task: update wiki [CSP clashes eg 1xCB setting & uM] #497
Comments
RFP is always on so I have to rely on it.
CanvasBlocker, like uMatrix, uses CSP headers to filter contents.
CSP in CanvasBlocker is only used for blocking data: URIs.
No, I'm talking about "Block data URL pages" under "Misc" - uncheck that and CB doesn't interfere with other CSP-modifying extensions like uBO, uMatrix, NoScript, etc.
That's weird, but I will run some tests and get back to you.
@earthlng
result: CanvasBlocker interferes with uMatrix.
uMatrix 1.3.14
That's the problem. See #497 (comment).
Indeed, that's the solution, but correct me if I am wrong ... I thought that setting was for data URIs like
Why does that setting propagate to inline scripts?
No, but more than one extension does it. And this raises issues that Mozilla folks will never solve, IMHO.
Both extensions do work properly, but the outcome respects the 2nd extension (which overwrites the modification of the 1st one).
Contrary to what @Atavic claims, AFAIK no, it's not possible to block the Canvas API with FF prefs.
Well, if uBO for example suddenly allows inline javascript when it should actually block it, I wouldn't say "Both extensions do work properly", but maybe that's just me.
It is.
It's not. One extension uses CSP to block inline scripts and the other uses CSP to block data URIs; only one can win.
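The clash described above (each extension rewriting the Content-Security-Policy header, so the last one wins), as an added example that is not part of this issue or of the uBO, uMatrix or CanvasBlocker code: it models two header handlers plus a small inline-script check, and also shows the alternative of appending a second CSP header, which browsers enforce alongside the first. The two policies are constructed for illustration.

```javascript
// Added example (not from the issue or from uBO/uMatrix/CanvasBlocker): two
// extensions each rewrite the Content-Security-Policy header in a
// webRequest.onHeadersReceived-style handler. Policies are constructed.

// Extension A (uMatrix-like): forbid inline scripts.
const POLICY_A = "script-src 'self'";
// Extension B (CanvasBlocker-like "block data: URLs"): otherwise permissive, but
// the '*' source never matches data:, blob: or filesystem: URLs.
const POLICY_B = "default-src * 'unsafe-inline' 'unsafe-eval'";

const isCsp = h => h.name.toLowerCase() === "content-security-policy";

// "replace" drops any CSP header set by an earlier extension (the clash in the
// thread); "append" adds a second header, which browsers enforce as well.
function applyHandler(responseHeaders, policy, mode) {
  const kept = mode === "replace" ? responseHeaders.filter(h => !isCsp(h))
                                  : responseHeaders.slice();
  kept.push({ name: "Content-Security-Policy", value: policy });
  return kept;
}

// Does one policy let an inline <script> run? Nonces, hashes and
// 'strict-dynamic' are ignored for brevity.
function policyAllowsInlineScript(policy) {
  const directives = new Map(policy.split(";").map(d => d.trim()).filter(Boolean)
    .map(d => { const [name, ...src] = d.split(/\s+/); return [name.toLowerCase(), src]; }));
  const governing = directives.get("script-src") || directives.get("default-src");
  if (!governing) return true;              // policy says nothing about scripts
  return governing.includes("'unsafe-inline'");
}

// Every CSP header on the response must allow the inline script.
function inlineScriptAllowed(responseHeaders) {
  return responseHeaders.filter(isCsp).every(h => policyAllowsInlineScript(h.value));
}

function scenario() {
  const fromServer = [{ name: "Content-Type", value: "text/html" }];  // constructed
  const afterA = applyHandler(fromServer, POLICY_A, "append");
  return {
    serverOnly: inlineScriptAllowed(fromServer),                                // true
    afterA: inlineScriptAllowed(afterA),                                        // false
    clobbered: inlineScriptAllowed(applyHandler(afterA, POLICY_B, "replace")),  // true: A's block lost
    merged: inlineScriptAllowed(applyHandler(afterA, POLICY_B, "append")),      // false: both enforced
  };
}
```

Only the "replace" path reproduces the problem from the thread: B's policy is sound on its own, but replacing A's header silently re-enables inline scripts.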
Edited the previous reply. To me these are chained issues, e.g. the last extension wins, while both extensions do work.
That means CanvasBlocker adds the CSP header by default, without scanning the document for data URIs. That makes sense ... why waste time? I guess that was my blind spot. I'm sure that many of those who are using CanvasBlocker are also using some sort of content filters like uMatrix. So using Isn't that a case for the Wiki?
Well, it's not that easy and I don't think you can explain the issue in 2 sentences. And a lot of people will have no idea which addons can interfere with each other. Do we really want to go there and risk getting tons of questions from people about which of their addons might interfere?
AFAIK you need to disable and enable the one you want to win, not the other way around.
The order is
So, if you have an ESR version with updates disabled the order is static.
I don't know if the order is fixed. AFAIK all extensions are started in parallel and whichever takes the longest to load will win. Unless of course they use some workaround to make sure they always win, like NoScript does for example.
Order varies with updates and is set by install time. |
Try https://1337x.to/home/ - if you see the content, chances are inline script wasn't blocked. If you block everything in uBO AND uMatrix then it's probably not an issue, but I prefer to do all my JS blocking with uMatrix only, for simplicity, because I don't want to unblock everything twice. Font blocking is better done with Request Control for example - that eliminates one of the potential CSP interferences that uBO can cause. But again, if you want to allow fonts on a bunch of sites it's getting a bit annoying to configure that with RC. Since I don't do that it's fine for me. And the whole issue is not just affecting CSP. E.g. blocking cookies with uM or something else will also interfere with WebAPI Manager. I'm sure there are countless other problematic combinations as well.
Why don't you use uBlock's static filter? block third party font block third party fonts / exclude aaa.com, bbb.com... etc.
Yeah, that should work as well. Blocking fonts with RC also seems to block fonts embedded as data: URIs. Don't know if a uBO static filter also does that. I guess it depends what one prefers. Since I already used RC for other things as well I just went with that.
It's probably not worth the hassle tbh. If you don't block 1st-party (inline) scripts with uBO you might not run into too many problems. But uBO also supports csp-overwriting rules and if uBO "wins" against uM then it can lead to JS being allowed in some cases. That's why I use a customized version of uBO that makes sure the CSP is never touched by uBO. But since I most likely won't be able to get it signed and you can't use unsigned addons in FF Release there's no point in discussing my custom uBO any further.
Yes, you can repeat the line. The rule only blocks third-party fonts though, IDK if that's what you want.
If you want to block all fonts, 1st- + 3rd-party, except for a few chosen sites I'd add the
Just change
CSP is not used for blocking fonts with that switch, CSP in uBO is used for blocking inline-scripts and for CSP-esque filters.
It's already there.
Sure, you can use
Yes, they're blocked by types, font is a category of network request which uBO listens through webRequest API, just like script, xhr etc... Also whenever CSP is enforced the policy will be mentioned in the console, you can look it up in dev tools on a website where CSP is enforced.
Filters with
If you want to allow first-party and block third-party you will need to use filters; the switch blocks all or allows all only. Dynamic Filtering takes precedence over Static filtering; you're using both, don't do that.
Combine those two in one with
Yes, stick with rules, there's no CSP involved here.
CSP is used to block inline ( I checked this briefly two weeks ago and uMatrix uses CSP for blocking inline script and workers, uBO for no-scripting, inline scripts, (inline) fonts and network filters with the $csp=... option.
So why isn't the policy mentioned in the console like it is when you block inline scripts?
Sorry, I was wrong, you can't use multiple lines with filters like that. It only uses the last one, i.e. the exceptions in the 1st rule won't work and fonts will be blocked on amiunique.org, imgur and gitlab.
@gwarser & @uBlock-user
Ouch, "console". Do you have any test page?
Interesting. I see an entry for inline scripts in the console even if no script exists in the page. Nothing for fonts. Dirty profile - the message is shown only when something is really blocked.
Could be content scripts and/or possibly userscripts injected by extensions.
@earthlng I agree about the overwriting part. Easylist and some others like Fanboy have been a pain in the ass ever since gorhill introduced CSP, as those maintainers started writing policies without testing thoroughly. I have to use
Nevermind, I tested on https://getbootstrap.com/docs/3.3/css/ and it tried to load an inline font and CSP was enforced as below. Actually everything that is loaded inline can only be blocked by CSP.
@gwarser
I'm glad you agree. I think there should be a setting (maybe under Advanced) to disable these CSP-esque filters, or they should just be ignored in 3rd-party lists and only allowed in "My Filters" and, if necessary, in uBlock's own lists (maintained by gorhill and you guys?). If that's too much to ask or too hard to implement then maybe it would be better to at least let built-in policies (like script and/or font blocking) take precedence over filter-based policies. In addition to that, it would also be nice to have another setting to completely disable CSP modifications, possibly with a strong warning not to use it unless someone understands exactly what that means. @gorhill mentioned in another issue here that he's willing to do it but just didn't have the time to do it yet.
If you already have a well-thought-out idea, then suggest it on the tracker. Make sure to detail it though.
It already does, all dynamic rules take precedence over static filters.
Can't push any further when he already said he would; it's on his mind along with numerous other tasks for this extension.
Is it possible to block the Canvas API with FF prefs?