This repository has been archived by the owner on Jul 21, 2021. It is now read-only.
reliably report web worker and inline script presence
Showing 5 changed files with 143 additions and 65 deletions.
821e457
Yes ok, I will reverse the change for inline scripts (can't for web workers, I need this to detect their use without using an invasive wrapper which I am not sure would be 100% reliable), and accept that uMatrix is unable to guarantee 100% detection of inline script on a page: #485 (comment).
Note that I changed my mind re. not using a CSP report, because of the two following things I became aware of: about:blank as report-uri does not prevent the securitypolicyviolation event from being fired (this means no spurious network requests fired; NoScript uses https://noscript.invalid/) -- I just wish browser devs would allow non-network URI as argument to report-uri.
Edit: this was an answer to @uBlock-user's (now removed) comment
If you are blocking 1st-party script, I can't prevent the console spamming (this was brought up in a distant past in here somewhere). But if you are not blocking 1st-party script, I can prevent it as explained above. I looked into this and finally decided that the spamming for when 1st-party scripts are not blocked will end up being annoying to many users; the alternative is acceptable. As said however, I can't do this for web workers, but they are nowhere near as common as inline scripts.
Sorry, I was trying to edit my comment and accidentally removed it. I can't get it back. Nvm, do what you think is best.
Not unconditionally. When web workers are not forbidden, it injects only a Content-Security-Policy-Report-Only ([Report Only]), which does not prevent web workers from being used. Be sure you reload with bypassing the cache after you allow web workers; it's sometimes needed to prevent the browser from using the old headers.
Yes ok, there is an issue. Investigating.
The workers are not blocked, I can see them appearing in the debugger. There is something going on in there.
Actually, the "Continue with Google" button does not work even after I disable all extensions.
You need to enable 3rd-party cookies; blocking 3rd-party cookies breaks the log in with Google.
So I got it working with uMatrix, but I had to disable the "Block third-party cookies" setting in the browser. So not a uMatrix issue.
I explained above. It's necessary for uMatrix to be able to report both in the logger and the popup panel UI that a site is using web workers. When you enable the switch, uMatrix will inject a "report only" header so that it can still report web worker usage. Without this, it would be impossible to report when web workers are in use, which is key information for a user in deciding whether web workers should be blocked or not.
Let's assume web workers are not blocked by default. Go to https://csgoconfigs.com/. That site immediately creates web workers (assuming 1st-party scripts are enabled). This will be reported in the logger and panel UI (the dot in the switch). So now users know what the site is doing.
When web workers are enabled, it's injecting a Content-Security-Policy-Report-Only header, not a Content-Security-Policy one.