NoScript blocking Twitch ads

[DaveLillethun]

Below is what I wrote on the Twitch help form, but I'm not sure if you guys might be the better people to ask, so I'll ask here as well:

----------
I'm running Firefox 31.0 with the NoScript 2.6.8.36 add-on. This seems to be blocking ads on Twitch... It's not an ad blocker; I block scripts for security and privacy reasons, but this sometimes had the side effect of blocking ads on some sites. I'd actually prefer to watch the ads on Twitch so I can support the site and the streamers who I watch.

I've whitelisted the Twitch domains that seem necessary to get everything other than ads working properly. I found that if I disable the NoScript add-on completely, I can watch the ads. However, this leaves my entire web browsing experience vulnerable, so I need to find a way to let only Twitch past... I also found that if I disable only the script blocking, but not the entire add-on, then ads are still blocked. (The add-on has additional features like cross-site scription protection, something they call ClearClick, and a few other things...)

Does anyone know how I can get Twitch ads to work without eliminating my NoScript protection for all websites?
----------

I'll also add this, which I did not explain to them because I didn't know how without terminology they wouldn't understand...
I am using ABE as well, but ads are still blocked with this set of rules:

Code: Select all

# User-defined rules. Feel free to experiment here.

Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny

Site .2mdn.net
Deny

Site .btstatic.com
Deny

Site *
Accept

...and then some other stuff that shouldn't be run because "Site *" should catch everything. (The reaons the list doesn't stop here is because the "Site *" was only added here for testing purposes... since it catches everything, I figured I could leave my "normal" rules intact while bypassing them during my test.)

Thanks!

[Thrawn]

What ad domains does Twitch use? If it's any of the ones specified in your ABE rules, then obviously they're toast.

[barbaz]

Site *
Accept

Should really be "Site ^.*" or "Site ALL"

Do you see any Forbidden or Untrusted sites in your NS menu when you're on the Twitch site?
If you check the Browser Console (Ctrl-Shift-J) after you _should_ see Twitch ads but don't, is there any message from ABE?
Any NoScript related messages at all in the Browser Console when Twitch ads don't display?
(please post all those console messages here wrapped in code tags)

[DaveLillethun]

It'll take a little time for me to fully investigate what happens when an ad loads since I can't control when ads run...

But when a stream page loads in general, ABE blocks DoubleClick and Quantserve.
My untrusted scripts that come up are: doubleclick.net, quantserve.com, facebook.net (note: .net not .com), google-analytics.com, scorecardresearch.com, and petametrics.com

AFAIK, all of the above are tracking and analytics domains, and not ones that actually play ads... but correct me if you know otherwise.

I'll post any additional blockages I notice when ads play as soon as I am able to debug an ad...

[barbaz]

when a stream page loads in general, ABE blocks DoubleClick and Quantserve.
My untrusted scripts that come up are: doubleclick.net, quantserve.com, facebook.net (note: .net not .com), google-analytics.com, scorecardresearch.com, and petametrics.com

AFAIK, all of the above are tracking and analytics domains, and not ones that actually play ads... but correct me if you know otherwise.

OK, there's your problem. Doubleclick is actually both an advertiser and a tracker...
So given that, what do you want to do?

[DaveLillethun]

I finally got to debug an actual ad, and I think you might be right that it's because I'm blocking DoubleClick...

DoubleClick is one of the most pervasive and creepy trackers... So how can I allow it to play ads, while stopping it from tracking me?
I'll play with a few things (one idea is setting ABE to Anonymous instead of Deny) and see what happens... but if anyone has any good suggestions for how I can preserve my privacy while still viewing ads, please let me know!


Details
----------

It blocked scripts from (taken from the "Recently Blocked Scripts" list):

pubads.g.doubleclick.net

And the ABE log reports:

[ABE] <.doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com> Deny on {GET http://b.scorecardresearch.com/crossdomain.xml <<< - 12}
USER rule:
Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny
[ABE] <.doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com> Deny on {GET http://pubads.g.doubleclick.net/crossdomain.xml <<< - 12}
USER rule:
Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny
[ABE] <.doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com> Deny on {GET http://b.scorecardresearch.com/crossdomain.xml <<< - 12}
USER rule:
Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny
[ABE] <.doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com> Deny on {GET http://pubads.g.doubleclick.net/crossdomain.xml <<< - 12}
USER rule:
Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny
[ABE] <.doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com> Deny on {GET http://b.scorecardresearch.com/crossdomain.xml <<< - 12}
USER rule:
Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny
[ABE] <.doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com> Deny on {GET http://pubads.g.doubleclick.net/crossdomain.xml <<< - 12}
USER rule:
Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny
[ABE] <.doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com> Deny on {GET http://b.scorecardresearch.com/crossdomain.xml <<< - 12}
USER rule:
Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny
[ABE] <.doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com> Deny on {GET http://pubads.g.doubleclick.net/crossdomain.xml <<< - 12}
USER rule:
Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny

with my slightly modified ABE rules, which are:

Code: Select all

# User-defined rules. Feel free to experiment here.

Site .2mdn.net .mixpanel.com .mxpnl.com
Accept
Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny

Site .btstatic.com
Deny

Site ALL
Accept

[barbaz]

I finally got to debug an actual ad, and I think you might be right that it's because I'm blocking DoubleClick...

DoubleClick is one of the most pervasive and creepy trackers... So how can I allow it to play ads, while stopping it from tracking me?
I'll play with a few things (one idea is setting ABE to Anonymous instead of Deny) and see what happens... but if anyone has any good suggestions for how I can preserve my privacy while still viewing ads, please let me know!

Whatever you do, make sure to only allow doubleclick.net from Twitch:

Code: Select all

Site .doubleclick.net
Accept from [twitch]
Deny

Unfortunately your console messages don't say what site is actually requesting Doubleclick, so you'll need to figure that out and replace "[twitch]" with the actual site(s) originating the requests to doubleclick.

[DaveLillethun]

Here's what I did with ABE that seems to work...

Code: Select all

Site pubads.g.doubleclick.net ad.doubleclick.net .2mdn.net .googleadservices.com
Anon

Site .doubleclick.net .quantserve.com .scorecardresearch.com .facebook.net .google-analytics.com .conviva.com .stripe.com .chartbeat.com
Deny

Site .btstatic.com
Deny

And scripts from all the sites in the Anon section are still set on default-deny; I didn't need to allow scripts for ads to play.

I'm cuious how much Anon really stops tracking, though. It should prevent them from tracking me using cookies, I think, but there are other ways they may identify me as I go from site to site... So I'm not sure it's 100%

I'm going to work on tightening it down and see what the minimal rule I can get away with that still lets me see the ads. Two ideas are 1) of the four domains in the Anon rule, see which ones are really necessary for ads to play - I might not need them all, and 2) maybe change "Anon" to "Anon from .twitch.tv" to limit loading those domains to Twitch - that will constrain their "tracking" to only the sites I explicitly name (for now, only Twitch).

I'll post back here what I find, but it may take a little time to test all the different options, since as I said I sometimes have to wait hours before an ad plays on Twitch - there's no way I can induce one to play myself.

[barbaz]

I'm cuious how much Anon really stops tracking, though. It should prevent them from tracking me using cookies, I think, but there are other ways they may identify me

including but not limited to IP address, user-agent, browser signature, canvas fingerprint, geolocation, computer timezone, what content you block/hide,...
Bottom line is, the only way to block a site from tracking you is completely blocking all network traffic from your computer to the site.

Anon is intended as a defense against CSRF, where stripping cookies and certain other headers would remove your login information for a sensitive site, so that another site can't exploit the fact you're logged in a sensitive site in the same browser session.

I'm going to work on tightening it down and see what the minimal rule I can get away with that still lets me see the ads. Two ideas are 1) of the four domains in the Anon rule, see which ones are really necessary for ads to play - I might not need them all,

The first 3 are all adservers. googleadservices is a tracker, not an adserver (Google serves ads from "googlesyndication.com").

2) maybe change "Anon" to "Anon from .twitch.tv" to limit loading those domains to Twitch - that will constrain their "tracking" to only the sites I explicitly name (for now, only Twitch).

That would be a really good idea, and you'll need to also follow it with "Deny" so that those domains are blocked on other sites.