/clarity-*.js blocking VMware vCenter console

This is where you should report issues arising from the subscription filters.
Locked
meismyname
New Member
New Member
Posts: 1
Joined: Wed Mar 15, 2017 6:14 pm

/clarity-*.js blocking VMware vCenter console

Post by meismyname »

Hey, ran into an issue with the vCenter console not loading for me and traced it back to the EasyPrivacy list.

According to the logs, there's an entry for "/clarity-*.js". Unfortunately, this is blocking the link below, and the entire console won't load with this rule active.

Code: Select all

https://(InternalServerName)/ui/resources/libs/clarity-angular1.min.js
VMware lists these libraries on their github page so you can see what I'm talking about.

Code: Select all

https://github.com/vmware/clarity
Let me know if you have any questions!
User avatar
LanikSJ
Site Owner
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

EasyPrivacy is an optional subscription on most Ad Blockers.

Your options are:

A. Disable the filter list.

B. Add an exception rule:

Code: Select all

@@/clarity-*.js$domain=InternalServerName
C. Ask VMware to use a different file name.

Since the resources are all internal it would be near impossible to add an exception for something like this.
"If it ain't broke don't fix it."
User avatar
fanboy
EasyList Author
EasyList Author
Posts: 12223
Joined: Wed Sep 05, 2007 8:17 pm

Post by fanboy »

Agreed. Not much can be changed to fix this
intgr
New Member
New Member
Posts: 1
Joined: Mon Mar 20, 2017 11:18 am

Post by intgr »

I am affected by this as well. I think it's an unnecessarily broad pattern -- are you sure it's not possible to make the pattern more specific to the resource it intends to block? What does it block in the first place?

Clarity isn't just for vCenter, it's an open source UI framework. It's like blocking Bootstrap or UIKit (although far less popular, but only because it's so new).
xrobau
New Member
New Member
Posts: 4
Joined: Tue May 02, 2017 12:37 am

Post by xrobau »

Easylist is blocking 'clarity-*.js', which is affecting, amongst other things, the VMware vCenter Console.

Clarity is an open source UI framework, and I can't find any history about WHY it was blocked in Easylist.

Searching the archives (clarity+js) provides only people saying that it IS blocked in error, but no history about people asking for it to be blocked. I can only assume that it was added in without realising the collateral damage 8-(

I don't think it's reasonable to expect an entire open source project to change its name 8-)

How do we go about getting this removed? (I don't have anything to do with vmware, btw, but I do run uBlock and use a lot of VMware, so this is really REALLY annoying for me.. sigh)
User avatar
fanboy
EasyList Author
EasyList Author
Posts: 12223
Joined: Wed Sep 05, 2007 8:17 pm

Post by fanboy »

vmware is using the name of a popular java script tracker "Touchclarity".

Code: Select all

http://lib.pgmcdn.com/clarity-1489097134569.min.js
Seen on;

Code: Select all

http://www.spin.com/2017/03/jason-chaffetz-health-care-apple-store/
xrobau
New Member
New Member
Posts: 4
Joined: Tue May 02, 2017 12:37 am

Post by xrobau »

I've opened a _ticket_ with the actual project, but I do feel it's unreasonable for them to change their project name just because someone has used its name for nefarious reasons.

I feel it sets an unpleasant precedent -- for example, what if someone creates a tracking script called 'jquery'?

If the clarity tracking script is always from pgmcdn.com, couldn't it be filtered when it originates from there?
xrobau
New Member
New Member
Posts: 4
Joined: Tue May 02, 2017 12:37 am

Post by xrobau »

VMware have given up, and are changing the name of their javascript package.

https://github.com/vmware/clarity/issue ... -299749727
smathis
New Member
New Member
Posts: 2
Joined: Tue Oct 17, 2017 9:53 pm

Post by smathis »

Hi, this is Scott from the VMware Clarity team. A couple of questions...

1) If we were to change the name of our JS packages, what could we change them to that would avoid this issue in the future? Our concern is that we change the name, only to hit this same issue in the future. We can't keep changing the name of production files that applications depend on.

2) Why can't our specific files be whitelisted? I'm actually surprised that there haven't been ad devs that haven't figured out that they can name their files "bootstrap[something]" or "jquery[something]" to bypass this ad blocker. That seems like a low bar to me.
User avatar
LanikSJ
Site Owner
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

It's also a little silly that they have refused to whitelist our packages. We have three of them... 🙄
[mention]smathis[/mention] It's not that EasyList refused to whitelist your package, it's the fact that you can't whitelist something that runs on a local network with 1000s or millions of possibilities. So that leaves a removal as the only option which again is not something EasyList authors want to do. Please read the rest of this thread, I believe I've already given the technological reasons why what you're asking isn't possible.

If you want to change the name of your package I suggest you review the EasyList Github repo: https://github.com/easylist/easylist and make sure your new package would not hit any keywords on the list.

I'm not an EasyList author so I don't pretend to know what they want to do. So far they have chosen not to remove the filter.
smathis wrote: Tue Oct 17, 2017 10:01 pm I'm actually surprised that there haven't been ad devs that haven't figured out that they can name their files "bootstrap[something]" or "jquery[something]" to bypass this ad blocker. That seems like a low bar to me.
Actually that will have the opposite effect which is how we got here in the first place.
"If it ain't broke don't fix it."
xrobau
New Member
New Member
Posts: 4
Joined: Tue May 02, 2017 12:37 am

Post by xrobau »

Lanik wrote: Tue Oct 17, 2017 11:27 pm
smathis wrote: Tue Oct 17, 2017 10:01 pm I'm actually surprised that there haven't been ad devs that haven't figured out that they can name their files "bootstrap[something]" or "jquery[something]" to bypass this ad blocker. That seems like a low bar to me.
Actually that will have the opposite effect which is how we got here in the first place.
No, that's exactly what has happened. A malicious entity named their adware the same as a legitimate javascript app.

EasyList blocked the adware, and because of that, blocked the legitimate app.

Now, if an ad supplier was to be slightly more annoying, they'd call their file "jquery-1.11.3.js" or something like that. If EasyList did the same thing as they did to VMware, they'd block 'jquery-*.js' and break a significant chunk of the web.
User avatar
LanikSJ
Site Owner
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

xrobau wrote: Wed Oct 18, 2017 5:00 am No, that's exactly what has happened. A malicious entity named their adware the same as a legitimate javascript app.
I'm almost certain that's what happen otherwise you wouldn't end up on the list.
"If it ain't broke don't fix it."
smathis
New Member
New Member
Posts: 2
Joined: Tue Oct 17, 2017 9:53 pm

Post by smathis »

I submitted a pull request to whitelist the two VMware Clarity JS libraries.

https://github.com/easylist/easylist/pull/683

Given that EasyList is _already_ whitelisting a domain blocked by "clarity-*", I see no harm in this addition. I restricted it to same server as well.
Locked