I will decline, I don't see how I could fit this in the current UI, and I do not plan to rewrite the UI. Additionally, whether a tag has an SRI attribute is not something available to an HTTP observer, which is where network requests are blocked.
Ok, I'm sorry for the noise and for raising this issue while I actually anticipated that answer, I'm writing as ideas come...
One mention though: GNU LibreJS contains a precompiled list of hashes for JavaScript files in ./data/script_libraries/script-libraries.json, like these:

```json
{
  "a83caf65714ff3a56aded6088acb525e9d305881": {
    "filename": "https://code.jquery.com/ui/1.11.2/jquery-ui.min.js",
    "result": "[freelib]"
  },
  "0b327b43256da9f57b78e3134aaecc2a4a5a3bad": {
    "filename": "https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.1/jquery-ui.js",
    "result": "[freelib]"
  }
}
```
I'm thinking that a hash comparison using a special third-party filter may be sufficient for security-aware users. And it may not be too much of an overhead for uBlockO.
Suppose a special filter would instruct to:
https://code.jquery.com/ui/
Again, sorry for the noise, I don't apprehend the implications as well as you do. Trivial vs. free JavaScript detection appears to be more involved (see lib/js_checker/*). I suspect it isn't as simple as I put it. Please share your opinion. Thanks for uBlock Origin!
In this issue, I'd like to start a discussion about whether or not uBlockO should adopt some mechanism that would allow browsers to do subresource integrity checks.
In particular, I think that website creators that use popular CDNs (to load jQuery, Bootstrap or other JavaScript files and stylesheets) will increasingly use this feature, and should be encouraged to do so.
Some uBlockO users like me that like a whitelisting approach in the dynamic ruleset may want to let subresources that have integrity attributes be passed through to static filtering, or to let the browser do these checks. I'm thinking something like:
or
... or is this more in the scope of uMatrix?
Two blog posts (07-2015) and (06-2016) provide more info.
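To make the two mechanisms discussed in this thread concrete (the SRI `integrity` attribute check the browser performs, and the LibreJS-style SHA-1 hash-list lookup proposed above), here is an added example; it is not code from uBlock Origin, LibreJS or any commenter, and the sample script body and hash-list entry are constructed for the demo.

```python
import base64
import hashlib

# The SRI spec accepts only these digest algorithms in an integrity attribute;
# a SHA-1 list like LibreJS's is not usable as SRI metadata.
SRI_ALGOS = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_digest(body, algo="sha384"):
    """Return the integrity token a page author would put in the tag."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(body, integrity):
    """Check a fetched body against an integrity attribute.

    Tokens are whitespace separated, unknown algorithms are ignored, and only
    tokens using the strongest recognised algorithm count; any one may match.
    A browser loads the resource unchecked when no token parses; here that is
    reported as a failure so a missing or garbled attribute is visible.
    """
    parsed = []
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in SRI_ALGOS:
            parsed.append((SRI_ALGOS[algo], algo, value.split("?")[0]))
    if not parsed:
        return False
    strongest = max(rank for rank, _, _ in parsed)
    return any(sri_digest(body, algo) == f"{algo}-{value}"
               for rank, algo, value in parsed if rank == strongest)


def lookup_hash_list(body, hash_list):
    """Look a body up in a LibreJS-style {sha1: {filename, result}} map."""
    entry = hash_list.get(hashlib.sha1(body).hexdigest())
    return entry["result"] if entry else None


# Constructed sample script and hash list (not the real jquery-ui entries).
SAMPLE = b"(function(){window.demoLib={version:'1.0'};})();\n"
HASH_LIST = {
    hashlib.sha1(SAMPLE).hexdigest(): {
        "filename": "https://cdn.example/demo-lib-1.0.min.js",
        "result": "[freelib]",
    }
}

if __name__ == "__main__":
    tag = sri_digest(SAMPLE)
    print(tag, verify_sri(SAMPLE, tag), verify_sri(SAMPLE + b"//x", tag))
    print(lookup_hash_list(SAMPLE, HASH_LIST))
```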