Google Funding Choices

ihateads

New Member
tl;dr Blocking fundingchoices.google.com and fundingchoicesmessages.google.com at the network level still shows a sticky footer on affected pages. This is due to an inline script that base64-encodes the strings which trigger the functions and message. Adding #%#//scriptlet('abort-current-inline-script', 'atob', '/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?/') blocks them. However, this solution may be too broad and feedback based on my research is welcome.

Example sites
https://thehill.com
https://www.word-grabber.com
https://www.cnnturk.com

Steps to reproduce ad/annoyance:
  1. Block fundingchoices.google.com and fundingchoicesmessages.google.com. I added these to my NextDNS deny list, but ||fundingchoices.google.com and ||fundingchoicesmessages.google.com should work in your AdGuard User rules filter.
  2. Visit one of the example sites above.
  3. Note that although the network requests are blocked, a yellow sticky footer appears on the page with the string, "You are seeing this message because ad or script blocking software is interfering with this page." (See word-grabber.com example screenshot.)
Searching the page's source code for the string shown in the message yields no matches. Upon closer review of the code, we find an interesting inline script which makes the following call:

Code:
window.__475an521in8a__("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");
(See CNNTurk.com Source Code screenshot.)
I used a decoder tool to see if I could figure out if the string is readily decoded. It is: it's base64 encoded. The obfuscated code reads:
Code:
["2327203f1af21932",[null,null,null,"https://fundingchoicesmessages.google.com/f/AGSKWxUNIvY0BMEhonWDm6x9yh4CB74hiAc8p1c-qwo8lCnsWTG-Tqj9rWPRJHsLRa9KQAXaUM2dqbRpvDfkVOGm"]
,20,null,100,null,"https://fundingchoicesmessages.google.com/l/AGSKWxW_YfDV82cFUAkxnUow4IRCLm4vGnsdEKCTEYm7X_H4t95mLX_YdPmezlFqESrdKZzxWQUPmdXDyY8fUeYU?ab\u003d1","https://fundingchoicesmessages.google.com/l/AGSKWxVHRj9ed5508DWTEpTSv4ChUISHe-mjqmKMNWDXHOP994NvFG0aR3WQ4OSVWg9wBixvlHxdcXJihMHlJNEQ?ab\u003d2\u0026sbf\u003d1","https://fundingchoicesmessages.google.com/l/AGSKWxXwURlbWw8tUd8m2XCBdbttpZEyW9BaUY0JkHEcnU8cs27lEV9EoT73D8Cu8pWUamwBI0JUsMuEAEPyLge7?sbf\u003d2","MjMyNzIwM2YxYWYyMTkzMg\u003d\u003d",[null,null,null,"https://www.gstatic.com/0emn/f/p/2327203f1af21932.js?usqp\u003dCAk"]
,"div-gpt-ad"]
We're getting warmer.

Examining the inline script some more, we find another base64-encoded string:
Code:
WW91IGFyZSBzZWVpbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg==
Decoded:
You are seeing this message because ad or script blocking software is interfering with this page.
Bingo. We found our annoyance.

A quick source code search shows the obfuscated line is used on at least 263 sites at the time of this post. A diff of the inline code between word-grabber.com and thehill.com shows the base64-encoded string is consistent, despite several differences elsewhere in the scripts (see line 128).

So, how do we block this?

My first thought was to block the top-level call. My search reveals at least 207 sites use window.__475an521in8a__ and 56 sites use window.__d3lUW8vwsKlB__. (Which adds up to 263 total sites, indicating there's probably just the two versions of the inline script.) Sadly, adding #%#window.__475an521in8a__ = undefined; and #%#window.__475an521in8a__ = function() { return true; }; didn't seem to work.

My next thought was to block the method which calls:
Code:
atob("WW91IGFyZSBzZWVpbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg==")
So I tried this:
Code:
#%#//scriptlet('abort-current-inline-script', 'atob', '/WW91IGFyZSBzZWVpbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg==/')
That worked! :D

The next question I wondered about was whether I could catch all calls to atob() that are base64-encoded. According to the documentation, the abort-current-inline-script scriptlet allows a regex as a search parameter. After finding a suitable base64 regex, we arrive at the following solution which covers our bases (no pun intended):
Code:
#%#//scriptlet('abort-current-inline-script', 'atob', '/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?/')
That solves the problem, but I'm concerned that it's indiscriminate given that it blocks any method which uses atob() to decode base64-encoded strings. Feedback about further refining this scriptlet to block only Google Funding Messages is welcome.

P.S. Although the DOM structure is consistent, the class names are not. Targeting the rendered CSS i.e., bottom: 0px; left: 0px; position: fixed; box-shadow: rgb(136, 136, 136) 0px 0px 12px; display: flex; justify-content: center; font-family: Roboto, Arial;, is a potential second approach. Interestingly, the background color is slightly different on different pages, yet renders a shade of yellow and the z-index is greater than 2147483000—at least on my computer.
 

Attachments
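Why the broad rule in the post above is indiscriminate, as an added example (not part of the original posts and not AdGuard's scriptlet code): a simplified model that assumes the scriptlet tests its search parameter against the text of the inline script that accessed atob. The function names and the sample scripts are constructed for illustration.

```javascript
// Added illustration; simplified model, not AdGuard's scriptlet implementation.
// Assumption: the 'search' argument is tested against the text of the inline
// script that touched atob; '/.../' is a regex, anything else a literal.
function toRegExp(search) {
  if (search.length > 2 && search.startsWith('/') && search.endsWith('/')) {
    return new RegExp(search.slice(1, -1));
  }
  return new RegExp(search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
}

function wouldAbort(inlineScriptText, search) {
  return toRegExp(search).test(inlineScriptText);
}

// Length of the first match: 0 means the pattern matched the empty string.
function firstMatchLength(inlineScriptText, search) {
  const m = toRegExp(search).exec(inlineScriptText);
  return m ? m[0].length : -1;
}

// Encoded message string quoted in the post.
const MESSAGE_B64 = 'WW91IGFyZSBzZWVpbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg==';
const SPECIFIC = '/' + MESSAGE_B64 + '/';
const BROAD = '/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?/';

// Constructed inline scripts (sample input, not taken from any site).
const samples = {
  fundingChoices: 'var msg = atob("' + MESSAGE_B64 + '"); render(msg);',
  unrelatedBase64: 'var cfg = JSON.parse(atob("eyJ0aGVtZSI6ImRhcmsifQ=="));',
  noLiteral: 'var s = atob(window.payload);',
  empty: '',
};

function report(search) {
  const result = {};
  for (const [name, text] of Object.entries(samples)) {
    result[name] = wouldAbort(text, search);
  }
  return result;
}

console.log('broad   ', report(BROAD));
console.log('specific', report(SPECIFIC));
console.log('broad match length on empty script:', firstMatchLength('', BROAD));
```

Both groups in the broad pattern are optional and the pattern is unanchored, so it matches the empty string and therefore every script text; only the rule built from the literal encoded message separates the Funding Choices script from the other samples.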

Alex302

Filters Developer
Staff member
Administrator
@ihateads Hi. Please check this rule:
Code:
body > div[class][style*="position: fixed; width:"][style*="z-index: 21474"][style*="justify-content: center; font-family: Roboto, Arial;"]
It does not break the script, but it is safer and simpler than scriptlets.
 