uMatrix WE problem in combination with other WEs [Bug 1417249, 1477696, 1421725...] #265
Comments
Were 1st-party scripts blocked? |
|
Yes but I just re-tested with 1st-party scripts allowed and it's the same. |
|
tested in FF nightly 58 with uMatrix 1.0.1rc3 example addon: {
"name": "demo",
"version": "0.1",
"manifest_version": 2,
"background": {
"scripts": ["background.js"]
},
"permissions": [
"<all_urls>",
"webRequest",
"webRequestBlocking"
],
"applications": {
"gecko": { "id": "[email protected]" }
}
}background.js: function logResponse(e) {
for (let header of e.responseHeaders) {
if (header.name.toLowerCase() === "content-security-policy" || header.name.toLowerCase() === "test-test") {
console.log(e.url + "\n" + header.name+":", header.value);
}
}
}
function editResponseHdrs(e) {
e.responseHeaders.push({'name': 'Test-Test', 'value': 'Test123'});
e.responseHeaders.push({'name': 'content-security-policy', 'value': ''});
return {responseHeaders: e.responseHeaders};
}
browser.webRequest.onHeadersReceived.addListener(editResponseHdrs, { urls: ["http://*/*", "https://*/*"] }, [ "blocking", "responseHeaders" ]);
browser.webRequest.onResponseStarted.addListener(logResponse, { urls: ["http://*/*", "https://*/*"] }, [ "responseHeaders" ]);example testpage: https://gist.github.com/arantius/f6fd80b1efad368a45ca35567bc31b18 steps to replicate:
I added the test header because I was wondering if uMatrix overwrites all modifications another addon made but it seems to only affect the CSP one. At first I thought it might be because in my original addon I process the headers async but when I changed it to sync it didn't fix the problem. |
|
I am not seeing anything wrong with uMatrix -- it append its own However the behavior of the webRequest API does not match the documentation, specifically:
uMatrix sees the headers without your changes, and your extension sees the headers without uMatrix changes -- depending on whichever listener was first called. |
|
Yeah I guess that would explain what's happening. I assumed that mozilla's documentation is accurate but apparently not. If the behavior matched the documentation it wouldn't be a problem then, right? |
|
I have read a few times about the order of installation causing issues. Earthlng - have you tried installing uM and yur Ext in a TWO new profiles in the two orders possible to see if that makes a difference to which Ext beats the other? If that works for you, then try uninstalling (and removing all traces) and reinstalling the applicable extension (edit: in your main everyday profile) - not sure if it will work as FF often remembers stuff - I remember a ticket gorhill was concerned about where something has a hook on it - I think it was uBo prefetching/hyperlink/WebRTC settings or something. |
|
Even if that would work, every new addon update would probably fuck things up again. |
|
Every addon update reloads the background script(s) which re-registers the listeners, meaning the addon that just got an update ends up being the one that has the last word now, so to speak. Edit: kind of a bad example because there's a special API to deal with cookies but it can also be done on the request level by modifying the cookie header and in that case it could be a problem. |
Thorin-Oakenpants
changed the title
|
If possible, only one extension should change a specific header to avoid any problem. pyllyukko/user.js#348 |
|
Looks like they're not gonna fix this and instead will just change the documentation: That means it will always be like rolling a dice, and every time you start FF you'll roll the dice again. Roll the dice and hope for the best, I guess 🤦♂️ |
|
At least Chromium reports conflicts to users, that's the least Firefox could do to bring awareness of possible incompatibility between extensions. Imagine an extension which relax CSP directives[1] after NoScript/uMatrix made them more strict -- surely a user would want to know a security/privacy extension is prevented from working properly because of some other extensions.
Sure, but extensions changing CSP header is quite a serious use case. [1] I think Tampermonkey does this. |
It's for request/response headers. "Cookies" is mentioned because the case brought forth was about the |
Difficult to tell exactly, I would have to know exact URL + extensions and their configuration. It seems some in there are caused by uBO redirecting Google Analytics script to its neutered version. |
|
And once again the argument is performance. I'd think users would prefer that their addons work as expected but what do I know. |
How do you two guys feel about putting this out in front via a ghacks article. Seems pretty serious to me Edit: put some pressure on? We'd need a decent example of security/privacy failure or extension failure |
|
I only get a warning on my side with uBO + uMatrix: With uBO + uMatrix, and this one is because of the "Forbid web workers" setting in uMatrix (warning occurs whether workers are blocked or not). I don't know where the other errors/warnings come from. |
|
@gorhill you could setTimeout + re-register the listeners in the background script of uMatrix to somewhat make sure it's always the winner but that would only work as long as other addons don't start to do that as well. It would also not guarantee that uMatrix keeps having the last word when new updates of other addons are installed. You could do it in intervals but that would only make things even worse if others start doing the same thing, because it would continuously roll the dice during a session and not just on startup. uBO with only a |
|
^^ its Violent Monkey, which I only use for our three global scripts in the wiki |
Well, a |
|
Pants, if you want to test then check what gorhill alluded to regarding Tampermonkey. But please don't take this to ghacks! I still have enough faith in the mozilla devs to think that they'll do something about it when @gorhill is the one telling them how bad this is. |
well now I feel stupid, thanks xD |
|
@gorhill I found a site that illustrates the problem (or at least 1 problem): https://1337x.to/home/ Tested with the latest Firefox Nightly and the latest uBlock + uMatrix versions CSP when uBlock comes after uMatrix (= disable + re-enable uBlock to achieve that) : umatrix comes last (= disable + re-enable uMatrix) : I've already disabled "i'm an advanced user" which I thought might have something to do with it, Questions:
And if you don't mind, can you explain why uMatrix is using |
No. I will add an advanced setting in uBO to disable completely CSP header injection/modification.
Yes, filters with
No issue here. uBO blocks the
Because the rule related to that CSP directive is to block use of inline-script tags, not
To be able to enforce the filters such as |
@gorhill have you had the time to implement this yet? I looked through all your release notes but couldn't find anything related.
I assume this is used to detect if workers are used, right? Anything else? Firefox recently added a new pref |
|
Sorry, not implemented. Yes, uMatrix uses security policy violation events to detect workers. I didn't know about Edit: related: https://bugzilla.mozilla.org/show_bug.cgi?id=1425993 |
|
You'll have to ask tartpvule - create an issue at his repo where everything in the one place |
I already created with no awaser yet, i will wait. |
|
Hi, @tartpvule wrote the patch based on the ESR code and it might not necessarily work in newer versions, or the underlying code could have changed in subtle ways or it might break with any future release. create a file // Any comment. You must start the file with a single-line comment!
pref("general.config.sandbox_enabled", false);
pref("general.config.filename", "monkey_Bug1421725_WebRequest.cfg");
pref("general.config.obscure_value", 0);and place the monkey_Bug1421725_WebRequest.cfg file in the root Firefox path (where firefox.exe is located). FYI disabling the autoconfig sandbox with hope that helps :) |
|
@Renan19 see the issue in my repo. |
|
@earthlng @tartpvule |
I don't remember but I'm pretty sure I did. I had also tested it with a modified version of your script that didn't read the prefs and instead used hardcoded values but that didn't work either.
I just tested it again and REQUIRE_SIGNING is false with the patch and true w/o it. Ran it on both about:config and about:addons and the values are the same ie it should theoretically allow me to install unsigned extensions but it doesn't and IDK why. Maybe something to do with lazy loading of components that they changed since ESR or FF somehow keeping a cache of the values, I have no idea. |
|
@earthlng Thank you for pointing out the problem |
|
from Jan 2018 #265 (comment)
It wasn't me: https://www.ghacks.net/2019/05/23/firefox-csp-issue-may-cause-extension-conflicts/ But given that HTTPS-E are aware of the issue, and that extension is used in Tor Browser, and given that it finally got an issue at uBlock-issues, and some other external factors - it seems as if KM is considering doing something about it. Just watch the relevant bugzillas |
|
I don't get it. WTF is wrong with people. A non-event such as a pref to control
r/Firefox usually has some knowledgeable rational and well spoken people - but I can't understand why no-one has picked up on it. Are they all |
|
why are you confused @gwarser, or is that just the best of a limited set of emojis you could choose ? I don't expect everyone on r/Firefox to understand the ramifications of this bug, but not a single person has commented, and yet they're always happen to discuss in depth technical issues about other security issues. Isn't anyone there concerned that their extension can often not work as expected? Extensions that help security, tracking, FPing ... I think I'll do a Wonko the Sane and build an inside out house called The Outside of the Asylum to house the world. I shall live inside it and any of you are welcome to come visit (if you are sane) |
https://old.reddit.com/r/firefox/comments/btvixo/firefox_bug_causes_addons_ublock_origin_https/ this thread seems to be getting a bit more traction and has a more informative headline |
|
Well, I kept track of that for all of 8 hrs. It trended up very quickly into second place on hot (after the PSA userChrome thing which I think is a sticky). 251 points, 35 comments. It was there when looking at new items in its right place. Now you can't find it unless you know it exists. It doesn't even show when looking at items in chronological order. r/Firefox, AFAIK, has demoted it so it doesn't show. And it has now died and nothing has changed for over an hour. |
|
yup .. shadowbanned. I don't understand why? People are now asking why it's shadowbanned. FFS, do they not want a better product? Fucking jerks. For some reason they've always hated this repo and associated it with the Mozilla haters at ghacks itself |
|
It just popped back up, but it was definitely shadowbanned for a few hours. Maybe there was disagreement among the mods of the sub. Still very disappointing to see that suppressing information about a bug is on the table at all. |
|
I guess its par for the course (I don't hang around and read these sorts of things) but 2/3rds of the comments are off topic - I guess you get that with everyone wanting to chime in and bitch about something, and/or lack of knowledge |
|
OMFG ... https://bugzilla.mozilla.org/show_bug.cgi?id=1462989#c24
First of all, only one comment was marked advocacy - five days ago. No-one has said anything on the bug for over 3 days. WTF? Way to win friends and influence people. Fucking bollocks. I don't care about looking backwards, I just want the problem addressed. But they seem to have their mind somewhere else right now. WTF?! |
|
Instead of begging Mozilla on our knees wouldn’t it make more sense to
I know, it’s a tall order, but at least it seems a way forward. |
|
I considered that idea a long time ago, but there would be more than a few problems with that, technically speaking... It can be done, but it wouldn't be easy for extension developers to adopt in the least. They would need to make pretty extreme changes to their respective extensions and, even then, that approach wouldn't allow them to do some of the things they can do now. It's not worthwhile. |
|
I just developed a new experimental patch for Bug1421725 against mozilla-central, not yet extensively tested. |
|
@tartpvule: I've tested the monkey-patch version and it seems to work. I've got a relatively small test case that I used to verify it:
do you have intentions of submitting this patch to mozilla? (please do!) |
|
@girst Thank you for your interest in my patch. Oh well, back to maintaining private patches and builds I guess. |
Yes, that is shame, I really don't know what is the hold reason at Mozilla... 😞
... and performance for sure its not the real reason. |
|
On Sat, Jul 27, 2019 at 09:58:46AM -0700, tartpvule wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=1421725
The patch was rejected, as expected, citing performance reasons :(
missed that, thanks! this sorta-WONTFIX is just the worst response--i
can't even see any perf tests (they should have the infra) linked in the
bug report, while multiple people have shown multiple problems this
causes :|
Oh well, back to maintaining private patches and builds I guess.
I've gone to great length avoiding that--including patching omni.ja.
recently, I've managed to confine my modifications into AutoConfig[1]
[1]: for reference to who else might need it: https://gir.st/blog/legacyfox.htm
|
|
@tartpvule |
|
@M83tUt3 After ESR68.1 is released and I finalized my private build, I will update my Firefox patches repo with updated instructions. |
|
... aaaaand now they changed the docs edit: FYI: @gorhill @gwarser @uBlock-user |
|
^^ lamest way to do it. 😢 |
@gorhill, I found a problem with uMatrix in that, depending on the order in which FF loads the addons, uMatrix "restores" the Content-Security-Policy header when another addon already changed it or removed it completely. Maybe other headers are affected as well, IDK.
uBO doesn't have the same problem so I assume you already fixed it there.
Since you closed your Issue tracker for uMatrix I didn't know how else to contact you. If you're interested let me know, I have a simple example addon ready to share and the steps to reproduce. Thanks
The text was updated successfully, but these errors were encountered: