uMatrix vulnerable to XSS where NoScript isn't

Discussion in 'other software & services' started by mkewU, Apr 10, 2017.

  1. mkewU (Registered Member; joined Apr 4, 2015; posts: 18)

    Occasionally my ISP injects some JavaScript into what I'm viewing on the web and half my screen is taken over by the ISP. The purpose is usually to report some kind of news event related to the ISP. Like maybe there will be an outage for an hour or something the next day.

    Here's the thing: when I used NoScript, even though I had scripts fully allowed for the webpage I was on and the domain of the ISP that is doing the XSS, NoScript would always block the injection and report it as a blocked XSS.

    With uMatrix the XSS is always allowed and my screen is taken over.

    Is this an instance that exemplifies the superior protection that NoScript offers over uMatrix?
     
  2. mood (Updates Team; joined Oct 27, 2012; posts: 41,863)

    If you are allowing all scripts (including 3rd-party-requests), then of course uMatrix doesn't block it.
    You can mitigate it if you block 3rd-party requests/content.
     
  3. mkewU (Registered Member; joined Apr 4, 2015; posts: 18)

    This is generally how I operate. But in this case the two sites in question need scripts allowed to work, so it appears uMatrix provides no protection in this scenario, whereas NoScript does because of its continual XSS protections even when scripts are allowed.
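
The point debated in this thread, as an added example that is not part of any post above and is not uMatrix's own code: a simplified model of an origin-based request matrix, showing that an injected script is blocked under a strict 3rd-party policy but passes once its domain is allowed. The hosts `site.example` and `isp.example`, the function names, the two-label base-domain shortcut and the precedence order are assumptions made for illustration.

```javascript
// Simplified model of origin-based request filtering; not uMatrix's own code.
// Rule: scope (page host or "*"), dest (host, "1st-party" or "*"),
// type ("script", ... or "*"), action ("allow" or "block").

// Assumption: base domain = last two labels (real tools use the Public Suffix List).
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function matches(rule, pageHost, destHost, type) {
  const sameSite = (a, b) => baseDomain(a) === baseDomain(b);
  const scopeOk = rule.scope === "*" || sameSite(rule.scope, pageHost);
  const destOk = rule.dest === "*" ||
    (rule.dest === "1st-party" ? sameSite(destHost, pageHost) : sameSite(rule.dest, destHost));
  const typeOk = rule.type === "*" || rule.type === type;
  return scopeOk && destOk && typeOk;
}

// Assumed precedence: narrower scope first, then destination, then type.
function specificity(rule) {
  return (rule.scope !== "*" ? 100 : 0) +
    (rule.dest === "*" ? 0 : rule.dest === "1st-party" ? 10 : 20) +
    (rule.type !== "*" ? 1 : 0);
}

function decide(rules, pageUrl, requestUrl, type) {
  const pageHost = new URL(pageUrl).hostname;
  const destHost = new URL(requestUrl).hostname;
  const hits = rules.filter((r) => matches(r, pageHost, destHost, type));
  if (hits.length === 0) return "block"; // default-deny when nothing matches
  hits.sort((a, b) => specificity(b) - specificity(a));
  return hits[0].action;
}

// Constructed sample policies and request.
const strict = [
  { scope: "*", dest: "*", type: "*", action: "block" },
  { scope: "*", dest: "1st-party", type: "*", action: "allow" },
];
// The thread's situation: the ISP's domain is also allowed to run scripts everywhere.
const ispAllowed = strict.concat([
  { scope: "*", dest: "isp.example", type: "script", action: "allow" },
]);
const injected = "http://notices.isp.example/banner.js";

console.log(decide(strict, "http://site.example/", injected, "script"));     // block
console.log(decide(ispAllowed, "http://site.example/", injected, "script")); // allow
```

Under `strict`, the ISP's own site still works because its scripts are 1st-party there; the filter decides on origin alone, so once `isp.example` is allowed globally it cannot tell an injected script from one the page requested.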
     