Here you find the source code of the NDSS 2021 submission "Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI". Furthermore, we release the manually labelled set of site connections here.
Download the zipped source code package. You can then make use of our provided Docker container by issuing the following two commands:
If you want to install it locally, you need a working Node and NPM installation for your system, and additionally need to install our dependencies by invoking
npm install

Note that depending on your operating system, you may have to modify config.executablePath (in arguments.js) to point to your installation of Chrome/Chromium.
To run the toolchain, you can simply invoke smurf.js and pass the URL you want to check.
node smurf.js --url https://realtor.com

This will visit https://realtor.com and generate a simplified inclusion tree of the main frame. It will print those chains which involve more than two parties according to the eTLD+1. Additionally supplying --showCspResults as a command line parameter will print the results of our incompatibility analysis of the observed behaviour (inline scripts, inline handlers, eval, and scripts inserted in a way that 'strict-dynamic' would block), aggregated per host.
$ node smurf.js --url https://realtor.com --showCspResults
[SMURF] Starting chrome...
[SMURF] Setting up...
[SMURF] Visiting https://realtor.com
[SMURF] Please wait up to 30 seconds
[SMURF] Loaded https://www.realtor.com/
[SMURF] Inclusion analysis:
https://www.realtor.com/
===>
===> https://static.criteo.net/js/ld/publishertag.prebid.js
https://www.realtor.com/assets/prod/c3d00b9/_next/static/runtime/main-3d44de64d2d764f35183.js
===> https://www.realtor.com/rdc_user_check.js
===> https://www.realtor.com/assets/prod/c3d00b9/_next/static/chunks/64.96b7b41f05d066991906.js
===> https://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js
===> https://assets.adobedtm.com/6809d1ba6f0c/c4bef609fe0d/launch-b1aeef4798eb.min.js
======> https://connect.facebook.net/en_US/fbevents.js
===> https://connect.facebook.net/en_US/sdk.js
===> https://apis.google.com/js/api:client.js
===> https://apis.google.com/js/platform.js
https://securepubads.g.doubleclick.net/tag/js/gpt.js
===> https://adservice.google.de/adsid/integrator.js?domain=www.realtor.com
===> https://securepubads.g.doubleclick.net/gpt/pubads_impl_2020072701.js
===> https://adservice.google.com/adsid/integrator.js?domain=www.realtor.com
=========================================================================================================
[SMURF] CSP analysis:
{
  strictDynamicViolator: Set(1) { 'securepubads.g.doubleclick.net' },
  inlineScriptWritingHosts: Set(1) { 'www.realtor.com' },
  inlineHandlerWritingHosts: Set(4) {
    'www.realtor.com',
    'securepubads.g.doubleclick.net',
    'ajax.googleapis.com',
    'assets.adobedtm.com'
  },
  evalUsingHosts: Set(2) { 'www.realtor.com', 'c.amazon-adsystem.com' }
}
=========================================================================================================
=========================================================================================================
[SMURF] Order (in each block)
[SMURF] - The first URL caused the avalanche of inclusions, if it is the loaded URL it was initiated by an inline script
[SMURF] - The last URL was the finally included script caused by all above it
[SMURF] Indentation
[SMURF] - Indentation indicates inclusion depth
[SMURF] - Same indentation indicates that one resource included multiple further resources
[SMURF] Colors
[SMURF] - Same color means same party (uses eTLD+1 without extended same-party)
[SMURF] - If more parties than colors available, grey is used for the remaining
[SMURF] - Colors are reset between blocks
[SMURF] Trees are simplified to get useable output on the console
[SMURF] - Only prints scripts with at least two different third parties in the subtree
=========================================================================================================
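To make the output above easier to read, here is an added, self-contained example (not part of the SMURF release and not the tool's own code) that re-implements in miniature the two things the description and the legend talk about: classifying every script in an inclusion tree by its eTLD+1 party and keeping only the top-level chains whose subtree contains at least two distinct third parties, and aggregating observed CSP-relevant behaviour per host into the four sets shown in the CSP analysis. The public-suffix table, the event record format ({ host, kind }) and the sample tree are constructed assumptions; a real run needs the full Public Suffix List and the browser instrumentation that SMURF provides.

```javascript
// Added example, not code from the SMURF project. All data below is constructed.

// Tiny stand-in for the Public Suffix List (assumption: the real tool needs the full list).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'de', 'co.uk']);

// eTLD+1 of a URL: the registrable domain, i.e. one label more than the longest public suffix.
function etldPlusOne(urlString) {
  const labels = new URL(urlString).hostname.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return labels.join('.'); // no known suffix: treat the whole host as its own party
}

// Inclusion tree node: { url, children: [...] }. Collects the eTLD+1s in the subtree
// that differ from the first party (the eTLD+1 of the loaded page).
function thirdPartiesIn(node, firstParty, acc = new Set()) {
  const party = etldPlusOne(node.url);
  if (party !== firstParty) acc.add(party);
  for (const child of node.children) thirdPartiesIn(child, firstParty, acc);
  return acc;
}

// Render one block in the notation used above: three '=' per level of inclusion depth.
function renderBlock(node, depth = 0, lines = []) {
  lines.push(depth === 0 ? node.url : '='.repeat(3 * depth) + '> ' + node.url);
  for (const child of node.children) renderBlock(child, depth + 1, lines);
  return lines;
}

// Simplified tree: keep only top-level chains with at least two distinct third parties.
function simplifiedBlocks(tree, minThirdParties = 2) {
  const firstParty = etldPlusOne(tree.url);
  return tree.children
    .filter((top) => thirdPartiesIn(top, firstParty).size >= minThirdParties)
    .map((top) => renderBlock(top));
}

// Per-host aggregation of CSP-relevant behaviour. 'strict-dynamic' only propagates
// trust to scripts created via createElement and friends, so a host that inserts a
// script through document.write / innerHTML (kind 'parserInsertedScript', an assumed
// event name) is recorded as a strict-dynamic violator.
function cspAnalysis(events) {
  const result = {
    strictDynamicViolator: new Set(),
    inlineScriptWritingHosts: new Set(),
    inlineHandlerWritingHosts: new Set(),
    evalUsingHosts: new Set(),
  };
  const byKind = {
    parserInsertedScript: result.strictDynamicViolator,
    inlineScript: result.inlineScriptWritingHosts,
    inlineHandler: result.inlineHandlerWritingHosts,
    eval: result.evalUsingHosts,
  };
  for (const { host, kind } of events) {
    if (!(kind in byKind)) throw new Error(`unknown event kind: ${kind}`);
    byKind[kind].add(host);
  }
  return result;
}

// Constructed sample modelled on the shape of the realtor.com output (not a real crawl).
const SAMPLE_TREE = {
  url: 'https://www.realtor.com/',
  children: [
    { url: 'https://www.realtor.com/rdc_user_check.js', children: [] }, // first party only: dropped
    {
      url: 'https://securepubads.g.doubleclick.net/tag/js/gpt.js',
      children: [
        { url: 'https://adservice.google.de/adsid/integrator.js', children: [] },
        { url: 'https://securepubads.g.doubleclick.net/gpt/pubads_impl.js', children: [] },
      ],
    },
    {
      url: 'https://assets.adobedtm.com/launch.min.js',
      children: [{ url: 'https://connect.facebook.net/en_US/fbevents.js', children: [] }],
    },
  ],
};

const SAMPLE_EVENTS = [
  { host: 'www.realtor.com', kind: 'inlineScript' },
  { host: 'www.realtor.com', kind: 'eval' },
  { host: 'securepubads.g.doubleclick.net', kind: 'parserInsertedScript' },
  { host: 'securepubads.g.doubleclick.net', kind: 'inlineHandler' },
  { host: 'c.amazon-adsystem.com', kind: 'eval' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const block of simplifiedBlocks(SAMPLE_TREE)) {
    console.log(block.join('\n') + '\n' + '='.repeat(60));
  }
  console.log(cspAnalysis(SAMPLE_EVENTS));
}
```

Run it with node to see two blocks (gpt.js and the Adobe launch script) while the first-party-only rdc_user_check.js chain is suppressed, and note that doubleclick.net and google.de count as two different parties even though both belong to the same company, which is exactly the "without extended same-party" caveat in the legend.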