Discussion in 'other software & services' started by tlu, Oct 25, 2014.
Please, can someone explain to me what are the pros/cons of blocking third-party XHR's?
1. Blocks info sending such as event/location APIs, logging, error reports.
2. Reduces annoyances (to me) such as ranking/recommendation boxes, and some form of cookie banners. (EDIT: deleted as it's usually 1p XHR)
3. Prevents Magecart style attacks which even bypassed default-deny 3p scripts/frames.
Breaks many sites if you block it by default.
I might forget sth.
Thank you for your explanation @142395. Please, let me ask another question:
GorHill said that Scripts and Frames might be dangerous.
He also said that Frames can load without Scripts (java script).
So, that explains why third-party Scripts and Frames should be blocked.
But GorHill said that XHR's need Scripts to be loaded.
So please, I ask: If third-party Scripts are blocked, do we need to block third-party XHR's?
Indeed, looking at my filters in uBO to complement medium mode, I found most (if not all) of the cases 1 & 2 above were either first-party or nooped domains.
However, IIRC there were cases that variants of Magecart were implemented as 1p script. However, info sending to attacker's server was done via XHR (using a jQuery function). So at least the case 3 applies, but you won't get much benefit from everyday browsing - to get it you need to deny 1p XHR too, but with its own problem. Also, you sometimes need to allow script for a site to function, but may still wanna block XHR.
I clearly can understand that third-party Scripts/Frames might be dangerous. Blocking them breaks stuff, but in the other hand is clear the gain on security/privacy.
What I'm trying to understand now, is the gain of blocking XHR's.
Has XHR's the same potencial damage level that Scripts/Frames have?
Your explanation was great, and please correct me if I am wrong, but at first sight it seems that blocking third-party Scripts may block not all, but most of the third-party XHR's.
I understood that everything (as Magecart) unblocked at first-parties may exploit unblocked third-parties. But definitely I'm not going to block everything.
UBlock Medium Mode allows third-party XHR's (it blocks only third-party Scripts/Frames). Curiously, UBlock jumps from Medium to Hard where all third-parties are blocked. Nothing intermediary, like blocking third-parties XHR's before blocking everything. So who knows, may I assume that GorHill thinks that third party XHR's don't need to be blocked, perhaps because blocked third-party Scripts already take care of XHR's?
Well, nobody knows what kind of threats we'll face tommorrow and it's all comes down to one's sense of balance (gorhill has a good sense IMO and I think his message is clear: if you want more granular ctrl than medium/hard mode, use uMatrix). What I can do here is summarizing what I'd written in other threads.
Default-deny frame blocks all click-jacking and many but not all CSRF, while default-deny script blocks many XSS, Magecart style attacks, and memory corruption exploits, but again not all. XHR can be used not only for Magecart but also for CSRF (in HTML5), while memory corruption which doesn't escape sandbox may also abuse XHR to steal sensitive info if strict site-isolation was not applied.
It's certainly possible to implement XSS, Magecart, or memory exploit as first-party. On an attacker's perspective, 3p XSS has advantage of fully-automated attack (w/ help of CSS). Many of Magecart-style attacks abuses third-party resouces, but those abusing a vulnerable WordPress plugin can be first-party as most of WP plugins are located under (the site domain)/wp-content/plugins/(plugin name). For memory exploit, this water-hole attack could be prevented if you block 3p script. For more 'common' threats, this case was prevented by blocking 3p script too; however, in these 'noname' scam series I've observed other patterns that a malicious redirect was implemented as an inline-script.
As to the aformentioned case 1, I found video.9tsu.com makes XHR to comnewsupdate.info even when you block all 3p scripts, as it's launched via 1p script. Also this site makes many XHRs to socdm.com, bigmining.com, ad-m.asia, treasuredata.com, etc. despite 3p script are blocked, yet not on the first visit but only after some conditions are met. So blocking 3p script doesn't necessarily prevent 3p XHR, but will reduce it.
All in all, I personally don't think default-deny 3p XHR is worth doing unless you don't feel fixing problems pain. Most ppl won't block 3p images even knowing they can be used for tracking pixels and there was memory exploit w/ image in past (images can also be used for CSRF, and surprisingly, some tricky XSS too). I switched to uBO only around 2-3y ago in pursuit of less work of making rules. But I understand other people can use uMatrix w/out trouble.
Excellent comment @142395 ! Thank you.
Also thanks for the links... I really enjoyed both, your comment and the links you attached.
Thanks to your help finally I'm starting to build my own conclusion about Scripts, Frames, XHR's etc.
In a positive way, I can see this can be an endless conversation, because is full of interesting information.
But I can't abuse from your patience, so I finish here my XHR' question.
However, please, I still have for you a last question: What about disabling ram memory cache? (in Firefox: browser.cache.memory.enable).
I've read a lot of comments warning about performance issues. But for the last 4 weeks I tested my browser without ram cache memory... and zero issues.
By the way, I also tested disabling disk cache, disabling DNS' cache, disabling prefetching, enabling First Party Isolation, Temporary Containers etc... and haven't seen issues... zero performance issues, and almost zero breakages.
IMO if you have a good internet connection + good computer, most of the caching functions seem to me avoidable.
Yeah, I don't deny caching benefits. I'm just saying that disabling caching in a good computer/internet connection, this may have low negative performance impact, while having good security improvement. Am I wrong?
But my question to you is specifically about ram memory cache.
IMO there are several privacy/security benefits by disabling that.
However, no one is recommending disabling that.
Please, can you tell me what am I missing here?
TBH I haven't dug that matter. I understand security concern of browser cache in general basically assumes physical access to the device (or malware, but then you have more problem than cache), which makes sense on mobiles and laptops or PCs on workplace but less on your home PC. A main privacy concern OTOH is about etag which can be and actually has been used to track users. I don't think there is any fundamental difference between disk and RAM cache in these aspects except RAM cache is more volatile and thus less problematic in security, unless the adversary uses cold-boot attack. Sure, if you have good connection and are using SSD for disk, cache won't make noticeable diff on speed.
... thanks again for your answer.
After your teachings, I was curious about 1st-parties exploiting 3rd-parties, and I learned a bit about CORS (Cross-Origin Resource Sharing). Just in case you are interested, the following add-ons are not the final solution, but they can minimize some exploits:
Currently I'm testing this one (named POOP): https://addons.mozilla.org/en-US/firefox/addon/privacy-oriented-origin-policy/
The general idea is to block 3rd-party Scripts/Frames (with UMatrix/UBlock etc), also to block 3rd-party cookies, no memory (disk/ram), and POOP in "relaxing-mode". This setup is not hurting my browser performance, after customizing Scripts I'm not seeing web-page breakages, and I believe this may minimize (a bit) 1st-parties exploiting 3rd-parties (XHR's, CSS etc).
The POOP author writes:
So I think that if you're using uBO in hard mode or uM in its default mode, there is not much left for POOP to do.
That said, using First-Party Isolation (see also this issue tracker) and/or Temporary Containers improves your privacy a lot.
If you follow my first comment above, you'll see that my main doubt was about allowing/blocking 3rd-party XHR's.
After good explanations/teachings/readings... I decided to allow 3rd-party XHR's.
At this scenario, the risk remaining was 3rd-party XHR's exploited by 1st-party.
And here is where POOP minimizes a bit this situation.
And yeah, I already use FIP, TC etc. But as I said, my doubt was basically about 3rd-party XHR's.
Thank you anyway for your comment!
Thanks, I didn't know such an extension exists tho I won't use it soon on my regular profile. I only use minimal set of extensions which satisfies:
1) already popular
2) the author has trustable record
3) the function is necessary
Maybe any more discussion should be done on another thread, as this thread is for uMatrix.
@142395, please, any chance you share with me your setup?
Which settings or preferences do you use?
Yeah, I know this is UMatrix' thread.
But from my understanding, you and me are talking about COMPLEMENTING UMatrix. So, our conversation always includes UMatrix.
In this context, I really will appreciate if you share with me your setup, settings, preferences, add-ons etc.
I'm also asking this, because I liked your explanations, so I believe I may learn a lot from your setup.
Thank in advance!
PS: From your 3 points scale needed to approve an add-on, certainly POOP' add-on covers points 2 & 3. And for those (like me) using UMatrix/UBlock allowing XHR's, or CSS, or FONTS etc, POOP is necessary and minimal.
In the conversation about a recent commit for uMatrix @gorhill made the following comment:
I'm a bit puzzled about this. I've never run into any problems by using non-hosts filterlists. And one of the default lists, namely Malware Domains, is a non-hosts list as well. That's why I don't really understand that statement.
Taken it literally it would mean, IMO, that a simple entry in a filterlist like
should not be used but rather a hosts-style one like
But a hosts file typically contains thousands of sub-domains of doubleclick.net in order to cover them all. While such an entry in a hosts file would translate to the following blacklist rule in uMatrix:
* doubleclick.net * block
which would block all related sub-domains as well (making most entries in those hosts files superfluous).
@gorhill , could you, please, explain what your statement means and which undetermined results should be expected?
* doubleclick.net * block
Seeing the source, it appears uMatrix indeed only expects valid hosts file format; while anomalies handling is applied to domains to be blocked (reAsciiSegment), no such thing for e.g. "127.0.0.1" parts (reLocalhost)?
Hm, but why is Malware Domains included as a default list then?
Maybe I misread - the code rather seems to remove those "127.0.0.1" patterns. IDK, lLet's wait the official answer.
Plain list of hostnames will work, it's as far as uMatrix will go, for convenience.
Thanks for this confirmation!
After a further check I recognized that uBlock-user used this list:
which is not a hosts file but an ABP-compatible list. It's a well-known fact that such lists should not be used in uMatrix. I simply couldn't imagine that uBlock-user of all people would add such a list to uM. Sorry - much ado about nothing
I am using both uMatrix and uBlock simultaneously.
There appear to be two very similar Privacy options
uMatrix - Block all hyperlink auditing attempts.
uBlock - Disable hyperlink auditing.
Is there a difference between these two options? I.E. Is uBlock disabling the option, whereas uMatrix is only blocking it?
If there is a difference, (a) how does each of those options look to 1st party and 3rd party websites? and (b) which option would be better from the perspective of the user's privacy?
I'm sad to see that develpment of uMatrix has ended. I don't mind so much if no more features are introduced as it works perfectly well for my needs now... But I do hope that if any future firefox release breaks uMatrix's current functionality maybe @gorhill could dip in to keep it working for us as is .
@gorhill Thank you so much for the work you've put into uMatrix and for your continued development of uBlock Origin. I can't imagine using the internet without them
See here also.
Apologies stapp, I missed that thread. Thank you.
uMatrix has an unfixed vulnerability: here is a workaround
July 15, 2021
it should be possible to insert the fix into "main-blocked.js" fast -> ublock 1.4.1b6 (beta)