This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

Taking Blocked Frames Further #129

Closed
sanilunlu opened this issue Feb 11, 2015 · 2 comments

Comments

@sanilunlu

While I was browsing medium.com (e.g. https://medium.com/the-city-independent/a-surprisingly-simple-way-to-reduce-traffic-in-your-city-overnight-f3841d281228), I noticed that the sub-frames reference the site itself and then include another frame from embedly.com. But uMatrix did not show a "blocked frame" data blob.
Then I noticed the web site sets some CSP rules that block the data: scheme for frames. I tried to add that through the following functions that modify response headers:
onMainDocHeadersReceived: https://github.com/gorhill/uMatrix/blob/master/src/js/traffic.js#L574
onSubDocHeadersReceived: https://github.com/gorhill/uMatrix/blob/master/src/js/traffic.js#L680
It seems (and should be) that Chrome permits a request only if all related CSPs allow it, so the rule modification should not simply be pushed into the headers but be done on the existing one(s) if any already exist(s). When I tried this it worked. So I think if a website already declares CSP header(s) then those functions should add the "data:" scheme to the allowed frame-src's.

@gorhill
Owner

gorhill commented Feb 11, 2015

Yes, I wrote a TODO note in the source that I should do this.

I am pretty certain I read a long time ago when I started to use CSP that the doc said something like, "if multiple CSP headers exist, the most restrictive directives win". No longer sure if I read this right or whether they changed the spec in the meantime. In any case, this definitely needs to be solved, as more and more sites will start to use CSP headers I suppose.

@gorhill
Owner

gorhill commented May 11, 2015

Excellent test case: github.com, it makes use of a CSP header:

default-src *; script-src assets-cdn.github.com collector-cdn.github.com; object-src assets-cdn.github.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' assets-cdn.github.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.githubusercontent.com *.gravatar.com *.wp.com; media-src 'none'; frame-src 'self' render.githubusercontent.com gist.github.com www.youtube.com player.vimeo.com checkout.paypal.com; font-src assets-cdn.github.com; connect-src 'self' live.github.com wss://live.github.com uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com
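
The following is an added example, not uMatrix's code, of the header rewrite sanilunlu proposes above, run against a policy shaped like the github.com one quoted in this comment. It assumes the header list has the shape chrome.webRequest hands to onHeadersReceived handlers (an array of { name, value }); the function names and the abridged sample policy are this example's own. Two details matter for correctness: when several policies are present (multiple header lines, or one line with comma-joined policies) every one of them must permit the load, so each is edited rather than a new header being appended; and when a policy has no frame-src but does have child-src or default-src, the example adds a dedicated frame-src rather than widening the fallback directive, so script, object and other fetches keep their existing restrictions. A bare `*` is kept but not relied on, since per CSP 2 it does not match data: URLs.

```javascript
// Added example (not uMatrix code): let a data: URL load in a frame by editing
// the site's existing Content-Security-Policy header(s) instead of adding one.

const CSP_HEADER = 'content-security-policy';
// Order in which CSP picks the directive that governs frame loads.
const FRAME_DIRECTIVES = ['frame-src', 'child-src', 'default-src'];

// "dir v1 v2; dir2 v3" -> Map(dir -> [values]). CSP honours only the first
// occurrence of a directive name, so duplicates are ignored here as well.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializePolicy(directives) {
  return Array.from(directives, ([name, values]) => [name, ...values].join(' ')).join('; ');
}

// Rewrite one policy so that frames may load data: URLs. Returns the input
// string unchanged when no directive restricts frames or data: is already allowed.
function allowDataInPolicy(policy) {
  const directives = parsePolicy(policy);
  const governing = FRAME_DIRECTIVES.find((d) => directives.has(d));
  if (governing === undefined) return policy; // frames are unrestricted already
  let values = directives.get(governing);
  if (values.some((v) => v.toLowerCase() === 'data:')) return policy;
  // 'none' would still block everything once data: is appended, so drop it.
  // A bare '*' is kept: it does not match data: (CSP 2), hence data: is added explicitly.
  values = values.filter((v) => v.toLowerCase() !== "'none'");
  // Always write frame-src: widening child-src/default-src would also loosen
  // workers or every other fetch type governed by the fallback directive.
  directives.set('frame-src', [...values, 'data:']);
  return serializePolicy(directives);
}

// Edit every CSP header in a webRequest-style responseHeaders array. A single
// header line may carry several comma-separated policies; all of them must allow
// the frame, so each policy is rewritten individually.
function allowDataFrames(responseHeaders) {
  return responseHeaders.map((h) => {
    if (h.name.toLowerCase() !== CSP_HEADER) return h;
    const value = h.value
      .split(',')
      .map((p) => allowDataInPolicy(p.trim()))
      .join(', ');
    return { name: h.name, value };
  });
}

// Constructed sample: an abridged version of the github.com policy quoted above.
const SAMPLE_HEADERS = [
  { name: 'X-Frame-Options', value: 'DENY' },
  {
    name: 'Content-Security-Policy',
    value:
      "default-src *; script-src assets-cdn.github.com; img-src 'self' data:; " +
      "frame-src 'self' render.githubusercontent.com gist.github.com",
  },
];

function demo() {
  return allowDataFrames(SAMPLE_HEADERS);
}

console.log(demo());
```

Chrome evaluates each policy independently and blocks the frame if any one of them denies it, which is why the rewrite has to touch all of them; a site that ships no CSP header at all is left alone by this function, and the caller can then push its own header as before.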
