Skip to content
This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

Script not detected on cgit commit page #485

Closed
ghost opened this issue Feb 9, 2016 · 6 comments
Closed

Script not detected on cgit commit page #485

ghost opened this issue Feb 9, 2016 · 6 comments

Comments

@ghost
Copy link

ghost commented Feb 9, 2016

Example
The "diff options" don't work without enabling scripts for git.musl-libc.org, but the script column is empty.
@coffeemakr
Copy link
Contributor

I think the reason why the script column is empty is because the JavaScript code is embedded in the HTML code and not an external resource which was blocked.
In this case uMatrix prevents the execution of the script but does not block a resource.

@gorhill
Copy link
Owner

gorhill commented Jun 14, 2016
edited
Loading

uMatrix will count all the embedded scripts as one script -- but there is no script tags on that page.

@gorhill
Copy link
Owner

gorhill commented Jun 14, 2016

Works fine on my side with FF 47/Chromium 50, with a blocked script column -- there is no script for that page.

@gorhill gorhill closed this as completed Jun 14, 2016
@gorhill gorhill reopened this Jun 14, 2016
@gorhill
Copy link
Owner

gorhill commented Jun 14, 2016

I see, we are talking about the drop-down lists under the diff options section -- thought it was about the diff pane itself.

@gorhill
Copy link
Owner

gorhill commented Jun 14, 2016
edited
Loading

Though uMatrix will take into account script tags, the case here is that there are no script tags, however there are embedded event handlers, which are not taken into account: <select name='h' onchange='this.form.submit();'>. uMatrix needs to look for these too.

@gorhill
Copy link
Owner

gorhill commented Dec 11, 2017

Ultimately, there is a missing API browser-side for uMatrix to account reliably of any sort of inline script code on a page. Without such API, it's impossible to guarantee that uMatrix will always report 100% of the time that inline javascript is being executed on the page.

NoScript uses report-to/report-uri, and this is a good idea to solve the problem. This would allow uMatrix to report 100% reliably when inline script code is trying to execute on a page. However for this to work there needs to be a fake URL to which the report is sent, and one has to worry that such fake URL requests do not end up leaving the browser, and I rather avoid such a questionable detour for what is merely a one bit of information in the case of uMatrix. This also creates "noise" on the webRequest API handlers of other extensions.

With an API such as webRequest.onCSPViolationOccurred, there would be no need to such a complicated detour to simply access a trivial piece of information.

gorhill referenced this issue Jan 2, 2018
@gorhill
reliably report web worker and inline script presence
821e457
Noxgrim pushed a commit to Noxgrim/uMatrix that referenced this issue Dec 29, 2021
@gorhill
fix gorhill#485
ce6eacb
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gorhill @coffeemakr