What makes you think uBlock is safe without checking relevant code sections?
Im too scared to trust it works out fine in the end to use it, been raised on the idea that interacting with an ad in any way other than task managering the pop up is dangerous. Wheres the part of the code that makes it safe and a write up of how it functions, otherwise im fine just blocking ads with regular ublock.
doodledup@lemmy.world 1 month ago
techt@lemmy.world 5 weeks ago
Here you go, from the repo:
function timeoutError(xhr) { return onVisitError.call(xhr, { type: 'timeout' }); } const url = ad && ad.targetUrl, now = markActivity(); // tell menu/vault we have a new attempt broadcast({ what: 'adAttempt', ad: ad }); if (xhr) { if (xhr.delegate.attemptedTs) { const elapsed = (now - xhr.delegate.attemptedTs); // TODO: why does this happen... a redirect? warn('[TRYING] Attempt to reuse xhr from ' + elapsed + " ms ago"); if (elapsed > visitTimeout) timeoutError(); } else { warn('[TRYING] Attempt to reuse xhr with no attemptedTs!!', xhr); } } ad.attempts++; ad.attemptedTs = now; if (!validateTarget(ad)) return deleteAd(ad); return sendXhr(ad); // return openAdInNewTab(ad); // return popUnderAd(ad) }; const sendXhr = function (ad) { // if we've parsed an obfuscated target, use it const target = ad.parsedTargetUrl || ad.targetUrl; log('[TRYING] ' + adinfo(ad), ad.targetUrl); xhr = new XMLHttpRequest(); try { xhr.open('get', target, true); xhr.withCredentials = true; xhr.delegate = ad; xhr.timeout = visitTimeout; xhr.onload = onVisitResponse; xhr.onerror = onVisitError; xhr.ontimeout = onVisitError; xhr.responseType = ''; // 'document'?; xhr.send(); } catch (e) { onVisitError.call(xhr, e); } } const onVisitResponse = function () { this.onload = this.onerror = this.ontimeout = null; markActivity(); const ad = this.delegate; if (!ad) { return err('Request received without Ad: ' + this.responseURL); } if (!ad.id) { return warn("Visit response from deleted ad! ", ad); } ad.attemptedTs = 0; // reset as visit no longer in progress const status = this.status || 200, html = this.responseText; if (failAllVisits || status < 200 || status >= 300) { return onVisitError.call(this, { status: status, responseText: html }); } try { if (!isFacebookExternal(this, ad)) { updateAdOnSuccess(this, ad, parseTitle(this)); } } catch (e) { warn(e.message); } xhr = null; // end the visit };
That’s pretty much it! Let me know if it doesn’t make sense, I can annotate it
lime@feddit.nu 1 month ago
the part that’s safe is in the browser. it’s a basic fact of how http requests work that you can just request data and then not read it.
also, “task managering the popups”? unless i’ve missed some very weird development that has literally never worked, because popup windows are part of the parent process.
medgremlin@midwest.social 1 month ago
Back on Windows 98 through XP, each individual window was a process that could be killed in Task Manager, and popups opened in a new window.
lime@feddit.nu 1 month ago
really? sounds like a weird span of systems considering they share so little code. i’d like to read on how they did that.