The test "our browser is outdated" can be fooled

Bug
1

I noticed that the latest check on meta.discourse.org or discover.discourse.com to avoid viewing pages in modern mode on e.g. Firefox 115.27.0 can be circumvented by uBlock Origin, AdGuard, or even AdBlock/Adblock Plus:

! One of the four is sufficient:
meta.discourse.org##+js(aopw, unsupportedBrowser)
! Less stable:
meta.discourse.org##+js(set, unsupportedBrowser, undefined)
meta.discourse.org##+js(set, unsupportedBrowser, false)
meta.discourse.org##+js(set, unsupportedBrowser, '')
! Once every few dozen views, race mode may occur when using the set-constant version, causing the content blocker to fail when we rely on it, and the correct preview will be enabled in simplified HTML.
  • aopw = abort-on-property-write[1]
  • set = set-constant[2] (override-property-read for AdBlock and ABP)

Perhaps it should use a more secure method? One now visible disadvantage is that footnotes inserted into replies or introductory posts definitely do not work with this trick (Perhaps it is using CSS (other than the known issue with Relative Colour Syntax) or JS that is too new).

  1. Resources Library · gorhill/uBlock Wiki · GitHub #abort-on-property-writejs- ↩︎

  2. Resources Library · gorhill/uBlock Wiki · GitHub #set-constantjs- ↩︎

2

Sorry, can you expand a bit.

You are saying that any default install of uBlock Origin on an old browser bypasses our check?

1 Like
3

I will add STR:

  1. Install uBlock Origin from the official store in Firefox 115.27.0, as there are no major new features in the Manifest V2 API for Firefox add-ons that would cause people to stay on an outdated version of uBO (In other wide-content blockers, the steps are similar (the tab for your own filters may have a different name)).

  2. Go to its settings and the “My Filters” tab.

    • At this stage, I would like to point out that no default list dared to add a scriptlet with a long list of commas. Rather, the difficulty level is not too high for only the elite who know the basics of JavaScript by “trial and error” to do the same.

  3. Paste one of the 4 suggestions (the simplicity of all 4 filters means that there is no point in protecting the authorship, as someone came up with them at least a day before me).

    • I assume that there is no “subscribe and forget” list yet, or a script for Tampermonkey/Violentmonkey/Greasymonkey that does the same thing in “install and forget” mode (and the community or a volunteer will take care of constant updates to the list or script).

  4. Open or refresh the forum and the page will load in a “modern” look rather than simplified HTML (if the race condition does not occur when selecting the set-constant-based version).

    • As I wrote, the only visible malfunction is the footnotes not working properly (I don’t know enough about debugging websites to determine what we are missing, as this is not the only failed “Relative Color Syntax” test (the bubble is almost zero in size and not just invisible text, if it were colored relatively)).

    • I did not test whether the login mechanism has any additional security measures to prevent login failure or whether the account is marked as needing to be unlocked by the forum administrator.

      • I haven’t checked whether transferring the necessary cookies/localStorage/sessionStorage allows you to bypass additional login security measures when the forum does not have any browser uniqueness fingerprint tests to prevent users from logging in, or whether any features for logged-in users are also broken.

Perhaps it is enough to enclose the “global variable” in an “anonymous function” invisible to scriptlets/spinnets of wide-spectrum content blockers, when the idea of its dynamic name, e.g. changed every 24 hours at the CDN level, is too costly for the infrastructure.

Other forums that have implemented a simple HTML system view instead of a longer transition period with a less aggressive warning bar under header navigation can be forum.fxsound.com, where apow/set-constant also works for now.