uBlockOrigin / uBlock-issues

This is the community-maintained issue tracker for uBlock Origin
https://github.com/gorhill/uBlock

"uMatrix-like" static replacement of blocked URL in user resources #1422

Closed laniakea64 closed 2 years ago

laniakea64 commented 3 years ago

Description

Currently it is not possible for a user-defined resource to "know" / make use of the blocked URL.

In migrating uMatrix setup into uBO, it seems there is no equivalent of the default uMatrix frame placeholder document, and no way to implement that placeholder document in current uBO.

That document had the following useful features:

1) A clickable link to open the frame's URL in a new tab.

2) Displaying the frame's URL.

While both of these things exist in click2load.html, using click2load.html for such generic purpose would seem to leave a potential vulnerability to clickjacking attacks - one click in the wrong place loads the frame, and the next click...

uMatrix's approach to frame placeholder was to have a "placeholder text" ({{url}}) that gets "statically" replaced with the blocked URL. Some investigation indicates uMatrix's way is the only reliable approach - using params (like how click2load.html does) with a data: URI would result in a setup that can be broken by webpage CSP, and adding this document as a built-in resource like click2load.html leaves it failing in <iframe sandbox>. uMatrix is not subject to these limitations.

Can you please add the ability for a user-defined uBO resource to specify that a "placeholder text" in that resource should be replaced with the blocked URL, like uMatrix does, so that e.g. the uMatrix default frame placeholder document can be implemented as a user-defined uBO resource? Thanks!

(Related context, including discussion with gorhill: https://forums.informaction.com/viewtopic.php?f=18&t=26124#p103366 )

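The mechanism the issue asks for is simple to state: a placeholder token in the resource is replaced with the blocked URL before the document is ever served to the frame, so nothing at runtime has to read query parameters or a data: URI, and page CSP or `<iframe sandbox>` cannot interfere. The one security detail such a replacement must get right is escaping: the blocked URL is attacker-controlled (it comes from the page that embedded the frame), so it must be HTML-escaped before it lands inside `href=""` or the link text, and non-http(s) schemes should be refused outright. The following is an added example illustrating that replacement, not uBO or uMatrix code; the template, `renderPlaceholder`, `escapeHtml` and `isSafeFrameUrl` are hypothetical names chosen for this illustration.

```javascript
// Added example (not uBO or uMatrix code): build a frame-placeholder document by
// statically substituting the blocked URL into a {{url}} template, in the spirit
// of the uMatrix approach the issue describes. All names here are hypothetical.

// Constructed template modelled on the two features the issue lists: it shows
// the blocked URL and offers a link that opens it in a new tab. Because the
// only interactive element is a plain link, a stray click cannot load the
// frame in place, which is the clickjacking concern raised about click2load.html.
const PLACEHOLDER_TEMPLATE = `<!DOCTYPE html>
<html><head><meta charset="utf-8">
<style>body{font:12px sans-serif;color:#444;padding:8px}</style>
</head><body>
<p>Blocked frame:</p>
<p><a href="{{url}}" target="_blank" rel="noopener noreferrer">{{url}}</a></p>
</body></html>`;

// Escape the five characters that matter in HTML text and attribute values,
// so a hostile URL cannot break out of href="" or inject markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http(s) URLs are admitted into the template; javascript:, data: and
// anything else are refused so the placeholder never becomes a script vector.
function isSafeFrameUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Static replacement: every {{url}} in the template becomes the escaped URL.
// Returns null when the URL is not acceptable, leaving the caller to show a
// generic placeholder instead.
function renderPlaceholder(template, blockedUrl) {
  if (!isSafeFrameUrl(blockedUrl)) {
    return null;
  }
  return template.split('{{url}}').join(escapeHtml(blockedUrl));
}

// Constructed sample URL carrying the characters an attribute-breakout attempt
// would rely on; after substitution they appear only as entities.
const SAMPLE_URL = 'https://example.invalid/ad?x=1&y="><script>';
const sampleDocument = renderPlaceholder(PLACEHOLDER_TEMPLATE, SAMPLE_URL);
```

Because the URL is substituted before the document is handed to the frame, the placeholder itself contains no script and needs none; that is exactly the property that lets it survive a restrictive CSP on the embedding page and an `<iframe sandbox>` attribute, where a click2load-style document that reads its own query string cannot run.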

gorhill commented 3 years ago

potential vulnerability to clickjacking attacks

The use of click2load.html resource is entirely optional and when to use it is entirely under the user's control. If you worry about "clickjacking attacks", then it makes little sense for you to use click2load.html for anything else than what you actually trust.

laniakea64 commented 3 years ago

If you worry about "clickjacking attacks", then it makes little sense for you to use click2load.html for anything else than what you actually trust.

Indeed. I only use click2load.html for specific cases (and it's very nice for those cases :slightly_smiling_face: ).

Right now I have no generic placeholder for blocked frames. I block most 3rd-party frames by default and would like to have a generic placeholder where I don't have to trust the context. The uMatrix default frame placeholder document was perfect for this.