Host SWF block list on Shavar service

RESOLVED FIXED

Status

Core
Plug-ins
2 years ago
a year ago

People

(Reporter: cpeterson, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

2 years ago
We need to import our SWF blocklist into Shavar and publish to Firefox users.

Here is an example of the URL pattern list that we imported into Shavar for Shumway's SWF whitelist:

https://github.com/mozilla/shumway-whitelist
Do you have an example of actual entries that will be part of this list? I'd like to see what they look like (e.g. domains v. full URL of the SWFs).
(Reporter)

Comment 2

2 years ago
Tobias is building a list now. We will probably block by SWF filename or URL suffix, not by domain or full URL, because the same SWFs are hosted on different CDNs and sites. For example:

http://edgecast.cam4s.com/web/FontList.swf
http://nitroflare.com/../plugins/RandHashFlash/compiled/FontList.swf
https://www.emarsys.net/js/vendor/fingerprintjs2/FontList.swf
(In reply to Chris Peterson [:cpeterson] from comment #2)
> Tobias is building a list now. We will probably block by SWF filename or URL
> suffix, not by domain or full URL, because the same SWFs are hosted on
> different CDNs and sites.

URL suffixes or bare filenames cannot be expressed in the Safe Browsing format unfortunately.

> http://edgecast.cam4s.com/web/FontList.swf
> https://www.emarsys.net/js/vendor/fingerprintjs2/FontList.swf

These ones work since they are full URLs.

> http://nitroflare.com/../plugins/RandHashFlash/compiled/FontList.swf

What does the ".." mean here? The actual ".." directory (works fine in SB) or it's a placeholder for any directory (doesn't work in SB)?
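
The limitation raised in comment 3, as an added example that is not part of the bug thread or of Mozilla's code: a sketch of the host-suffix/path-prefix lookup from the public Safe Browsing documentation, showing why a full-URL entry matches and a bare filename never can. It assumes digest256 entries are SHA-256 hashes of a "host/path" expression and skips canonicalization (including ".." handling); the function names and the `cdn.example.com` URL are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

def lookup_expressions(url):
    """Host-suffix/path-prefix expressions checked for one URL (scheme dropped)."""
    parts = urlsplit(url)
    host = parts.hostname.lower()      # assumes a DNS name, not an IP literal
    path = parts.path or "/"
    labels = host.split(".")
    # Exact host, then up to four suffixes cut from the last five labels,
    # stopping before the bare top-level domain.
    hosts = [host]
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        hosts.append(".".join(labels[i:]))
    # Exact path with and without query, then "/" plus up to three directories.
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    prefix = "/"
    prefixes = [prefix]
    for directory in path.split("/")[1:-1][:3]:
        prefix += directory + "/"
        prefixes.append(prefix)
    paths += [p for p in prefixes if p not in paths]
    return [h + p for h in hosts for p in paths]

def digest256(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()

def is_blocked(url, digests):
    return any(digest256(e) in digests for e in lookup_expressions(url))

# Entries built from two full URLs quoted in the thread.
FULL_URL_LIST = {
    digest256("edgecast.cam4s.com/web/FontList.swf"),
    digest256("www.emarsys.net/js/vendor/fingerprintjs2/FontList.swf"),
}
# A bare filename can be hashed, but no lookup expression ever equals it.
BARE_NAME_LIST = {digest256("FontList.swf")}
# Constructed URL: the same filename on a host that has no entry.
OTHER_HOST = "https://cdn.example.com/assets/FontList.swf"

if __name__ == "__main__":
    listed = "https://www.emarsys.net/js/vendor/fingerprintjs2/FontList.swf"
    for expr in lookup_expressions(listed):
        print(expr)
    print(is_blocked(listed, FULL_URL_LIST))
    print(is_blocked(OTHER_HOST, FULL_URL_LIST))
    print(is_blocked(listed, BARE_NAME_LIST))
```

Every expression starts with a host name, so each hosting location of the same SWF needs its own list entry.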
(Reporter)

Comment 4

2 years ago
(In reply to François Marier [:francois] from comment #3)
> (In reply to Chris Peterson [:cpeterson] from comment #2)
> > Tobias is building a list now. We will probably block by SWF filename or URL
> > suffix, not by domain or full URL, because the same SWFs are hosted on
> > different CDNs and sites.
> 
> URL suffixes or bare filenames cannot be expressed in the Safe Browsing
> format unfortunately.

That's unfortunate, but not a big problem.

> > http://nitroflare.com/../plugins/RandHashFlash/compiled/FontList.swf
> 
> What does the ".." mean here? The actual ".." directory (works fine in SB)
> or it's a placeholder for any directory (doesn't work in SB)?

That is the literal URL with the ".." directory.
This is available in production:

$ ./get-lists.py 
mozfull-track-digest256
mozfullstaging-track-digest256
mozplugin-block-digest256
mozplugin2-block-digest256
mozpub-track-digest256
mozstd-track-digest256
mozstd-trackwhite-digest256
mozstdstaging-track-digest256
mozstdstaging-trackwhite-digest256

Chris, can we make this bug public?
Status: NEW → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(cpeterson)
Resolution: --- → FIXED
(Reporter)

Comment 6

a year ago
SGTM
Group: mozilla-employee-confidential
Flags: needinfo?(cpeterson)