"Block Data URL pages" doesn't seem to be affected by whitelist #313

Closed
BurnyBoi opened this issue Feb 4, 2019 · 6 comments

BurnyBoi commented Feb 4, 2019

I'm currently using uMatrix to block JavaScript on https://invidio.us, and I noticed that when I have "Block Data URL pages" enabled, the comments don't appear below the video. I have to disable "Block Data URL pages" in order to get around this.

However, I don't want this off for all sites, so I tried to add "invidio.us" to the whitelist field instead. However, this doesn't seem to affect the comments not showing.

Description

It looks like the "Block Data URL pages" setting is not affected by sites on the whitelist. I think having this would help in cases like this where "Block Data URL pages" actually affects the behavior of a specific web site.

Expected Behavior

If I am visiting a site on the whitelist, then "Block Data URL pages" should not activate for that site.

Possible Solution

Check if "Block Data URL pages" looks at the whitelist before activating.

Steps to Reproduce (for bugs)

  1. Use uMatrix to not allow JavaScript on https://invidio.us
  2. Ensure CanvasBlocker is enabled, with "Block Data URL pages" on
  3. Go to an Invidious video page with the "nojs=1" parameter.
    (example: https://invidio.us/watch?v=VeLvdE8lNW4&nojs=1)
  4. Check below the video description to see if the comments appear.

Context

This issue makes it so I have to disable this setting for every site I go on, rather than one specific site in order to get the expected functionality on Invidious. I was able to reproduce this issue on a fresh profile where only uMatrix and CanvasBlocker were installed.

Your Environment

  • CanvasBlocker Version used: 0.5.7
  • Firefox version incl. 32- or 64-bit: 65.0
  • Operating System and version (desktop or mobile): Arch Linux
  • Installed addons: https://imgur.com/a/zLhbKcx

Your Settings

{
	"logLevel": 1,
	"urlSettings": [
		{
			"url": "^https://www\\.google\\.com/recaptcha/api2/(?:b?frame|anchor).*$",
			"protectWindow": false
		}
	],
	"hiddenSettings": {},
	"expandStatus": {},
	"displayHiddenSettings": false,
	"whiteList": "skribbl.io,invidio.us",
	"sessionWhiteList": "",
	"blackList": "",
	"blockMode": "fake",
	"protectedCanvasPart": "readout",
	"minFakeSize": 1,
	"maxFakeSize": 0,
	"rng": "nonPersistent",
	"protectedAPIFeatures": {},
	"useCanvasCache": true,
	"ignoreFrequentColors": 0,
	"minColors": 0,
	"fakeAlphaChannel": false,
	"persistentRndStorage": "",
	"persistentIncognitoRndStorage": "",
	"storePersistentRnd": false,
	"persistentRndClearIntervalValue": 0,
	"persistentRndClearIntervalUnit": "days",
	"lastPersistentRndClearing": 1549321056400,
	"sharePersistentRndBetweenDomains": false,
	"askOnlyOnce": "individual",
	"askDenyMode": "block",
	"showCanvasWhileAsking": true,
	"showNotifications": true,
	"highlightPageAction": "none",
	"highlightBrowserAction": "color",
	"displayBadge": true,
	"storeNotificationData": false,
	"storeImageForInspection": false,
	"ignoreList": "",
	"ignoredAPIs": {},
	"showCallingFile": false,
	"showCompleteCallingStack": false,
	"enableStackList": false,
	"stackList": "",
	"protectAudio": true,
	"audioFakeRate": "100",
	"audioNoiseLevel": "minimal",
	"useAudioCache": true,
	"audioUseFixedIndices": true,
	"audioFixedIndices": "16",
	"historyLengthThreshold": 2,
	"protectWindow": true,
	"protectDOMRect": true,
	"domRectIntegerFactor": 4,
	"blockDataURLs": true,
	"displayAdvancedSettings": true,
	"displayDescriptions": false,
	"theme": "default",
	"dontShowOptionsOnUpdate": false,
	"isStillDefault": false,
	"storageVersion": 0.5
}

Author

BurnyBoi commented Feb 5, 2019

I just tried messing around with the site-specific settings as well to see if I could get around this, and haven't had much luck. Here are my settings, which are trying to disable blocking data URLs for that specific video page above:

{
	"logLevel": 1,
	"urlSettings": [
		{
			"url": "^https://www\\.google\\.com/recaptcha/api2/(?:b?frame|anchor).*$",
			"protectWindow": false
		},
		{
			"url": "^https://invidio\\.us/watch\\?v=VeLvdE8lNW4&nojs=1$",
			"blockMode": "allowEverything"
		}
	],
	"hiddenSettings": {},
	"expandStatus": {
		"blockMode": true,
		"protectedCanvasPart": false
	},
	"displayHiddenSettings": false,
	"whiteList": "skribbl.io",
	"sessionWhiteList": "",
	"blackList": "",
	"blockMode": "fake",
	"protectedCanvasPart": "readout",
	"minFakeSize": 1,
	"maxFakeSize": 0,
	"rng": "nonPersistent",
	"protectedAPIFeatures": {
		"toDataURL": false
	},
	"useCanvasCache": true,
	"ignoreFrequentColors": 0,
	"minColors": 0,
	"fakeAlphaChannel": false,
	"persistentRndStorage": "",
	"persistentIncognitoRndStorage": "",
	"storePersistentRnd": false,
	"persistentRndClearIntervalValue": 0,
	"persistentRndClearIntervalUnit": "days",
	"lastPersistentRndClearing": 1549324788600,
	"sharePersistentRndBetweenDomains": false,
	"askOnlyOnce": "individual",
	"askDenyMode": "block",
	"showCanvasWhileAsking": true,
	"showNotifications": true,
	"highlightPageAction": "none",
	"highlightBrowserAction": "color",
	"displayBadge": true,
	"storeNotificationData": false,
	"storeImageForInspection": false,
	"ignoreList": "",
	"ignoredAPIs": {},
	"showCallingFile": false,
	"showCompleteCallingStack": false,
	"enableStackList": false,
	"stackList": "",
	"protectAudio": true,
	"audioFakeRate": "100",
	"audioNoiseLevel": "minimal",
	"useAudioCache": true,
	"audioUseFixedIndices": true,
	"audioFixedIndices": "28",
	"historyLengthThreshold": 2,
	"protectWindow": true,
	"protectDOMRect": true,
	"domRectIntegerFactor": 4,
	"blockDataURLs": true,
	"displayAdvancedSettings": true,
	"displayDescriptions": false,
	"theme": "default",
	"dontShowOptionsOnUpdate": false,
	"isStillDefault": false,
	"storageVersion": 0.5
}

@Thorin-Oakenpants

The option Misc > Block data URL pages uses CSP header injection - as do many other extensions. When multiple extensions (e.g. uBO, uMatrix, NoScript) use CSP header injection/modification, only one wins. Predicting the winner is like rolling a die - read this comment (also see #497 - read this thread).

Author

BurnyBoi commented Feb 5, 2019

Ok, that makes sense, however, is it possible to disable using this when visiting certain sites?

Owner

kkapsner commented Feb 5, 2019

Currently there is no way to disable it for certain sites. The code for this is run at every page load and therefore I want it to be as fast as possible. Adding the check for some sort of whitelist adds a performance penalty I'm not sure I want to pay.

Actually this blocking is a workaround for #208 which only Mozilla can fix.

But as uMatrix provides more protection in that scenario, I would suggest disabling and re-enabling uMatrix so the CSP headers set by it always win.

You also have to make sure that this loading order is kept after a browser restart.
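
A sketch of the per-site check requested in this issue, together with a small model of the CSP header conflict discussed above (added example, not CanvasBlocker's or uMatrix's code). The policies, function names, subdomain matching and the "extension enabled last wins" rule are assumptions made for illustration.

```javascript
// Added illustration: not CanvasBlocker or uMatrix code; all names are hypothetical.
const CSP = "content-security-policy";

// Parse the comma-separated "whiteList" setting once, so the per-request
// check is a few Set lookups instead of re-parsing the string on every load.
function parseWhiteList(setting) {
  return new Set(setting.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
}

// Assumption: an entry matches its host and all subdomains.
function isWhitelisted(url, whiteList) {
  const labels = new URL(url).hostname.split(".");
  return labels.some((_, i) => whiteList.has(labels.slice(i).join(".")));
}

// Same shape as a webRequest.onHeadersReceived listener: return
// { responseHeaders } to rewrite the response, or {} to leave it untouched.
function makeCspInjector(policy, whiteList = new Set()) {
  return ({ url, responseHeaders }) =>
    isWhitelisted(url, whiteList)
      ? {}
      : { responseHeaders: [...responseHeaders, { name: CSP, value: policy }] };
}

// Model of the conflict described in the thread: each extension sees the
// original headers and only one rewritten list is applied. Assumption taken
// from the workaround: the extension enabled last wins.
function effectiveCsp(url, listenersInLoadOrder) {
  const original = [{ name: "content-type", value: "text/html" }];
  let applied = original;
  for (const listener of listenersInLoadOrder) {
    const { responseHeaders } = listener({ url, responseHeaders: original });
    if (responseHeaders) applied = responseHeaders;
  }
  return applied.filter((h) => h.name === CSP).map((h) => h.value).join(", ");
}

// Placeholder policies, constructed for this example.
const scriptBlocker = makeCspInjector("script-src 'none'");
const dataUrlBlocker = makeCspInjector("object-src 'none'");
const dataUrlBlockerWithList = makeCspInjector("object-src 'none'", parseWhiteList("skribbl.io,invidio.us"));
const page = "https://invidio.us/watch?v=VeLvdE8lNW4&nojs=1";

console.log(effectiveCsp(page, [scriptBlocker, dataUrlBlocker]));         // data-URL blocker overrides
console.log(effectiveCsp(page, [dataUrlBlocker, scriptBlocker]));         // workaround: re-enabled extension wins
console.log(effectiveCsp(page, [scriptBlocker, dataUrlBlockerWithList])); // whitelisted: script blocker kept
```

With the whitelist check in place the outcome on a listed site no longer depends on extension load order, at the cost of one hostname parse and a few Set lookups per response.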

Author

BurnyBoi commented Feb 5, 2019

Thanks for the suggestion. After disabling then re-enabling uMatrix, the comments issue is now resolved. This is a fine workaround. I usually leave my desktop on with the same browser window open 24/7 anyway. Thanks again!

@BurnyBoi BurnyBoi closed this as completed Feb 5, 2019
Owner

kkapsner commented Feb 7, 2019

You're welcome.
