Determine that the user has Wikipedia blocked.

Roskomnadzor recently attempted to block access to Wikipedia from the territory of the Russian Federation . The attempt failed , and it's time to go to the counter. In the article under the cut, I will show that if user X has visited site A, then site A can determine if another site B is blocked for the user.

And then, in the emerging tradition , the presentation will go in question-answer form.

What is it all for?

When discussing the blocking of Wikipedia, the community noticed two circumstances that are very beneficial to censorship. First, Wikipedia uses HTTPS and, moreover, HSTS. This means that an encyclopedia can only be blocked entirely (with an accuracy of the domain), but it cannot be redirected to the notorious page with a message about blocking. Instead, a connection establishment error message is displayed. This looks like an internal problem of Wikipedia and alleviates the user's dissatisfaction with the actions of Roskomnadzor; At the same time, feedback is necessary for the development of a legal state. Secondly, even if users find out about blocking, many of them simply won’t know what to do. Hang a permanent die “If you block Wikipedia, download Tor Browser!” On non-caring sites at least strange; At the same time, notifying users about blocking Wikipedia and ways to circumvent it is necessary. The solution of the problem and trying to give this article.

What is it all about?

This is a fairly universal way to determine the availability of virtually any (previously investigated) site on the client side, using Javascript.
')
UPD: According to the advice of comrades bakhirev and xobotyi, the mechanism of work has been changed. The most interesting part with entertaining geometry turned out to be unnecessary, the definition was rewritten on events.

I want a demo!

You are welcome!

The same entertaining geometry is to print when prohibiting cross-domain events for images.

How it works?

An invisible block of HTML code is created, containing two images: one control - from a knowingly non-existent URL, the second signal - any image from the checked site. If their sizes coincide after some time, it means that the image from the checked site has not loaded, that is, it either “lies” so much that it cannot give even static, or is blocked.

And more?

An image in HTML, inserted by the img tag, is by default defined by the image file itself. The image that failed to load, also has some dimensions - in different browsers are different. Here they are (width x height):

Firefox 37.0 - 24x24
Chrome 44.0.2403.155 - 0x0 (before loading), 20x20 (with unsuccessful loading)
Opera 12.16 - 114x22

You can get the size of an item in Javascript using the properties of the .offsetWidth and .offsetHeight element

And if suddenly the signal image in size coincides with what the browser displays on error?

This is rather unlikely, given that both width and height are compared. You can request two images of obviously different sizes and compare their sizes. If they match, the download failed. And yet it is better not to pull favicons as the only images.

And the source?

On the githaba under GPLv3.

And how to use it all?

I tried to make the code readable, although, of course, this does not free me from giving an example.

chasAntidot.testSiteWithImg({ url: 'https://ru.wikipedia.org/static/images/project-logos/ruwiki.png', //URL - ifBlocked: function(){message('');}, //callback,   ifNotBlocked: function(){message(' ');}, //callback,    time: 3500, //    ,   4000 secondImage: 'https://ru.wikipedia.org/favicon.ico', //URL   -  });

No additional jQuery type libraries are required, all on pure JS.

Well, I am ready to inform my users about the possible blocking of Wikipedia! Can I get the code ready?

First, in any case, the library itself is better to download to your site. imtqy.com is not insured against blocking. Secondly, for pure JS such an option is possible, for example:

 chasAntidot.createBanner( ', <a href="https://ru.wikipedia.org"></a> . <a href="http://rublacklist.net" target="_blank">,   !</a>', { url: 'https://ru.wikipedia.org/static/images/project-logos/ruwiki.png', secondImage: 'https://ru.wikipedia.org/favicon.ico', } );

This, of course, works, but not very nice :) Patches that add features to create banners using various libraries are welcome!

And if Wikipedia really falls?

In this case, you can use a similar mechanism by comparing the availability of images directly and through some anonymizer. In this case, the resource can be considered blocked if and only if the image is visible through the anonymizer, and not directly. True, the anonymizer can also be blocked, and then you have to check its availability too - for example, by requesting a picture from the RKN site itself.

Where else is there any sense of this in the national economy?

The mobile version of Wikipedia will be able to warn users about the blocking of the desktop (they are at different addresses and on different domains), and vice versa.
By installing a script with a similar principle of operation on the page, the webmaster will be able to change links to a finite number of blocked resources for links through a proxy on the fly. There is no ready decision, but patches are accepted.
You can accurately identify users who have blocked (it does not matter, the licensor or employer) favorite site (VKontakte, etc.) and offer them to buy a VPN / proxy or use a free proxy with advertising.
~~You can~~ not determine on the client the fact of using TOR / I2P, thus requesting a picture from the domain .onion / .i2p
Want to know if your IPv6 user is active? Just upload a picture to some IPv6 address. Or use the pictures on the servers of someone large (like Google), supporting the new protocol.
And in some cases, you can determine the DNS, which is used by the client. For example, OpenNIC and other NameCoin / .bit
In web interfaces of routers there are also pictures! This means that the model of the router, if desired, can also be determined, even if the web interface is not accessible from the outside.
Finally, you can check the belonging to a particular network. For example, some providers have entire subdomains with sites that are accessible only to their subscribers. Is there not a single picture there? You can check and belonging to corporate networks - if, of course, know what resources are available only from the inside. Maybe you want to show something special to users who access the network via WiFi from the Moscow metro? From the widespread cafe network? Then you should look for pictures on the corresponding authorization page that are accessible only from the inside! Although it must be admitted that the definition of IP is sometimes more justified.
It is impossible to check the presence of any extension that has separate image files using the chrome extension URLs. I always get a "broken" picture.
In some older browsers (IE6?), Which do not block access to local images, you can probably determine the versions of applications installed by the user (Libre Office, GIMP, MS Office, Adobe Photoshop, etc.) with fairly good accuracy - it’s enough to know What pictures of what size are typical for each version? Of course, this will work only if the program is installed in the default directory, but, for example, such a technique will allow you to display on the site instructions for installing the program, which is not available to the user, but is necessary for working with the site. In modern browsers, most likely, does not work.

Source: https://habr.com/ru/post/266553/

All Articles