Closed ididntknowicoulddothatXD closed 6 years ago
gorhill
commented
6 years ago Duplicate of https://github.com/gorhill/uBlock/issues/1170.
I thought I was on uBO's issue tracker, I corrected the link above: only one extension can modify a HTTP header, it's a browser API by-design behavior. You will have to find what setting is causing uBO to modify the Content-Security-Policy header and change it such that the CSP header is left free to be modified by uMatrix (or vice-versa, as you want).
gorhill
commented
6 years ago I decided to test an idea, and it worked, so re-opening -- I will need to experiment more to be sure though in case there was a flaw in my test.
This seems fixable if I inject a new CSP header instead of modifying an existing one -- which both uMatrix and uBO do. Speculating: this is probably a solution because it's allowed for servers to send more than one CSP header.
uBlock-user
commented
6 years ago @gorhill Will this finally fix all such "extension errors" invoked via CSP header modification or only this one in particular ?
gorhill
commented
6 years ago Unfortunately, added response headers were not merged on Firefox 58 and less: https://bugzilla.mozilla.org/show_bug.cgi?id=1377689, so this means the fix here is a regression for FF58 and less.
Test case:
URL: http://tobago-vm.apache.org/demo-4-snapshot/content/30-concept/80-security/content-security-policy.xhtml?dswid=-3095
Browser console with default uBO settings:
Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Content Security Policy: Ignoring unknown option 'none'
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://tobago-vm.apache.org”). Source: call to eval() or related function blocked by CSP.
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://tobago-vm.apache.org”). Source: 
 <
Okamoi
commented
6 years ago This seems fixable if I inject a new CSP header instead of modifying an existing one -- which both uMatrix and uBO do. Speculating: this is probably a solution because it's allowed for servers to send more than one CSP header.
Unfortunately, added response headers were not merged on Firefox 58 and less: https://bugzilla.mozilla.org/show_bug.cgi?id=1377689, so this means the fix here is a regression for FF58 and less.
@gorhill I'm not sure what to conclude out of this, could you confirm or correct the following ?
Firefox 59 merges headers with the same name, which includes CSP headers, when there is more than one add-on trying to modify them.
So now, can a website infer from the headers that I have both uMatrix and uBO installed ? I'd rather have them only able to infer I have uBO, as it has many users. uMatrix is more of an oddball unfortunately and I'd rather not stand out if possible.
More generally, what can the website figure out from headers if I have both uBO and uMatrix installed ?
Note that this is a different question, the first one assumes uBO can be figured out and wishes to know if having uMatrix on top can go unnoticed. The second seeks to know if uBO and/or uMatrix are even distinguishable from one another, from another content blocker or from, I don't know, Firefox's Tracking Protection or even a network failure or a site bug.
Thanks!
Switched from an Amazon page where I blocked almost nothing with uMatrix to a new tab and loaded a site that blocked everything except the frame and CSS. Suddenly I get a notification on Chrome telling me I've got an "extension error" or something, and when I reviewed my extensions, the following warning appeared:
No idea if that is a bad thing, both uBlock Origin and uMatrix seem to continue to work as expected.
Settings
