uBlock-LLC / uBlock

uBlock: a fast, lightweight, and lean blocker for Chrome, Firefox, and Safari.
https://ublock.org/
GNU General Public License v3.0

Network Request Logger Improvements #502

Closed harshanvn closed 2 years ago

harshanvn commented 9 years ago

Hi Gorhill,

Improvement 1: When using dynamic filtering (with inline scripts turned on), I wonder if we could log the domain name from where inline scripts are blocked.

As a test case - http://www.explabs.com/test/

In popUI one can understand that inline script is blocked from www.explabs.com, but not from the request logger. This would be helpful when dealing with more complex sites, to see which 1p or 3p sites are involved in inline scripting :)

Note: Not sure, if this request makes sense :)

Improvement 2: It would be better to have allowed/blocked check boxes like in uMatrix, to quickly identify only the blocked list. And grouping of columns would be better.

Thanks!!


gorhill commented 9 years ago

Inline scripts are not network requests of their own, so they are not logged in the network request logger. To do so I would need the injected script to scan for at least one script tag with no src and textContent not being empty, then send a message back to uBlock's main, which would then emit a log entry.

Improvement 2: please, again, let's not mash together multiple issues, each issue needs to be very specific or else it becomes more difficult to associate a specific code change with a specific issue. In any case that would be a dup of #483.
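
The page-side check described in the comment above, as an added example that is not part of the original thread and is not uBlock's code. The message name `inlineScriptSeen`, the `send` callback and the `fakeScript` stand-in are assumptions made so the logic runs outside a browser; the sample document is constructed.

```javascript
// Added illustration, not uBlock source. `doc` is any object exposing `scripts`
// like a DOM Document; `send` is a hypothetical callback that relays the entry
// to the extension's main process.

// Common script types that browsers execute. Other types (for example
// application/json) are inert data blocks and are not reported.
const EXECUTABLE_TYPES = new Set([
  '', 'module', 'text/javascript', 'application/javascript',
  'text/ecmascript', 'application/ecmascript',
]);

function isInlineScript(el) {
  // With a src attribute the script is a network request; its body is ignored.
  if (el.hasAttribute('src')) return false;
  const type = (el.getAttribute('type') || '').trim().toLowerCase();
  if (!EXECUTABLE_TYPES.has(type)) return false;
  // A whitespace-only body executes nothing.
  return el.textContent.trim() !== '';
}

function reportInlineScripts(doc, pageHostname, send) {
  const count = Array.from(doc.scripts).filter(isInlineScript).length;
  if (count === 0) return null; // nothing to log for this page
  // Hypothetical log entry shape.
  const entry = { what: 'inlineScriptSeen', hostname: pageHostname, count };
  send(entry);
  return entry;
}

// Constructed stand-in for a <script> element.
function fakeScript(attrs, textContent) {
  const has = (name) => Object.prototype.hasOwnProperty.call(attrs, name);
  return {
    textContent,
    hasAttribute: has,
    getAttribute: (name) => (has(name) ? attrs[name] : null),
  };
}

// Constructed sample page: only the first and last entries are real inline scripts.
const sampleDoc = {
  scripts: [
    fakeScript({}, 'track();'),
    fakeScript({ src: 'https://cdn.example.com/a.js' }, 'ignored();'),
    fakeScript({ type: 'application/json' }, '{"k":1}'),
    fakeScript({}, '  \n '),
    fakeScript({ type: 'Text/JavaScript' }, 'init();'),
  ],
};
```
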

gorhill commented 9 years ago

Sort of off-topic, but the test case you linked to above, they say...

> It is a special stream of data (called a test signature) that has been created to enable you to test SocketShield safely

What a load of BS. There is no "special stream of data" in there, it's just a plain HTML window with nothing special in it, no script tags, no object tags. Just an iframe blocker as far as I can tell.

harshanvn commented 9 years ago

Sorry for the mashup of the issues. I will be careful next time :)

re. Improvement 1,

> Inline scripts are not network requests of their own, so they are not logged in the network request logger. To do so I would need the injected script to scan for at least one script tag with no src and textContent not being empty, then send a message back to uBlock's main, which would then emit a log entry.

hmmm, if this creates any overhead, I am not too interested. The reason why I came up with this suggestion is, in Firefox we do not have XSS Auditor (currently in development though). So, it would be ideal to validate if a particular site is involved in inline scripting. I think with "Inline Scripting" + 3P script blocking, one should be able to effectively mitigate XSS issues, for at least the most part. Src: http://www.html5rocks.com/en/tutorials/security/content-security-policy/ (I know you already knew of this :) )

harshanvn commented 9 years ago

I see you have fixed improvement 1 as part of the #519 fix. And improvement 2 is a duplicate of another. So, I am closing this one.

Thanks for fixing! Nice to see which site uses inline script and which not :)

gorhill commented 9 years ago

I guess I misunderstood your point 1 originally. Though I log the blocking, it doesn't mean the page has actual inline script tags. For this I would need to do what I described above.

harshanvn commented 9 years ago

Ok, I see what you mean. That is a good thing. I will leave it open and you can plan as it allows you.