Surrogate script needed for DoubleClick

General discussion about the NoScript extension for Firefox
SeanM
Junior Member
Posts: 44
Joined: Fri Jul 24, 2009 1:42 pm
Location: Upstate, New York USA

Surrogate script needed for DoubleClick

Post by SeanM » Fri Dec 11, 2009 3:12 am

After clicking a link on the "IMDB.com" home page, the following page was presented:

IMDb Video: Alice in Wonderland -- Teaser Trailer

Not surprisingly, the video did not play. Right-click on the NS icon showed the usual suspects, including "media-imdb.com". After (temporarily) allowing "media-imdb.com", the video still does not play. ABP revealed a previously unpresented:

http://ad.doubleclick.net/adj/imdb2.con ... 169/player

as a "whitelisted" script (to ABP), and, of course, a blocked domain ("doubleclick.net") in NS.

If I understand this rightly, the desired package ("imdb2.consumer.video ..........") is predicated on the "doubleclick.net" script. Further, to see the video, one must allow an otherwise forbidden script source. While this case is only a (really interesting) video, the "package" could be something less innocent. After reading the material on "surrogates" (hackademix.net » Surrogate Scripts vs Google Analytics) (as for google-analytics and quantserve), it seems that this may be a case for a surrogate rule. If so, how does one create such a rule? (I understand the first part: "noscript.surrogate.dc.sources default string *.doubleclick.net"). The next step appears to be the "replacement", and possibly "exceptions".

Is this a surrogate situation? If so, how would one proceed?
Last edited by Tom T. on Fri Dec 11, 2009 9:24 am, edited 1 time in total.
Reason: confirmed issue; edited title to reflect
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is this an example needing a "Surrogate" ?

Post by Tom T. » Fri Dec 11, 2009 9:23 am

Confirmed that doubleclick is the culprit. I reproduced your result, T-Allowing everything on the planet, in both NS and RequestPolicy, and whitelisting ad-blocking. The only thing that I cannot *effectively* TA is doubleclick, because they are blocked in my Hosts file under multiple domain names. So allowing them in NS still would not allow the browser to connect there.

So I temporarily substituted a dummy Hosts file, went back to the trailer, TA Doubleclick = video plays. (Browser was sandboxed, as it always is, so not quite so worried about the DC payload. You might consider this additional defense-in-depth, if you haven't already.) I could then toggle the issue on/off by allowing/disallowing DC.

So I agree that a surrogate script seems necessary here. I've edited the thread title to reflect the confirmed need. Hope you don't mind.

Giorgio, can you provide one?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

Giorgio Maone
Site Admin
Posts: 8771
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Is this an example needing a "Surrogate" ?

Post by Giorgio Maone » Fri Dec 11, 2009 11:05 pm

Tom T. wrote:Giorgio, can you provide one?

I'll check, but this case may be harder than usual because, rather than a script, the page may need a piece of video stream which surrogates can't cover.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Is this an example needing a "Surrogate" ?

Post by Tom T. » Sat Dec 12, 2009 1:35 am

Giorgio Maone wrote:
Tom T. wrote:Giorgio, can you provide one?

I'll check, but this case may be harder than usual because, rather than a script, the page may need a piece of video stream which surrogates can't cover.

Code: Select all

http://ad.doubleclick.net/adj/imdb2.consumer.video/imdb;tile=6;sz=320x240,640x360,8x1;p=pr;vct=sh;id=vi4240966169;vct=tr;ord=240578283283959.8?TRAILER=/video/imdb/vi4240966169/player

So, is DC trying to run its own animated or video ad in conjunction with the trailer? Like when you go to the cinema, and they show ads before showing the movie. I watched a little of the trailer and saw no other ads, but I didn't stay through to the end of the trailer. I just wanted to prove that DC was the issue. Didn't see any video ads anywhere else on the page, either.

Or is DC itself supplying the trailer -- since a movie trailer is in fact an advertisement for a movie, and DC could very well have been contracted by Disney to display the trailers, being paid per view, etc. Just curious.

@SeanM: Are you familiar with various sandboxing or virtualization solutions? They come in extra-handy in a situation like this, where you very much want to view the video but are (rightfully) concerned about having to allow (temporarily, of course) a known privacy-violator like DC. You would start with an empty sandbox, view the video, then close the browser and empty the sandbox (mine is set to empty automatically every time the browser is closed) *before* doing any more browsing. Thus, DC can't access anything else. (I don't use Fx Password Manager). You start your next session with a clean sandbox and browser -- no traces of DC or anything else.

A useful line of defense anyway, but since Giorgio says it might not be possible to create this surrogate, this is a good opportunity to consider such a tool.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Giorgio Maone
Site Admin
Posts: 8771
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Surrogate script needed for DoubleClick

Post by Giorgio Maone » Sat Dec 12, 2009 4:59 pm

noscript.surrogate.imdb.sources

Code: Select all

@*.imdb.com/video/*

noscript.surrogate.imdb.replacement

Code: Select all

addEventListener('DOMContentLoaded',function(){ad_utils.render_ad=function(w){w.location=w.location.href.replace(/.*\bTRAILER=([^&]+).*/,'$1')}},true)


It will be included in next NoScript release, BTW.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Surrogate script needed for DoubleClick

Post by Tom T. » Sun Dec 13, 2009 10:08 am

Thanks, added to both browsers.

So far, I have not been able to play the video in either Fx 2.20 or 3.5.5.

NS 1.9.9.18

Fx 2 = disabled Adblock, TA all the page, allow *@http.imdb.com, change network.cookie etc. to allow 3rd-party cookies, allowed cookie from webtrendslive.com and even script from them.

Fx 3.5.5 = disabled RequestPolicy, no adblocking, disabled private browsing, allowed 3rd-party cookies, allowed cookie from webtrendslive.com, TA all the page, allow the imdb objects, etc.

Both: used dummy Hosts again with no entries other than localhost. Double-checked by visiting DoubleClick directly. = successful.
Both: Set RefControl to "normal" for imdb.com; cookies from IMDb already allowed.

Scripting from DoubleClick still Untrusted, so the surrogate should run, correct? The successful previous test allowed the actual DoubleClick script, which we're trying to avoid.

Any ideas what else I might be missing?
Last edited by Tom T. on Sun Dec 13, 2009 10:12 am, edited 1 time in total.
Reason: add refcontrol
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Surrogate script needed for DoubleClick

Post by al_9x » Sun Dec 13, 2009 12:17 pm

Tom T. wrote:So far, I have not been able to play the video in either Fx 2.20 or 3.5.5.

same here, new 3.5.5 profile
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Giorgio Maone
Site Admin
Posts: 8771
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Surrogate script needed for DoubleClick

Post by Giorgio Maone » Sun Dec 13, 2009 4:19 pm

Sorry, there was a typo in the replacement code (a double backslash which should have been single).
Fixed above, please copy&paste again.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

SeanM
Junior Member
Posts: 44
Joined: Fri Jul 24, 2009 1:42 pm
Location: Upstate, New York USA

Re: Surrogate script needed for DoubleClick

Post by SeanM » Sun Dec 13, 2009 5:23 pm

Revised surrogate works on 3.6.4 (beta). Gracie. Will this be a prototype for only the IMDB, or a broader surrogate for DC?

(I had attempted the previous version on 12 Dec, without success (TA of "doubleclick.net" was still required then). Same problem was experienced on 3.5.1).

@Tom T. : I tested this first on (a newly installed) Sandboxie. 8-) 8-) Still playing with it, and making a list of things NOT to do in the sandbox. One is XMarks & bookmarks.

@Giorgio : When I clicked "Select All" on each of the entries, then copied and pasted, each entry was preceded with four (4) spaces (which were subsequently removed). I had not noticed this earlier.
Last edited by SeanM on Sun Dec 13, 2009 5:34 pm, edited 1 time in total.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: Surrogate script needed for DoubleClick

Post by al_9x » Sun Dec 13, 2009 5:34 pm

Giorgio,

since render_ad is called inline by the child iframe, is DOMContentLoaded guaranteed to be called first?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Giorgio Maone
Site Admin
Posts: 8771
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Surrogate script needed for DoubleClick

Post by Giorgio Maone » Sun Dec 13, 2009 6:03 pm

al_9x wrote:since render_ad is called inline by the child iframe, is DOMContentLoaded guaranteed to be called first?

Yes it is, because the page assigns the iframe src attribute in another DOMContentLoaded handler:

Code: Select all

$(function() {
    IMDbPlayer.playerType = "frameparent";
    window.frames['video-player-container'].location.replace('/rg/TITLETRA_PREROLL///images/SF4d7a0417f99d83816f79ce6b9e1e0f0f/a/ifb/doubleclick/expand.html%23imdb2.consumer.video/imdb;tile=6;sz=320x240,640x360,8x1;p=pr;id=vi4240966169;ord=[CLIENT_SIDE_ORD]?TRAILER=/video/imdb/vi4240966169/player');
});

$(someFunction) is a shortcut for window.addEventListener("DOMContentLoaded", someFunction, false) in jQuery.

SeanM wrote:Will this be a prototype for only the IMDB, or a broader surrogate for DC?

It's just for IMDB, because I don't know about any similar/generalizable example of Doubleclick delegation yet, and this one seems specifically crafted for IMDB trailers.
Regarding the extra leading space, it's a phpBB bug, I guess...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
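
The surrogate's URL rewrite applied to the iframe location quoted in the post above, next to the double-backslash version from the first posting. This is an added example, not part of the thread or of NoScript; the `www.imdb.com` origin, the mock frame object and the helper names are assumptions.

```javascript
// Added example; runs in Node, no browser needed.
// ORIGIN is an assumption; the path is the iframe location quoted in the thread.
const ORIGIN = 'http://www.imdb.com';
const FRAME_URL = ORIGIN +
  '/rg/TITLETRA_PREROLL///images/SF4d7a0417f99d83816f79ce6b9e1e0f0f/a/ifb/doubleclick/' +
  'expand.html%23imdb2.consumer.video/imdb;tile=6;sz=320x240,640x360,8x1;p=pr;' +
  'id=vi4240966169;ord=[CLIENT_SIDE_ORD]?TRAILER=/video/imdb/vi4240966169/player';

// Rewrite from the corrected surrogate: keep only the TRAILER value.
function trailerTarget(href) {
  return href.replace(/.*\bTRAILER=([^&]+).*/, '$1');
}

// First posted version: "\\b" in a regex literal means a literal backslash
// followed by "b", so the pattern never matches a URL and replace() is a no-op.
function trailerTargetTypo(href) {
  return href.replace(/.*\\bTRAILER=([^&]+).*/, '$1');
}

// Stand-in for the surrogate's render_ad(w): w is a mock frame window here.
// In a browser, assigning w.location navigates the frame.
function renderAd(w, rewrite) {
  w.location = rewrite(w.location.href);
  return w.location;
}

function demo() {
  const frame = () => ({ location: { href: FRAME_URL } });
  return {
    fixed: renderAd(frame(), trailerTarget),
    typo: renderAd(frame(), trailerTargetTypo),
    // Parameters after the TRAILER value are dropped by [^&]+ (constructed input).
    extra: trailerTarget(FRAME_URL + '&autoplay=1'),
    // Without a TRAILER parameter the href comes back unchanged (constructed input).
    missing: trailerTarget(ORIGIN + '/video/imdb/vi4240966169/'),
  };
}

console.log(demo());
```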

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Surrogate script needed for DoubleClick

Post by Tom T. » Mon Dec 14, 2009 12:00 am

SeanM wrote:@Tom T. : I tested this first on (a newly installed) Sandboxie. 8-) 8-) Still playing with it, and making a list of things NOT to do in the sandbox. One is XMarks & bookmarks.

You can "drill holes" in the Sandbox to allow certain changes to be written to your permanent Fx profile. Among the ones I allow are all NS configurations, Adblock lists, bookmarks, cookie settings, etc. You just give it write permission to prefs.js file or to the Bookmarks file, etc.

And if you download a picture, video, .pdf, etc., remember that it will d/l into Sandboxie. You're prompted to recover them before the sandbox is emptied, but you can move them immediately, e. g., to your *real* Desktop vs. the sandboxed, cloned "desktop", if you wish.

Of course, we're not in the business of supporting Sandboxie or any other third-party product here, but if you can't find this quickly in their documentation, I'd be happy to help as a courtesy to an enthusiastic member and supporter of the NoScript community. :) (Disclaimer: It would be my personal opinions and experience only, not official advice sanctioned by this forum, NoScript, Giorgio Maone, informaction.com, or anyone else.)

SeanM wrote:@Giorgio : When I clicked "Select All" on each of the entries, then copied and pasted, each entry was preceded with four (4) spaces (which were subsequently removed). I had not noticed this earlier.

I don't remember experiencing this, or surely I would have noticed. I'll watch carefully as I copy the corrected code, and advise if I can confirm this.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

"Copy code" bug in PHP

Post by Tom T. » Mon Dec 14, 2009 12:31 am

SeanM wrote:@Giorgio : When I clicked "Select All" on each of the entries, then copied and pasted, each entry was preceded with four (4) spaces (which were subsequently removed). I had not noticed this earlier.

Confirmed, although solved by use of Copy Plain Text, which is my own default for most copying from the Web.

Select All > Edit > Copy = [[....addEventListener('DOMContentLoaded',function(){ad_utils.render_ad=function(w)
{w.location=w.location.href.replace(/.*\bTRAILER=([^&]+).*/,'$1')}},true)]]

(I added the double square brackets to make the WYSIWYG content and leading spaces more apparent, and the .... because the forum sw was eliminating all white space beyond a single space.)

Select All > Edit > Copy as Plain Text =
[[addEventListener('DOMContentLoaded',function(){ad_utils.render_ad=function(w)
{w.location=w.location.href.replace(/.*\bTRAILER=([^&]+).*/,'$1')}},true)]]

No leading spaces. Perhaps this should be reported to PHP?

Also, the Copy Plain Text add-on was originally compatible only with F2. The dev posts it as compatible with F2-F3.6+, but apparently, you have to do your own workaround by modifying the Install file. I didn't bother, but instead located Extended Copy Menu, which also offers the option of copying as HTML. I don't use that feature much, but no harm in having it available. Anyway, ECM installed quickly and easily on Fx 3.5.5, and does the same thing: adds an additional option in the browser Edit or Context menus to remove all formatting and copy as plain text only. *Very* handy when you want to copy headlines (like at the top of this thread), links without the linking included, etc.

The old way was to paste it into Notepad first, save, then copy/paste to the intended location. Sorry if this is slightly OT, but it *does* resolve an apparent bug in copying this code, and in all code that might be posted here for users to copy.

I'll see if I can reproduce this in Fx 3.5.5 with Extended Copy add-on.

EDIT: Confirmed in Fx 3.5.5. Same results as above, using default Copy command vs. Extended Copy Menu > Copy as Plain Text.

@ Giorgio: Is this something you can fix for our use here, or does PHP have to be notified? I imagine they should be told about it anyway, if it's inherent in their sw. You have much more clout with them than I, since you are a customer of theirs.

Will also open a thread in Metaforum duplicating this, in the hopes of attracting input from readers who might not read this specific thread. TIA.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Surrogate script needed for DoubleClick

Post by Tom T. » Mon Dec 14, 2009 12:41 am

Confirmed the video plays in F2-20, TA *only* imdb.com and media-imdb.com, then clicking the Flash placeholder. No 3rd-party cookies or scripts; even adblocking can remain in effect (this required one more "allow blocked object"); DoubleClick is still blocked by both Adblock and Hosts. The page is happy. :D

EDIT: Confirmed that on Fx 3.5.5, with NS 1.9.9.20 dev build with the new default surrogate, the video plays with DoubleClick blocked as above, with Adblock enabled, and in Private Browsing mode, with no 3rd-party anything. The only permission needed in RequestPolicy is to allow requests from imdb.com > media-imdb.com.

EDIT #2: RefControl can be run in default state, i. e., blocking referrers, in either browser. No exception required.

Thanks, Giorgio. Awesome, as usual. :)
Last edited by Tom T. on Mon Dec 14, 2009 9:28 am, edited 3 times in total.
Reason: add confirm of dev build successful in Fx 3.5.5, #2 add refcontrol
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Giorgio Maone
Site Admin
Posts: 8771
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Surrogate script needed for DoubleClick

Post by Giorgio Maone » Mon Dec 14, 2009 8:57 am

Notice: just changed changelog credits for this RFE to include SeanM who originally hinted at it.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
