gorhill / uMatrix

uMatrix: Point and click matrix to filter net requests according to source, destination and type
GNU General Public License v3.0

Disabling filtering still applies CSP policy #926

Closed nmschulte closed 6 years ago

nmschulte commented 6 years ago

Visiting a locally hosted document which makes use of web workers (served by the same host). http://localhost:3000/.

Disabling uMatrix (via the power button, disabling the two "forbid ..." and the two "spoof ..." options, and reloading w/out browser cache) still leaves behind a Content-Security-Policy that interferes with my application.

In Chrome (Chromium Version 61.0.3163.100 (Developer Build) built on Debian buster/sid, running on Debian buster/sid (64-bit)), I receive a worker-src 'none' violation:

[Report Only] Refused to create a worker from 'http://localhost:3000/worker.js' because it violates the following Content Security Policy directive: "worker-src 'none'".

In Firefox (57.0.4 (64-bit)), I receive a child-src 'none' violation:

Content Security Policy: The page’s settings observed the loading of a resource at http://localhost:3000/worker.js (“child-src 'none'”). A CSP report is being sent.

Additionally, Firefox complains about these aspects of CSP when viewing the document:

Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.
Content Security Policy: The report URI (about:blank) should be an HTTP or HTTPS URI.

The only way I can get around this is to disable uMatrix at the extension/add-on level. No amount of twiddling with the rules or adding my own CSP HTTP headers or HTML meta tags to allow the workers/etc. suffices.

gorhill commented 6 years ago

It's not a Content-Security-Policy, it's a Content-Security-Policy-Report-Only; it has no effect except for allowing uMatrix to know when a web page tries to use a web worker.

nmschulte commented 6 years ago

To clarify, you're stating that I'm simply mis-interpreting these "[Report Only]" error messages as errors, when really they're just notices (of would-be errors), and the browser actually does allow and create the workers?

gorhill commented 6 years ago

you're stating that I'm simply mis-interpreting these "[Report Only]" error messages as errors

Yes, because you said:

leaves behind a Content-Security-Policy that interferes with my application.

They are report-only CSP directives, they can't interfere with your application. If you do not want the csp-report, see https://github.com/gorhill/uMatrix/wiki/Raw-settings#disablecspreportinjection.

nmschulte commented 6 years ago

@gorhill Thank you.

nmschulte commented 6 years ago

Is it conceivable, sensible, to disable the CSP Report injection if there's an enabled matrix-off rule for a domain/host?

gorhill commented 6 years ago

The purpose is for uMatrix to be able to report that web workers are used on a site. Without these CSP reports, it's not possible to inform about this. Such information is key in deciding what rules should apply to a site.
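The mechanism gorhill describes, as an added illustration (not uMatrix's own code): a report-only policy is appended to a page's response headers so the browser reports, but never blocks, worker creation. The directive values and the about:blank report URI are modelled on the console messages quoted earlier in this issue; the header array shape and the function names are assumptions.

```javascript
// Added example (not uMatrix's code): observe worker usage via a report-only CSP.
// Assumes a webRequest-style responseHeaders array of {name, value} objects.
const WORKER_PROBE_CSP = "worker-src 'none'; child-src 'none'; report-uri about:blank";

// Append the probe as Content-Security-Policy-Report-Only. Any enforced
// Content-Security-Policy the site sends is left untouched, so the probe can
// only produce reports in the console, never block a request.
function injectWorkerProbe(responseHeaders) {
  const out = responseHeaders.map(h => ({ name: h.name, value: h.value }));
  const existing = out.find(h => h.name.toLowerCase() === 'content-security-policy-report-only');
  if (existing) {
    // Comma-joined policies are each applied independently, so a site's own
    // report-only header does not suppress the probe's reports.
    existing.value = `${existing.value}, ${WORKER_PROBE_CSP}`;
  } else {
    out.push({ name: 'Content-Security-Policy-Report-Only', value: WORKER_PROBE_CSP });
  }
  return out;
}

// Classify a CSP violation report (the JSON body a browser POSTs to report-uri).
// Returns the worker URL when the report stems from the probe, otherwise null.
function workerFromCspReport(reportJson) {
  const r = JSON.parse(reportJson)['csp-report'];
  if (!r) return null;
  const directive = (r['violated-directive'] || r['effective-directive'] || '').split(' ')[0];
  // Chrome reports worker-src; older Firefox reports child-src, as seen in this issue.
  if (directive !== 'worker-src' && directive !== 'child-src') return null;
  return r['blocked-uri'] || null;
}

// Constructed sample report, shaped like the violations quoted in the issue.
const sampleReport = JSON.stringify({
  'csp-report': {
    'document-uri': 'http://localhost:3000/',
    'violated-directive': "worker-src 'none'",
    'blocked-uri': 'http://localhost:3000/worker.js',
    'disposition': 'report',
  },
});
```

The console lines the reporter saw are exactly what the browser emits for such a report-only policy; the worker itself is still created.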

nmschulte commented 6 years ago

Understood. Given that this (CSP Report injection) is only here to work around a bug, it's low priority anyway.

My rationale is this: matrix-off is like a "disable uMatrix extension for this domain/host," so there's no need to check for web workers, let alone enforce any uMatrix rules.

gorhill commented 6 years ago

matrix-off is like a "disable uMatrix extension for this domain/host

It's not:

The per-scope switches are independent from the matrix filtering switch, meaning that if you toggle off matrix filtering, the per-scope switches which are toggled on will still apply. For example, one could turn off matrix filtering while keeping the ability to forbid mixed content.

If a site is mining coins, you want to know about this, regardless of the state of uMatrix, and arguably even more so if one disabled all parts of uMatrix.

u17194907425 commented 6 years ago

for allowing uMatrix to know when a web page tries to use a web worker

@gorhill, does it mean that there is no way to avoid seeing this [Report Only] message?

gorhill commented 6 years ago

As said above, see https://github.com/gorhill/uMatrix/wiki/Raw-settings#disablecspreportinjection.

u17194907425 commented 6 years ago

@gorhill, oh crap, my bad. I didn't word my question correctly.

I mean if I go through disableCSPReportInjection I'll disable a part of the functionality of uMatrix. Is there any other way to keep the plugin monitoring workers but avoid this warning? I'm talking about my web server, where I can control headers.

E.g. any chance that setting Content-Security-Policy-Report-Only headers from the server will suppress the [Report Only] warning? Or is it an inevitable consequence of uMatrix working as designed?

gorhill commented 6 years ago

It does not matter who set the content security policy, the browser will always output violations at the console.

gorhill commented 6 years ago

https://bugzilla.mozilla.org/show_bug.cgi?id=1376953

nmschulte commented 6 years ago

Ah, I see that the CSP spec has no support for blacklisting, hence the need for a global/always-on worker-src: none report-only CSP.

Would it be possible to maintain the policy/whitelist in real-time / per-request/domain, and refuse to add domains with no-worker: true rules?

This would prevent CSP reports for whitelisted domains, which is what caught my attention initially.

gorhill commented 6 years ago

This would prevent CSP reports for whitelisted domains

As already pointed out, the report is needed to inform about use of workers. Not blocking workers on a domain is not equivalent to "don't tell me if workers are being used" on this domain. Information about whether workers are used is key in deciding on whether to block or allow them.

nmschulte commented 6 years ago

As already pointed out, the report is needed to inform about use of workers.

chicken / egg. got it. thanks for sticking with me.