Click2load initiated frame makes request without "Referrer" param; breaks certain embeds

[tyaremco]

Prerequisites

• I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
• This is NOT a YouTube, Facebook or Twitch report. These sites MUST be reported by clicking their respective links.
• This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
• The issue is not present after disabling uBO in the browser.
• I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

• uBO is the only extension.
• uBO uses default lists and settings.
• using a new, unmodified browser profile.

Description

When using the click2load redirect, eg.

||*/*embed*$3p,frame,redirect=click2load.html,domain=godlikeproductions.com
testing page

after clicking to load the embed, the request is made without the original Referrer present in the Header. Certain sites like Youtube can enforce a policy (1) to not load unless it has this value (eg. resulting in the "video player configuration error").

Therefore, the embedded content will fail to load if initiated from click2load but successfully loads otherwise.

Note that this is NOT a Youtube-specific issue, it's just an oversight in the click2load feature that can clash with server-side policy.

1. yt docs:

API Clients need only ensure they are not setting the Referrer-Policy in a way that suppresses the Referer value.
[...] API Clients must not use the noreferrer feature, which suppresses the Referer value.

A specific URL where the issue occurs.

https://www.godlikeproductions.com/forum1/message6100646/pg1

Steps to Reproduce

With uBo enabled at all times...

1. As I understand, not every system is affected by this policy. Manually paste this URL in your browser: https://www.youtube.com/embed/2za2IK8FQoM (which avoids Github being set as the Referrer). You should see the video fail to load and "video player configuration error". Otherwise, you will not be able to fully test this.

2. Open the provided URL from godlikeproductions. Note that the youtube embeds are fully functional.

3. Confirm in dev tools that Referrer is set for the youtube doc in the Request Header

4. Add the click2load static filter to uBO and refresh the page.
   ||*/*embed*$3p,frame,redirect=click2load.html,domain=godlikeproductions.com

5. When attempting to load a frame, you will again receive the "video player configuration error"

6. Confirm in dev tools that Referrer is absent from the youtube doc Request Header

Expected behavior

Click2load initiated frames make the same Request Header as they do during a normal page load, ensuring compatibility.

Actual behavior

Click2load initiated frame makes a request without the appropriate header params (Referrer), resulting in the embed failing to load.

uBO version

1.67.0

Browser name and version

Chromium 138

Operating System and version

Windows 7

[tyaremco]

What would you want the referrer value to be?

The same value that is present when the frame loads normally (without click2load).

[freezer2022]

Preliminarily discussed recently in:

• Block sending Referrer information gorhill/uBlock#3604

[krystian3w]

For YouTube, this seems like new behaviour¹ (at least for me).

Watch the video on YouTube
Error 153
Player configuration error

YouTube did not have this issue in the past. AdGuard MV2 is also unable to cope (And their MV3 version is not worth mentioning – it freezes, and we have a button without text and a bunch of errors in the console after each click on the empty ‘load’ button).

When no tool agrees to return something in the referrer, e.g. example.com (It is possible that extensions may have troubles with a meaningful referrer other than chrome://ID or moz-extension://UUID), it is better to create a list of unfriendly services, something similar to the 451 list.

---

Browser name and version

Chromium 138

The most interesting thing is that the video in the quote has an ugly ‘blocked by extension’ message in Chromium 142 (as if only the first frame could be redirected and the rest was ruined by bugs in MV2 that would have to be fixed by the community in forks, when it makes no sense to modify uBO for the last few Chromium versions; By the way, if AdGuard had the same problem, it has already fixed it, so they would only have to deal with MV3 and this "error 153"):

screens

---

Seems fine with fool as example.org:

https://addons.mozilla.org/addon/referer-modifier/ (Needs refinement so that it doesn't break github.com, for example)

For Chromium maybe:

https://chromewebstore.google.com/detail/referer-spoofer/khejlgjhghlpadddldphknbnifkahghn (I haven't tested it)

In that 2 add-ons, it seems that it is not possible to create a match for a path such as /embed/, or it is difficult to do so (so can fools real opened page in tab/window).

The only problem with enforcing something other than a higher frame or main frame is blocking video embedding on overly popular website (And we will come full circle again).

Footnotes

1. older sample https://invisioncommunity.com/forums/topic/485295-youtube-embeds-fail-error-153-when-site-wide-referrer-policy-is-set-to-no-referrer/. Preliminarily, from a minimum of 19 days, we can no longer use such a surrogate (but can be 131 days, according to Google documentation). ↩