Pages can detect uMatrix's presence with pure CSS

[ThrawnCA]

From https://forums.informaction.com/viewtopic.php?p=80443#p80443:

It seems there is no way to disable completely µMatrix editing the DOM of a page when it blocks things like images. This means that in default configuration µMatrix can be detected by web pages, and even disabling the placeholders it can still be detected by the web page that something blocked the image load (even using pure CSS - e.g. #someElement > img:not([src="<original_image_src>"]) type selector). Also it is not possible to copy a blocked image's URL out of the DOM.

Please add a way to completely disable µMatrix editing the DOM. Or if it already exists, please document it. Thanks.

[gorhill]

I will fix providing the URL of the blocked image as noted, but I won't fix "pages can detect uMatrix's presence with pure CSS": there is no such thing as [src=""] when enabling the collapsing of placeholder (see) -- the src attribute is not modified in such case. Blocking stuff will always causes the DOM to be different than not blocking stuff (the error event will be raised for blocked images), it's an impossible mission to block stuff without leaving a trace, and this is also true for NoScript.

[gorhill]

I gave more thoughts on this. To recapitulate:

• Placeholders collapsed = display: none !important; style added to blocked images/frames.
• Placeholders not collapsed = data URI assigned to src of blocked images/frames to provide the visual cue something was blocked by uMatrix (similar to what RequestPolicy does). If I remember correctly though, RequestPolicy saves the original URL into a custom data- attribute (I vaguely remember because of this).

What you are asking is:

• Placeholders not collapsed + no special visual cue uMatrix blocked something, i.e. fall back on browser's default behavior.

[ThrawnCA]

Yes, your recapitulation is correct. In case it wasn't clear, the reason for asking for this option is that falling back on browser default behavior and making no changes to the DOM means that blocking detection requires JavaScript and it becomes impossible for a web page to figure how or where the blocking was done: there would be no way to tell that something in the browser is doing the blocking vs a network error or "error ;) " of some sort.

By contrast, changing the web page's DOM necessarily means that there is a CSS selector that can detect the change and thus pure CSS can alter the page's look & behavior in undesirable ways. (I think barbaz at informaction sent you a PM there with more info)

Also some text was stripped out of the CSS selector, that was supposed to say [src="original_image_src"]
And probably should have said "it can still be detected by the web page that something in the browser blocked the image load" in the description.

[Okamoi]

Hi,

What is the state of things regarding this issue with WebExtensions ? It is rather nice that websites are unable to detect blocking unless they have JavaScript.

[laniakea64]

What is the state of things regarding this issue with WebExtensions ?

It's the same. This is just as much an issue in uMatrix/webext as it was in uMatrix/legacy.

(btw I'm actually the original reporter. Thanks ThrawnCA for helping me with this until I could sign up on Github 👍 )

[laniakea64]

I can confirm this is fixed in b2e760f with the setting imagePlaceholder false. Thank you gorhill! 😄