
Globally forbid non-HTTPS scripts?

[Open] Celti opened this issue 9 years ago • 14 comments

Given the increasing number of vulnerabilities afforded by allowing JavaScript to run on insecure sites, I think it would be useful if uMatrix (or uBO, I use both) could forbid scripts to run on non-HTTPS sites (with an option to allow it for specific scopes, of course). This would effectively be a new toggle alongside Referrer Spoofing and Strict HTTPS, I would think.

Celti, Jun 09 '16 17:06

See also https://github.com/gorhill/uMatrix/issues/515

Chaz6, Jun 29 '16 15:06

The feature suggested here is merely adding a per-site switch to existing infrastructure/UI, #515 is a grand rewriting of the extension core- and UI-wise.

gorhill, Jun 29 '16 16:06

The problem is that many pages are served with mixed content and by disallowing the non-https parts some do not work properly. Even integrating this new toggle those pages will give errors.

Atavic, Sep 15 '16 20:09

Errors, shmerrors — mixed content can be a massive security risk and I would rather get an error (and either avoid or whitelist that site) rather than not be able to do anything about it.

Celti, Sep 16 '16 00:09

> mixed content can be a massive security risk and I would rather get an error

That was not your original issue. Browsers already block scripts from non-encrypted connections for content pulled from encrypted connections: a script http://example.com/script.js pulled from within https://example.com/index.html will not be allowed by a browser.

gorhill, Sep 16 '16 01:09

> That was not your original issue. Browsers already block scripts from non-encrypted connections for content pulled from encrypted connections: a script http://example.com/script.js pulled from within https://example.com/index.html will not be allowed by a browser.

I'm aware it was not my original issue, I was responding to @Atavic — and I'm a little confused now. If it's the case that such scripts are already blocked in the mixed-content case, then how is this toggle causing errors even a concern at all? One could cause those errors by disabling scripts on any given site, mixed content or not, and it's up to the user whether or not they want to deal with them, as with any sort of content-filtering extension, no?

Celti, Sep 16 '16 01:09

@Celti Sorry I wasn't clear. Javascript vulnerabilities are exploited by malicious websites which are offered either over http or https, so the proposal of adding a new toggle will give more site usability issues, while the security won't be improved.

Atavic, Sep 16 '16 20:09

@Atavic my understanding is that the concerns here are about MITM. Even some ISPs have been caught inserting their own javascript.

gorhill, Sep 16 '16 22:09

The Logger comes in handy; maybe it could have a sensitivity threshold that warns when an uncommon number of behind-the-scene events happen?

Atavic, Sep 17 '16 00:09

I for one would love to have this feature. @Atavic you could just have the toggle globally off if you don't want to use it, so it wouldn't necessarily cause usability issues. Implementing a - rudimentary - IDS in uMatrix (what your suggestion essentially boils down to) is a bit out of scope for the extension imho (and far from a foolproof method anyway, with a huge potential for both false positives and false negatives).

Vaesper, Oct 23 '16 16:10

The threshold should be modifiable by the user, as the score in Karma Blocker.

Atavic, Oct 23 '16 19:10

In uBO:

||http://*$script,important

migueldemoura, Jan 30 '17 17:01

> ||http://*$script,important

The double-pipe || is to anchor to a domain label, it makes no sense to use it in front of https:// or even to use it like ||*. This is the right filter in uBO:

|http:$script,important

gorhill, Jan 30 '17 17:01

Typo on the double |, sorry. Didn't know you could omit the * in that case though. Thanks!

The toggle would be useful, but since you can do this with uBO pretty easily, I would say this is low-prio. You can even add an entry to the uBO's wiki with this snippet.

migueldemoura, Jan 30 '17 18:01
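To illustrate the `||` versus `|` anchor distinction gorhill draws above, here is a small matcher written for this page (not uBO's own filter engine); it implements only the subset of static-filter syntax the thread uses: the `|` start anchor, the `||` hostname anchor, the `*` wildcard and the `$script` / `$important` options, and shows why `||http://*` never matches while `|http:` does.

```javascript
// Constructed example: a minimal subset of Adblock-style filter matching.
// The "^" separator and other options are deliberately not implemented.
function parseFilter(text) {
  const dollar = text.lastIndexOf('$');
  const pattern = dollar === -1 ? text : text.slice(0, dollar);
  const options = dollar === -1 ? [] : text.slice(dollar + 1).split(',');
  // Every option other than "important" is treated as a request type.
  const types = options.filter(o => o !== 'important');
  return { pattern, types, important: options.includes('important') };
}

function patternToRegExp(pattern) {
  let p = pattern;
  let prefix = '';
  if (p.startsWith('||')) {
    // "||" anchors at the start of a hostname label: any scheme, then
    // optional subdomain labels, then the pattern text itself. This is why
    // "||http://..." can only match a hostname label literally named "http:".
    prefix = '^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?';
    p = p.slice(2);
  } else if (p.startsWith('|')) {
    // A single "|" anchors at the very start of the URL, scheme included.
    prefix = '^';
    p = p.slice(1);
  }
  let suffix = '';
  if (p.endsWith('|')) { suffix = '$'; p = p.slice(0, -1); }
  // Escape regex metacharacters in each literal chunk, then join on "*" -> ".*".
  const body = p.split('*')
    .map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(prefix + body + suffix);
}

// Returns true when the filter blocks a request of the given type to url.
function filterMatches(filterText, url, requestType) {
  const f = parseFilter(filterText);
  if (f.types.length > 0 && !f.types.includes(requestType)) return false;
  return patternToRegExp(f.pattern).test(url);
}

// Constructed sample requests to compare the two filters from the thread.
const sampleUrl = 'http://example.com/script.js';
console.log(filterMatches('|http:$script,important', sampleUrl, 'script'));    // true
console.log(filterMatches('||http://*$script,important', sampleUrl, 'script')); // false
```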