This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

uMatrix is causing iframe data to be mangled in the latest version of chrome #912

Closed
apschultz opened this issue Jan 9, 2018 · 32 comments

apschultz commented Jan 9, 2018

Chrome Version 63.0.3239.132 (Windows 10, latest creators update)
uMatrix Version 1.2.0

I have an internal webpage for my company that uses many iframes to display content (even iframes within iframes). After allowing Chrome to install the latest version, this website no longer works properly. When using the developer console, I can see that the page requests for the iframe data are mangled. A small snippet of some of the data:

�‹��í½�`�I–%&/mÊ{�JõJ×àt¡�€`�$Ø�@�ìÁˆÍæ’ì�iG#)«*�ÊeVe]f�@Ìí�¼÷Þ{ï½÷Þ{ï½÷º;�N'÷ßÿ?\fd�löÎJÚÉž!€ªÈ�?~|�?"�ÿ®O¿šÎëj‘�¶û‘ôÃ�–�}òÑe‘_­ªºõ^º*fíü³Y~YLómþc”�Ë¢-²r»™f%Á�ï($�Ó÷Šóôì4=ø>�òc�›i]¬Ú´½^�ø6�×Þýéì2“Oå­�»*–³êj\VS¸ZŽçu~ž~–~Ô.Ú:›¾�ÏÊò÷hæyY~Fôú…M;{™]ä¿°Í�«2kóÏòº^/›õ xç³_¸È›†¾ÿlï£C†þø®tÆ}=þ]¿—/gÅù÷ �å»�ôÒ¦ž~ö‘ûàîÞ½Ýݽ�ÝOïß»�÷^=[eu{}·¬.ö]›ñO7��y}r/La�ŽN„ºÛo¨_�ÖŒ±@y˜NçYÝäíg_½y¶}ðQz—@õÁ¼ÇT��Aëë—FyAüÙ�Ýf�Ôä|½œbZÓf²x^]¼nד­;¿ø—üƉû{¼ª«¶��šö_ü�'iŠ‰Ï�¥æ]¼0Âç³|

Under normal circumstances this would be HTML. I narrowed down the issue to uMatrix by disabling a single plugin at a time. With uMatrix enabled, I see the problem consistently with my internal website (note: I do have other sites that use far fewer iframes that do not show the problem). With uMatrix disabled, I see the problem with one or more iframes for this particular site. I do not believe it is necessarily related to what rules are enabled, as my first attempt at resolving the problem was simply to disable uMatrix for the base level domain. That seems to have had no impact on the issue.

I believe it is directly related to iframe processing as I can capture the URL that would be displayed in the iframe, load it as an individual tab, and the data loads completely normally, even with uMatrix enabled for the domain.

Something about this issue seems to be transient as well. As noted above, it doesn't happen to all pages with iframes, only on a particular page that has many iframes. If I refresh the page multiple times, some of the iframes will sometimes load correctly. More curiously, which iframes load correctly seems to change from refresh to refresh.


gorhill commented Jan 9, 2018

Duplicate of #907.

I can't reproduce such an issue, so there is nothing I can do. uMatrix injects CSP in the response headers; please investigate on your side whether this is what is causing your issue, and find out why.

@apschultz
Author

I wouldn't know where to begin to investigate this. If you have a way to prevent the header modification I'd be glad to test, or if you know of any other sites/plugins that inject CSP I'd be glad to try those as well. I've never looked at Chrome's code, built or installed a developer edition of Chrome, so I'm not going to be useful trying to figure out what changed that breaks the way uMatrix handles frames.


gorhill commented Jan 9, 2018

Here is a page with many frames: http://metalelf0.github.io/VimColorSchemeTest-Ruby/python.html

No issue here.

Unless more investigation is made by those who have the issues, so as to make the case the issue is with uMatrix specifically, I will have to close this issue. Could be Chromium, or your internal server (both of you share this trait).


gorhill commented Jan 9, 2018

With uBlock Origin you can force a CSP header to be added to the response headers:

||example.com^$csp=worker-src 'none'


gorhill commented Jan 9, 2018

Also duplicate of #698.


gorhill commented Jan 9, 2018

I looked at ruleset of user in #698, and he was blocking 1st-party scripts, which means uMatrix had to inject a CSP header in order to prevent inline script execution.

uMatrix 1.2.0 injects a CSP header all the time now, in order to detect web worker usage or to block web worker usage.

This suggests there might be a bug in Chromium when it comes to dealing with response headers modified by an extension.


gorhill commented Jan 9, 2018

> I have an internal webpage

Is the charset declared in the response headers? Otherwise are the pages served with the <meta charset="..."> tag near the top?


apschultz commented Jan 10, 2018

This is infuriating. I'm at home now on my company's VPN and I'm not seeing the issue. I have to use an SWG remotely, so something else may be modifying content.

Here are the response headers currently reported. I'm going to try to see if I can access an internal node to look at the headers I get from the local network.

Cache-Control:private
Content-Encoding:gzip
Content-Length:9848
Content-Type:text/html; charset=UTF-8
Date:Wed, 10 Jan 2018 01:31:05 GMT
Expires:0
Persistent-Auth:true
Server:Microsoft-IIS/7.5
Set-cookie:authrequired=
Strict-Transport-Security:max-age=157680000
Vary:Accept-Encoding
X-Powered-By:ASP.NET


apschultz commented Jan 10, 2018

I was able to reproduce the problem with a fresh install of Chrome in ubuntu with only the uMatrix plugin present.

Response headers from the failed requests:

Cache-Control:private
Content-Encoding:gzip
Content-Length:9850
Content-Type:text/html; charset=UTF-8
Date:Wed, 10 Jan 2018 01:47:45 GMT
Expires:0
Persistent-Auth:true
Server:Microsoft-IIS/7.5
Set-cookie:authrequired=
Vary:Accept-Encoding
X-Powered-By:ASP.NET

It is interesting to note the additional "Strict-Transport-Security" header in the request that works.


apschultz commented Jan 10, 2018

Sorry for the spam. It just occurred to me I've been answering the wrong question.

The response has 2 meta tags:

meta http-equiv="Content-Type" content="text/html; charset=UTF-8"
meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1"


gorhill commented Jan 10, 2018

The only thing uMatrix does to these response headers is as follows:

Cache-Control:private
Content-Encoding:gzip
Content-Length:9850
Content-Type:text/html; charset=UTF-8
Date:Wed, 10 Jan 2018 01:47:45 GMT
Expires:0
Persistent-Auth:true
Server:Microsoft-IIS/7.5
Set-cookie:authrequired=
Vary:Accept-Encoding
X-Powered-By:ASP.NET
Content-Security-Policy-Report-Only: ...

That is, to simply add a Content-Security-Policy and/or Content-Security-Policy-Report-Only header according to how uMatrix is configured. Nothing else is done to these headers, and uMatrix does nothing with the response data itself, that is out of uMatrix's reach.

Given this I think you should submit an issue to Chromium devs -- but they will also have difficulty dealing with a non-reproducible case on their side.

Are the frames for which you have garbled data https? I thought it might be an encoding issue, but given this seems related to Strict-Transport-Security, now I wonder if the garbled data is un-decrypted encrypted data.
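One way to check what the garbled bytes actually are, as an added example that is not part of the original thread: the posted headers declare `Content-Encoding: gzip`, so a body that reached the renderer without being decoded starts with the gzip magic bytes and inflates back to HTML, while anything else stays opaque. The function names, verdict strings and sample data are constructed for illustration; the code runs under Node.js.

```javascript
// Added example (not from the thread): classify a response body saved from a
// frame that rendered as garbage. Names and verdict strings are illustrative.
const zlib = require('zlib');

// Constructed sample: HTML as a server sending "Content-Encoding: gzip" emits it.
const SAMPLE_HTML = '<html><body>intranet frame</body></html>';
const SAMPLE_WIRE = zlib.gzipSync(Buffer.from(SAMPLE_HTML, 'utf8'));

// Case-insensitive lookup in a plain { name: value } header object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key ? String(headers[key]).trim().toLowerCase() : '';
}

function isValidUtf8(buf) {
  try {
    new TextDecoder('utf-8', { fatal: true }).decode(buf);
    return true;
  } catch (e) {
    return false;
  }
}

// body: Buffer with the bytes handed to the renderer.
// headers: response headers as listed in the DevTools network panel.
function diagnoseBody(body, headers) {
  const declared = headerValue(headers, 'content-encoding');
  // RFC 1952: a gzip member starts with 1f 8b, then 08 for deflate.
  const looksGzip = body.length >= 3 &&
    body[0] === 0x1f && body[1] === 0x8b && body[2] === 0x08;
  if (looksGzip) {
    try {
      const html = zlib.gunzipSync(body).toString('utf8');
      // The content coding was never removed before rendering.
      return { verdict: 'gzip-not-decoded', declared, preview: html.slice(0, 40) };
    } catch (e) {
      // Magic matches but the stream is cut short or damaged.
      return { verdict: 'gzip-truncated-or-corrupt', declared, preview: '' };
    }
  }
  if (isValidUtf8(body)) {
    return { verdict: 'decoded-text', declared, preview: body.toString('utf8').slice(0, 40) };
  }
  // Neither gzip nor text: e.g. another content coding or ciphertext.
  return { verdict: 'opaque-binary', declared, preview: '' };
}
```

To run it on a real capture, save the frame's raw response body to a file and pass `fs.readFileSync(path)` as `body` together with the headers shown for that request.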

@apschultz
Author

Yes, all the frames are accessed over https.


embix commented Jan 11, 2018

We have the same render issue for multiple local sites (TFS/https, other IIS webprojects even with http and without iframes). Common denominator so far is Chrome/uMatrix/IIS hosted.

update: I suspect Windows Auth to be also involved as I cannot reproduce the issue on IIS/http/noauth Sites. Funny thing is that reloading/F5 in most cases produces correct output.


embix commented Jan 11, 2018

The browser is at least part of the problem but everything is fine, once you disable all extensions in chrome.


gorhill commented Jan 11, 2018

> The browser is at least part of the problem but

Extensions use the browser API. Please report to Chromium devs, there is nothing uMatrix is doing to cause this garbled data.


embix commented Jan 11, 2018

As suggested I filed an issue in the chromium bug tracker.

Feel free to contribute there - We all want that bug fixed.


th0ma5w commented Jan 11, 2018

Maybe you can add the ability or give some clues as to enable / disable this option? Is there an archive of old plugin versions as well somewhere? Perhaps I could just switch to an older version. This issue makes my browser fairly unusable.


gorhill commented Jan 11, 2018

@th0ma5w On what site(s) do you suffer the issue?


th0ma5w commented Jan 11, 2018

Sorry, I did find *.18 and reverted to that. My organization uses a MS proxy, which given the various other issues seems to be the culprit... if any request to any site has some additional header that it may or may not expect, it stops working well at all. HTTPS sites work as the proxy doesn't seem to see those, but redirects from non-HTTPS links break, and all in all it made for a very wonky experience. *.18 seems to work fine, however.

gorhill added a commit that referenced this issue Jan 11, 2018

gorhill commented Jan 11, 2018

> My organization uses a MS proxy, which given the various other issues seems to be the culprit... if any request to any site has some additional header that it may or may not expect, it stops working well at all.

Aren't you referring to request headers? uMatrix may modify only the following request headers, according to your ruleset:

  • Cookie: will be removed if cookies are blocked for the destination.
  • Referer: will be modified if "Spoof HTTP referrer string of third-party requests" is enabled in the relevant scope.

In any case, I just added the raw setting disableCSPReportInjection in 1.2.1rc0, default to false. Set to true to prevent injection/modification of Content-Security-Policy-Report-Only in response headers. (documentation)


th0ma5w commented Jan 12, 2018

Sorry for the delay in responding. With this setting set to "true" the browser behaves normally. The response header is not present.

When set to false, I typed in "feedly.com" (although many other sites behave like this) and immediately received a "407" blank page. I didn't capture the headers at this point, but when I again typed in "feedly.com" into the same tab, it loaded and the response header was present as "Content-Security-Policy-Report-Only:worker-src 'none'; report-uri about:blank"

I then tried opening a new tab, Chrome's Google plus recent sites content is shown, I enabled the developer tools, selected network, and then selected preserve logs. I then typed in news.ycombinator.org and everything worked. However, the Content-Security-Policy-Report-Only header was not present.

I repeated the same process, new tab, enabled developer tools, preserve log, typed lite.cnn.io ... this time, I received a blank page. It appears to be a redirect, however, the redirect is not followed and the page does not render. Below are the complete headers, except censored a little to hide organizational details that are probably not relevant. It doesn't appear that the new header is present in the response, but the browser behaves incorrectly and doesn't follow the redirect.

Request URL:http://lite.cnn.io/
Request Method:GET
Status Code:301 Moved Permanently
Remote Address:192.168.XXX.XXX:8080
Referrer Policy:no-referrer-when-downgrade

Response Headers
Accept-Ranges:bytes
Age:1
Cache-Control:max-age=60
Content-Length:0
Date:Fri, 12 Jan 2018 18:18:40 GMT
Fastly-Debug-Digest:XXXXXX8e6ae07f09ce38dab7ed348bd59b064485915c69a5147e45a2ef0576a7
Location:/en
Proxy-Connection:Keep-Alive
via:XXX
X-Cache:HIT, MISS
X-Cache-Hits:1, 0
X-Served-By:cache-iad2140-IAD, cache-ord1746-ORD
X-Timer:S1515781121.564984,VS0,VE19

Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.9,it;q=0.8
Host:lite.cnn.io
Proxy-Connection:keep-alive
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Again with the setting as true, everything behaves normally, although the header is not present.


gorhill commented Jan 12, 2018

@th0ma5w So given your findings, would the issue be more accurately described as follows?

"When using a proxy, an extension modifying the response headers may cause Chrome to parse improperly the response body"


th0ma5w commented Jan 12, 2018

That's perhaps about the best I could do... I feel like there's something about the state machine of request - response - render cycle that is being preempted somehow. I do agree with your sentiments elsewhere that it is probably something that the browser should support, and indeed does provide an api for, but is not working in practice. I know browsers are more like a rumor than they are a designed product, so perhaps the sum accumulation of tricks needed to make everything work breaks when certain things are modified in flight... almost like a threading race condition or something. Best of luck with this, and thank you so much for your prompt responses, and honestly, the best feeling of web browsing control I've ever had thanks to this extension.

@SergeiShir

Hello.

I started to suffer from the exact same issue after Chrome got updated to its latest version (63.0.3239.132 Official Build 64-bit) and uMatrix 1.2.0:

  1. My company's intranet web site displays garbled text in one frame (example: �����Vmo�6���_�������l��G��f��/]��a�h)
  2. Many links on the company's intranet web site now misbehave:
    Object Moved - This object may be found
  3. Working in Incognito mode, or disabling the uMatrix extension resolves the issue
  4. I attached these files Files.zip:
    A) Chrome - Dev Tools - Incognito mode - frame without garbled text.png
    B) Chrome - Dev Tools - Usual and Incognito mode - raw HTML for the problematic frame.png
    C) Chrome - Dev Tools - Usual mode - frame with garbled text.png
    D) Chrome - Dev Tools log.txt
    E) uMatrix - logger.txt


gorhill commented Jan 14, 2018

@SergeiShir please report your findings on the Chromium issue, as said issue is not uMatrix (it could be your proxies too I suppose?), uMatrix just adds one header using webRequest API, as allowed by the API.

If people report on the Chromium issue, it has more chance to be looked at (star it too). I will lock this issue because just adding "me too" to it does not help to have it resolved.

Meanwhile, workaround is this.

Repository owner locked and limited conversation to collaborators Jan 14, 2018
Repository owner unlocked this conversation Jan 14, 2018

gorhill commented Jan 14, 2018

One extra bit of information which could be useful: Can you reproduce the same issue with uMatrix on FF57+? (with disableCSPReportInjection set to false of course)

@apschultz
Author

With all default FF settings and uMatrix set to allow all, I cannot reproduce this. Where/how do I set disableCSPReportInjection to false to verify?


gorhill commented Jan 14, 2018

disableCSPReportInjection is false by default.

So this further confirms a browser bug.

@apschultz
Author

Absolutely agree this is browser specific if not a problem in Chrome.

It also appears to be platform independent. As noted earlier, I can reproduce with the latest Chrome in ubuntu. I just tried with the latest FF in ubuntu and cannot reproduce the issue.


Monter commented Jan 15, 2018

Why do you suggest that this is a Chrome problem and not your plugin since version 1.1.20 works correctly? The problem only occurs with HTTPS websites and may result from modifying the content by the plugin. Try this:[hidden]
As I wrote earlier, after refreshing the page, the right content appears.

EDIT:
Setting disableCSPReportInjection to true solves the problem.


embix commented Jan 15, 2018

> problem only occurs with HTTPS websites

@Monter The problem is not limited to HTTPS. I can reproduce the problem with HTTP+winauth with a site in staging (In production you'd use auth with https, http+auth is a rare scenario nowadays).

Repository owner locked and limited conversation to collaborators Jan 15, 2018

gorhill commented Apr 15, 2018

Reportedly fixed in Chromium 66: https://bugs.chromium.org/p/chromium/issues/detail?id=801237.

@gorhill gorhill closed this as completed Apr 15, 2018