Ublock: Request to google-analytics.com is made, even if there is a block rule

Created on 14 Dec 2017  路  5Comments  路  Source: gorhill/uBlock

Describe the issue

I have a block rule on google analytics as seen here:
image

the log shows that the request was blocked (as it should be), but looking in the ff developer tools network console, it looks like the request went to googles servers anyway:
image

I read this and it says that requests should be blocked, so I looked at the proxy logs, and saw that the request traversed the proxy. So the request was definitely not blocked.

One or more specific URLs where the issue occurs

https://addons.mozilla.org/en-GB/firefox/search/?featured=true&type=extension

Steps for anyone to reproduce the issue

  1. go to https://addons.mozilla.org/en-GB/firefox/search/?featured=true&type=extension
  2. open the ublock origin logger on the page
  3. open wireshark/tcpdump and start a network trace
  4. refresh https://addons.mozilla.org/en-GB/firefox/search/?featured=true&type=extension
  5. look at the logger and confirm that the request to google-analytics is red - blocked
  6. look at the tcpdump/wireshark dump and observe that a request to a google ip was made

Your settings

add a block rule for
||google-analytics.com^

  • OS/version: windows 7 64bit
  • Browser/version: ff 57.0.2
  • uBlock Origin version: 1.14.20
browser bug
Source
picture S2-

Most helpful comment

For FF57+ you can set privacy.resistFingerprinting.block_mozAddonManager-> true. Now AMO is no longer privileged. All this does is ignore three domains ( and seven other developer ones if another pref if flipped). See here . Ticket for reference is 1384330 - this has been built specifically for TBB.

Now, there was some talk about AMO now being open to script injection (you would need a malicious extension already installed) via service workers, which could possibly allow silent installations (of extensions). IDK about that .. and Mozilla thought nothing of it - see 1406795

To mitigate against this you can always just remove the special permissions - for reference type resource://app/defaults/permissions into your urlbar

user_pref("permissions.manager.defaultsUrl", "");

Additionally, google analytics are used on the get more addons panel - to get around this, blank the url that is looked up, and for good measure, hide the panel

user_pref("extensions.getAddons.showPane", false); // hidden pref
user_pref("extensions.webservice.discoverURL", "");

You can also choose not to use the system extension "Activity Stream" which is the whole revamped new tab thing - that too is privileged and no doubt uses analytics

user_pref("browser.newtabpage.activity-stream.enabled", false);
user_pref("browser.library.activity-stream.enabled", false); // (FF57+)
picture Thorin-Oakenpants on 14 Dec 2017
👍5

All 5 comments

Pages from addons.mozilla.org are privileged, WebExtensions extensions are not allowed to interfere on privileged pages.

gorhill picture gorhill on 14 Dec 2017

Oh I did not know that. So mozilla can effectively disable adblock on their pages. Good to know, thanks and sorry for the spam.
Do you happen to know if this is this documented somewhere?

S2- picture S2- on 14 Dec 2017

This has been talked a lot. I can't quickly find an official documentation for now from MDN.

https://www.reddit.com/r/firefox/comments/74i3nt/why_are_connections_to_googlecom_and_gstaticcom/

gorhill picture gorhill on 14 Dec 2017

For FF57+ you can set privacy.resistFingerprinting.block_mozAddonManager-> true. Now AMO is no longer privileged. All this does is ignore three domains ( and seven other developer ones if another pref if flipped). See here . Ticket for reference is 1384330 - this has been built specifically for TBB.

Now, there was some talk about AMO now being open to script injection (you would need a malicious extension already installed) via service workers, which could possibly allow silent installations (of extensions). IDK about that .. and Mozilla thought nothing of it - see 1406795

To mitigate against this you can always just remove the special permissions - for reference type resource://app/defaults/permissions into your urlbar

user_pref("permissions.manager.defaultsUrl", "");

Additionally, google analytics are used on the get more addons panel - to get around this, blank the url that is looked up, and for good measure, hide the panel

user_pref("extensions.getAddons.showPane", false); // hidden pref
user_pref("extensions.webservice.discoverURL", "");

You can also choose not to use the system extension "Activity Stream" which is the whole revamped new tab thing - that too is privileged and no doubt uses analytics

user_pref("browser.newtabpage.activity-stream.enabled", false);
user_pref("browser.library.activity-stream.enabled", false); // (FF57+)
Thorin-Oakenpants picture Thorin-Oakenpants on 14 Dec 2017
👍5

Thank you @Thorin-Oakenpants !

S2- picture S2- on 14 Dec 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

rvandermeulen picture rvandermeulen  路  4Comments
Phlipout picture Phlipout  路  3Comments
FuglyLookingGuy picture FuglyLookingGuy  路  3Comments
KonoromiHimaries picture KonoromiHimaries  路  3Comments
Gitoffthelawn picture Gitoffthelawn  路  3Comments