This repository has been archived by the owner on Jul 21, 2021. It is now read-only.
While I was browsing medium.com (e.g. https://medium.com/the-city-independent/a-surprisingly-simple-way-to-reduce-traffic-in-your-city-overnight-f3841d281228), I noticed that the sub-frames are referenced to the site itself and then include another frame from embedly.com. But uMatrix did not show a "blocked frame" data blob.
Then I noticed the web site sets some CSP rules that block the data: scheme for frames. I tried to add that through the following functions modifying response headers:
onMainDocHeadersReceived: https://github.com/gorhill/uMatrix/blob/master/src/js/traffic.js#L574
onSubDocHeadersReceived: https://github.com/gorhill/uMatrix/blob/master/src/js/traffic.js#L680
It seems (and should be) that Chrome permits a request only if all related CSPs allow it, so rule modification should not simply be pushed into the headers but be done on the existing one(s) if any already exist(s). When I tried this it worked. So I think if a website already declares CSP header(s), then those functions should add the "data:" scheme to the allowed frame-src sources.
Yes, I wrote a TODO note in the source that I should do this.
I am pretty certain I read a long time ago, when I started to use CSP, that the doc said something like, "if multiple CSP headers exist, the most restrictive directives win". No longer sure if I read this right or whether they changed the spec in the meantime. In any case, this definitely needs to be solved, as more and more sites will start to use CSP headers I suppose.
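The following is an added example illustrating the behaviour described in the issue and in the reply above; it is not uMatrix's own `traffic.js` code. It assumes only the `[{ name, value }, ...]` header-array shape that the `webRequest` `onHeadersReceived` API passes to a listener; the function names (`parseCsp`, `responseAllowsDataFrame`, `allowDataFrames`) and the sample policies are constructed for the example. It shows two things: a `data:` frame passes only if every `Content-Security-Policy` header on the response allows it (so pushing an extra `frame-src data:` header never loosens anything), and the fix the issue proposes, amending the frame-governing directive of each existing policy instead.

```javascript
// Header name as it appears on responses; comparison is case-insensitive.
const CSP_HEADER = 'content-security-policy';

// Parse one CSP header value into a Map: directive name -> array of source tokens.
// Per the spec, a repeated directive name inside one policy is ignored (first wins).
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return Array.from(directives, ([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// CSP3 fallback chain for nested browsing contexts: frame-src -> child-src -> default-src.
function frameDirective(directives) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) return name;
  }
  return null;
}

// Does this single policy permit a data: frame? Note that '*' does NOT match data:,
// so only an explicit 'data:' source allows it.
function policyAllowsDataFrame(directives) {
  const name = frameDirective(directives);
  if (name === null) return true; // no directive governs frames: unrestricted
  return directives.get(name).some(s => s.toLowerCase() === 'data:');
}

// Multiple policies are enforced independently: the load must satisfy ALL of them.
function responseAllowsDataFrame(headers) {
  return headers
    .filter(h => h.name.toLowerCase() === CSP_HEADER)
    .every(h => policyAllowsDataFrame(parseCsp(h.value)));
}

// The fix proposed in the issue: instead of pushing a new header, add 'data:' to the
// frame-governing directive of every existing policy. Returns a new header array.
function allowDataFrames(headers) {
  return headers.map(h => {
    if (h.name.toLowerCase() !== CSP_HEADER) return h;
    const directives = parseCsp(h.value);
    const name = frameDirective(directives);
    if (name === null) return h; // this policy does not restrict frames
    // If frames are only governed through a fallback directive, introduce an explicit
    // frame-src copied from it, so the loosening is scoped to frames only.
    if (name !== 'frame-src') directives.set('frame-src', directives.get(name).slice());
    const sources = directives.get('frame-src');
    if (!sources.some(s => s.toLowerCase() === 'data:')) {
      // 'none' cannot coexist with other sources, so drop it before appending.
      const cleaned = sources.filter(s => s.toLowerCase() !== "'none'");
      directives.set('frame-src', [...cleaned, 'data:']);
    }
    return { name: h.name, value: serializeCsp(directives) };
  });
}

// Constructed sample response: two CSP headers, the second forbidding frames entirely.
const SAMPLE_HEADERS = [
  { name: 'Content-Type', value: 'text/html' },
  { name: 'Content-Security-Policy', value: "default-src 'self'; frame-src 'self' https://embed.example" },
  { name: 'Content-Security-Policy', value: "frame-src 'none'" },
];

// Naive approach from the issue: appending a permissive header changes nothing.
const NAIVE_PUSH = [...SAMPLE_HEADERS, { name: 'Content-Security-Policy', value: 'frame-src data:' }];
```

Calling `responseAllowsDataFrame(SAMPLE_HEADERS)` and `responseAllowsDataFrame(NAIVE_PUSH)` both return `false`, while `responseAllowsDataFrame(allowDataFrames(SAMPLE_HEADERS))` returns `true`; the rewritten policies read `default-src 'self'; frame-src 'self' https://embed.example data:` and `frame-src data:`.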