718
Copy link

The rule stopped working.

@stephenhawk8054
Copy link
Member

@Yuki2718 Currently I'm testing on just Firefox. Can you check again?

@Yuki2718
Copy link

Yuki2718 commented Apr 29, 2024

I was wrong, the rule is still working for usual links. It doesn't work only for card links with images like the one in https://twitter.com/imabarizine/status/1784740979209355751.

@stephenhawk8054
Copy link
Member

Yeah, the card is quite hard, I don't know how to address it

stephenhawk8054 added a commit to uBlockOrigin/uAssets that referenced this issue May 14, 2024
@stephenhawk8054
Copy link
Member

Hmm... From this link: https://help.twitter.com/en/using-x/url-shortener , looks like t.co is also used to check malicious domains, so not sure if we should address this issue or not.

What do you guys think? Or maybe we can move it to annoyance list?

@Yuki2718
Copy link

Yeah, maybe safer to move to annoyance.

@gwarser
Copy link

gwarser commented May 16, 2024

Ordinary links cannot be checked for malware?

@stephenhawk8054
Copy link
Member

stephenhawk8054 commented May 16, 2024

Ordinary links cannot be checked for malware?

Hmm... By which method?

@gwarser
Copy link

gwarser commented May 17, 2024

I think this is just Twitter's excuse to track clicks.

@Yuki2718
Copy link

Yeah, I haven't ever warned when clicking bad links for badware. But who knows.

@Yuki2718
Copy link

Yuki2718 commented Jun 1, 2024

Found an example Twitter/X warns if via t.co: https://x.com/2cheromatome/status/1508499176874815492 Not actually a dangerous link though. I'll move the rule to Annoyances.

Yuki2718 added a commit to uBlockOrigin/uAssets that referenced this issue Jun 1, 2024
@Yuki2718
Copy link

Yuki2718 commented Sep 24, 2024

Links in threads.net on mobile redirect to l.threads.net when you loaded any pages, but it'll be self-fixed to actual links if you wait a minute so not sure if this should be addressed.

@stephenhawk8054
Copy link
Member

I think it's fine to address

@stephenhawk8054
Copy link
Member

A report regarding to Brave's debounce feature that's related to facebook's redirect URL l.facebook.com/l.php?u=: https://hackerone.com/reports/1579374

Should we still address twitter's and facebook's redirect URLs in annoyance list?

@gorhill
Copy link
Member

gorhill commented Oct 21, 2024

server gets the request it check whether the redirect_site is in the list of there malicious(linkshim) list or not

If the URL of a clickable link is malware, why is Facebook allowing these links to be embedded on their site in the first place?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request fixed issue has been addressed
Projects
None yet
Development

No branches or pull requests