µBlock, a lean and fast blocker

That article refers to the Webp vulnerability (CVE-2023-4863) that has been patched in browsers.
I have personally elsewhere recommended a different rule in unpatched browsers.
However, it only works with declared webp files.
Likewise the rules in your article.
This would not be limiting because the exploit image is a (nearly invisible) webp image that could be injected into a legitimate website.
I insert a non-malicious example:


https://raw.githubusercontent.com/mistymntncop/CVE-2023-4863/main/bad.webp

 

Yes, all important browsers have it patched. Nevertheless, some people don't like webp.

 

I wonder why...

 

Personally I have no problem with webp. If you google then you will find concerns about compatibility and image-quality. Also there was a vulnerability problem. I think further discussion about it, would be off topic. But if someone wants to know more, then an interesting article could be: https://www.makeuseof.com/windows-chrome-saving-images-as-webp/

 

in fact there "was", no more.
its one to block webp and get bigger jpg or png files instead* for any reason, or to spread information about already fixed issues. also png and jpg had and currently have vulnerabilities, forgot?
https://securelist.com/png-embedded-malicious-payload-hidden-in-a-png-file/74297/
https://umbrella.cisco.com/blog/picture-perfect-how-jpg-exif-data-hides-malware
https://arstechnica.com/security/20...-jpg-and-txt-files-under-exploit-since-april/
at least you have to block all types of image, dont you?

BTW the links on the mozilla page to cve and more are not public because the vulnerability is still ITW and will threaten users with older browser - where my mercy is very limited.

 

Good reasoning, besides web devs are increasingly using webp format, so it seems.

 

But that won't automagically convert .webp to .jpg...

Instead, you can fool the page to serve you the real .jpg (or .png) with the extension "Don't Accept image/webp".

If these are not available on the server, just convert the saved .webp locally with a convenient .bat file:

Code:

@ECHO OFF
FOR %%a IN ("*.webp") DO ffmpeg -i "%%a" -qmin 1 -q:v 1 -bsf:v mjpeg2jpeg "%%~na".jpg

(`-qmin 1 -q:v 1` saves in best possible quality)
Of course FFmpeg must be in you PATH.

Linux command:

Code:

for i in *.webp; do ffmpeg -i "${i}" -qmin 1 -q:v 1 -bsf:v mjpeg2jpeg "${i%.webp}.jpg"; done

The 277KB .webp image from your example is then converted into a 723KB .jpg.

 

Exactly, there was. There's no point trying to block loading of webp images if you use an updated chrome or firefox browser, imho.

 

The image URL is:

Code:

https://www.emsisoft.com/wp-content/uploads/2021/08/eam-hero-b.jpg.webp 

It obviously saves as .webp.
No idea why they gave it a double extension...

But with the extension I mentioned above, they serve you a .jpg instead.
(not available for Chromium browsers...)

 

@nicolaasjan

This extension is available in Chromium-based browsers:

https://chromewebstore.google.com/detail/converti-webp-in-jpg/lioppfcbaohgghplacfgajfhbpmlhnbc

Maybe converted image too weighs.

 

Thanks to a member of another forum pointing out this yokoffing github link, I've been using the "Pro" Setup Example for about a week now, and it's been serving me better than any other uBO setup I've ever used before

Code:

"selectedFilterLists": [
    "user-filters",
    "ublock-filters",
    "ublock-badware",
    "ublock-privacy",
    "ublock-quick-fixes",
    "ublock-unbreak",
    "easylist",
    "easyprivacy",
    "urlhaus-1",
    "plowe-0",
    "ublock-annoyances",
    "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt",
    "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/BrowseWebsitesWithoutLoggingIn.txt",
    "https://raw.githubusercontent.com/yokoffing/filterlists/main/privacy_essentials.txt",
    "https://raw.githubusercontent.com/yokoffing/filterlists/main/annoyance_list.txt",
    "https://raw.githubusercontent.com/yokoffing/filterlists/main/youtube_clear_view.txt",
    "https://filters.adtidy.org/extension/ublock/filters/2_optimized.txt",
    "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/personal.txt",
    "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt",
    "https://raw.githubusercontent.com/stephenhawk8054/PrivacyExtended/main/privacy_extended.txt"
  ],

The only filter of my own I'm currently using is a cosmetic one to get rid of those annoying google call-outs: ||ogs.google.ca/widget/callout$subdocument

 

Yes, I have used a similar one (900.000 users).
But the Firefox one I mentioned does more: it prevents the serving of .webp, if possible.
(the .jpg or .png images that the server then sends are of better quality also, though larger in size)

But I think we are a bit offtopic now.

 

Ai, I have 496 filters of my own.

Do you mean this with Google callouts?:



(Ungoogled) Chromium doesn't have that.

 

This is a big news in the next stable version:

https://github.com/gorhill/uBlock/commit/bd7ce41224

 

I would like to use this rule in "my filters" and remove the JShelter extension:

Code:

*##+js(nowebrtc)

But I have some problems in some websites.
I wonder if the new rules introduced in UBO can disable WebRTC in a less aggressive way.

 

i had a bunch of my own, which are all backed up, but I wanted to wipe the slate clean with the yokoffing setup.

no actually this one:



I have ungoogled-chromium installed, but unfortunately it won't play video content from tsn[.]ca Chrome will, but not ungoogled or Chromium.

 

@Stupendous Man
Concerning your .gif issue on volkskrant.nl
I used next setting in uBO and the gif image didn't show up.


I didn't research further, but it seems that most other images are unaffected.
Perhaps it's not the solution you really want, but it's a possibility.

 

Yes, I encountered this today in my Dev version (1.54.1b12):

 

Ah, thanks very much, Jan Willy.
Clever thinking, differentiating on image size.
Those GIFs at Volkskrant.nl are enormous in comparison to the regular images.
However, as I don't want uBlock Origin to block other media elements, not at other sites either, I would need to find a 'sweet spot' for the selected file size so that GIFs at Volkskrant.nl are blocked and nothing else.
Thanks again for the clever thinking.

 

As I don't use or even have a Google Account, I use this filter rule to block those 'Sign in to Google' annoyances :
||accounts.google.com/gsi/iframe/select$subdocument

I don't remember if uBlock Origin element picker mode offered the one that you chose, and if so, why I selected the one that I chose. Anyhow, it works nicely.

 

Nice I did use uBO element picker to create the one I use.

 

Does anyone have an optimal and/or lite setup that blocks a lot of crap but doesn't eat resources for Brave Ihttps://pasteboard.co/HQNk1NTMnszT.jpg do have a good ram but I think my list of 110k net and 44 cosmetic is a bit much no?

 

I do not know about Brave.
I use Firefox snap on Kubuntu on old hardware with 4 GB RAM, and uBlock Origin with 109k network filters + 119k cosmetic filters, and I think it feels quite snappy.