/clarity-*.js blocking VMware vCenter console

meismyname
New Member
Posts: 1
Joined: Wed Mar 15, 2017 6:14 pm
Reputation: 0

Post by meismyname » Wed Mar 15, 2017 6:14 pm

Hey, ran into an issue with the vCenter console not loading for me and traced it back to the EasyPrivacy list.

According to the logs, there's an entry for "/clarity-*.js". Unfortunately, this is blocking the link below, and the entire console won't load with this rule active.

https://(InternalServerName)/ui/resources/libs/clarity-angular1.min.js

VMware lists these libraries on their GitHub page so you can see what I'm talking about.

https://github.com/vmware/clarity

Let me know if you have any questions!

Lanik
Site Owner
Posts: 1368
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 22
Location: /dev/null

Post by Lanik » Wed Mar 15, 2017 7:31 pm

EasyPrivacy is an optional subscription on most Ad Blockers.

Your options are:

A. Disable the filter list.

B. Add an exception rule:

@@/clarity-*.js$domain=InternalServerName

C. Ask VMware to use a different file name.

Since the resources are all internal it would be near impossible to add an exception for something like this.
"If it ain't broke don't fix it."

fanboy
EasyList Author
Posts: 9667
Joined: Wed Sep 05, 2007 8:17 pm
Reputation: 16

Post by fanboy » Fri Mar 17, 2017 9:34 pm

Agreed. Not much can be changed to fix this.

intgr
New Member
Posts: 1
Joined: Mon Mar 20, 2017 11:18 am
Reputation: 0

Post by intgr » Mon Mar 20, 2017 11:22 am

I am affected by this as well. I think it's an unnecessarily broad pattern -- are you sure it's not possible to make the pattern more specific to the resource it intends to block? What does it block in the first place?

Clarity isn't just for vCenter, it's an open source UI framework. It's like blocking Bootstrap or UIKit (although far less popular, but only because it's so new).

xrobau
New Member
Posts: 4
Joined: Tue May 02, 2017 12:37 am
Reputation: 0

Post by xrobau » Tue May 02, 2017 12:47 am

EasyList is blocking 'clarity-*.js', which is affecting, amongst other things, the VMware vCenter Console.

Clarity is an open source UI framework, and I can't find any history about WHY it was blocked in EasyList.

Searching the archives (clarity+js) provides only people saying that it IS blocked in error, but no history about people asking for it to be blocked. I can only assume that it was added in without realising the collateral damage 8-(

I don't think it's reasonable to expect an entire open source project to change its name 8-)

How do we go about getting this removed? (I don't have anything to do with VMware, btw, but I do run uBlock and use a lot of VMware, so this is really REALLY annoying for me.. sigh)

fanboy
EasyList Author
Posts: 9667
Joined: Wed Sep 05, 2007 8:17 pm
Reputation: 16

Post by fanboy » Tue May 02, 2017 10:16 am

VMware is using the name of a popular JavaScript tracker, "Touchclarity".

http://lib.pgmcdn.com/clarity-1489097134569.min.js

Seen on:

http://www.spin.com/2017/03/jason-chaffetz-health-care-apple-store/

xrobau
New Member
Posts: 4
Joined: Tue May 02, 2017 12:37 am
Reputation: 0

Post by xrobau » Mon May 08, 2017 12:42 am

I've opened a _ticket_ with the actual project, but I do feel it's unreasonable for them to change their project name just because someone has used its name for nefarious reasons.

I feel it sets an unpleasant precedent -- for example, what if someone creates a tracking script called 'jquery'?

If the clarity tracking script is always from pgmcdn.com, couldn't it be filtered when it originates from there?
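
The trade-off argued in this thread, as an added example that is not part of any post and is not EasyList's or any ad blocker's own matching code: a simplified matcher (only `*`, `||`, `@@` and `$domain=`) run over the tracker URL quoted above and a vCenter URL. The `.example` hostnames are constructed stand-ins for "(InternalServerName)", and the `||pgmcdn.com/...` rule is a hypothetical illustration of the host-scoped filter asked about above.

```javascript
// Added example: a simplified Adblock Plus-style matcher, NOT a real blocker engine.
// Supported syntax only: '*' wildcard, '||' host anchor, '@@' exception, '$domain='.
function parseRule(line) {
  const exception = line.startsWith("@@");
  let body = exception ? line.slice(2) : line;
  let domains = [];
  const opt = body.lastIndexOf("$");
  if (opt !== -1) {
    for (const o of body.slice(opt + 1).split(",")) {
      if (o.startsWith("domain=")) domains = o.slice(7).split("|");
    }
    body = body.slice(0, opt);
  }
  let prefix = "";
  if (body.startsWith("||")) { // anchor at the host or any parent domain
    prefix = "^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?";
    body = body.slice(2);
  }
  const src = body
    .replace(/[.+?^${}()|[\]\\\/]/g, "\\$&") // escape everything except '*'
    .replace(/\*/g, ".*");
  return { exception, domains, re: new RegExp(prefix + src, "i") };
}

function applies(rule, url, pageHost) {
  const domainOk = rule.domains.length === 0 ||
    rule.domains.some((d) => pageHost === d || pageHost.endsWith("." + d));
  return domainOk && rule.re.test(url);
}

// A request is blocked when a blocking rule applies and no exception rule does.
function isBlocked(ruleLines, url, pageHost) {
  const rules = ruleLines.map(parseRule);
  const hit = (r) => applies(r, url, pageHost);
  return rules.some((r) => !r.exception && hit(r)) &&
         !rules.some((r) => r.exception && hit(r));
}

// The tracker URL is the one quoted in the thread; hostnames ending in
// .example are constructed stand-ins for "(InternalServerName)".
const TRACKER = "http://lib.pgmcdn.com/clarity-1489097134569.min.js";
const VC1 = "https://vcenter.corp.example/ui/resources/libs/clarity-angular1.min.js";
const VC2 = "https://vc02.lab.example/ui/resources/libs/clarity-angular1.min.js";

const BROAD = ["/clarity-*.js"];
const LOCAL_FIX = [...BROAD, "@@/clarity-*.js$domain=vcenter.corp.example"];
const SCOPED = ["||pgmcdn.com/clarity-*.js"]; // hypothetical host-scoped rule

console.log("broad rule blocks vCenter:", isBlocked(BROAD, VC1, "vcenter.corp.example"));
```

The per-host exception in `LOCAL_FIX` unblocks only the one named server, so `VC2` stays blocked; the host-scoped rule leaves both vCenter URLs alone but only catches the tracker while it is served from that one domain.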

xrobau
New Member
Posts: 4
Joined: Tue May 02, 2017 12:37 am
Reputation: 0

Post by xrobau » Tue May 09, 2017 1:46 am

VMware have given up, and are changing the name of their JavaScript package.

https://github.com/vmware/clarity/issue ... -299749727

smathis
New Member
Posts: 2
Joined: Tue Oct 17, 2017 9:53 pm
Reputation: 0

Post by smathis » Tue Oct 17, 2017 10:01 pm

Hi, this is Scott from the VMware Clarity team. A couple of questions...

1) If we were to change the name of our JS packages, what could we change them to that would avoid this issue in the future? Our concern is that we change the name, only to hit this same issue in the future. We can't keep changing the name of production files that applications depend on.

2) Why can't our specific files be whitelisted? I'm actually surprised that there haven't been ad devs that haven't figured out that they can name their files "bootstrap[something]" or "jquery[something]" to bypass this ad blocker. That seems like a low bar to me.

Lanik
Site Owner
Posts: 1368
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 22
Location: /dev/null

Post by Lanik » Tue Oct 17, 2017 11:27 pm

It's also a little silly that they have refused to whitelist our packages. We have three of them... 🙄
@smathis It's not that EasyList refused to whitelist your package, it's the fact that you can't whitelist something that runs on a local network with 1000s or millions of possibilities. So that leaves a removal as the only option which again is not something EasyList authors want to do. Please read the rest of this thread, I believe I've already given the technological reasons why what you're asking isn't possible.

If you want to change the name of your package I suggest you review the EasyList Github repo: https://github.com/easylist/easylist and make sure your new package would not hit any keywords on the list.

I'm not an EasyList author so I don't pretend to know what they want to do. So far they have chosen not to remove the filter.
smathis wrote:
Tue Oct 17, 2017 10:01 pm
I'm actually surprised that there haven't been ad devs that haven't figured out that they can name their files "bootstrap[something]" or "jquery[something]" to bypass this ad blocker. That seems like a low bar to me.
Actually that will have the opposite effect which is how we got here in the first place.

xrobau
New Member
Posts: 4
Joined: Tue May 02, 2017 12:37 am
Reputation: 0

Post by xrobau » Wed Oct 18, 2017 5:00 am

Lanik wrote:
Tue Oct 17, 2017 11:27 pm
smathis wrote:
Tue Oct 17, 2017 10:01 pm
I'm actually surprised that there haven't been ad devs that haven't figured out that they can name their files "bootstrap[something]" or "jquery[something]" to bypass this ad blocker. That seems like a low bar to me.
Actually that will have the opposite effect which is how we got here in the first place.
No, that's exactly what has happened. A malicious entity named their adware the same as a legitimate JavaScript app.

EasyList blocked the adware, and because of that, blocked the legitimate app.

Now, if an ad supplier was to be slightly more annoying, they'd call their file "jquery-1.11.3.js" or something like that. If EasyList did the same thing as they did to VMware, they'd block 'jquery-*.js' and break a significant chunk of the web.

Lanik
Site Owner
Posts: 1368
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 22
Location: /dev/null

Post by Lanik » Wed Oct 18, 2017 8:56 am

xrobau wrote:
Wed Oct 18, 2017 5:00 am
No, that's exactly what has happened. A malicious entity named their adware the same as a legitimate javascript app.
I'm almost certain that's what happened; otherwise you wouldn't end up on the list.

smathis
New Member
Posts: 2
Joined: Tue Oct 17, 2017 9:53 pm
Reputation: 0

Post by smathis » Wed Oct 25, 2017 4:28 pm

I submitted a pull request to whitelist the two VMware Clarity JS libraries.

https://github.com/easylist/easylist/pull/683

Given that EasyList is _already_ whitelisting a domain blocked by "clarity-*", I see no harm in this addition. I restricted it to the same server as well.
