DNR block rules with lower priority override redirect rules with a higher priority

[lenacohen]

A lower-priority DNR block rule that matches a request is being applied before a higher-priority DNR redirect rule that matches the same request, preventing the redirect from occurring. The only way to get the high-priority redirect rule to occur is to remove the DNR block rule.

Steps to reproduce:

• Create/install a web extension on Safari with the declarativeNetRequest and declarativeNetRequestWithHostAccess permissions
• Open the Web Extension Background Content console and add a redirect rule with a high priority number. For example:

await chrome.declarativeNetRequest.updateDynamicRules({addRules: [
    {id: 5000, condition: {urlFilter: "||www.google-analytics.com*/ga.js", resourceTypes: ["script"], domainType: "thirdParty"}, priority: 80, action: {type: "redirect", redirect: {url: “http://www.apple.com/”}}}
]})

• Add a block rule of lower priority for the same urlFilter:

await chrome.declarativeNetRequest.updateDynamicRules({addRules: [
    {id: 5001, condition: {urlFilter: "||www.google-analytics.com^", domainType: "thirdParty"}, priority: 1, action: {type: "block"}}
]})

• Visit https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html

• Check the network tab and see that neither a request to Google Analytics nor apple.com appear. This means that the request to Google Analytics was blocked instead of being / before being redirected

• Remove the block rule:
  await chrome.declarativeNetRequest.updateDynamicRules({removeRuleIds: [5001]})

• Reload https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html.

• Check the network tab and confirm that there is a request to apple.com, showing that the redirect rule is only applied if the lower-priority block rule is removed. The priority of the DNR rules should handle this without having to remove a DNR rule.

Demo Xcode extension: https://github.com/lenacohen/Safari-Test-Extensions/tree/main/dnr-redirect-block-priority

• Test demo extension on https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html
  • google-analytics.com request should be redirected but is blocked instead

Apple Feedback Assistant Bug Report: FB16535579
Apple Developer Forum Post
Safari version 18.3
MacOS Sequoia 15.3.1

[lenacohen]

Still an issue when I tested on Safari Technology Preview Release 215

[ghostwords]

This breaks our "surrogate" scripts and advanced surrogate API click-to-activate widget replacements.