8
24
Fork
You've already forked nuMatrix
4

RFE: Option to anonymize requests #415

Closed
opened 2015年11月18日 06:23:46 +01:00 by ThrawnCA · 5 comments
ThrawnCA commented 2015年11月18日 06:23:46 +01:00 (Migrated from github.com)
Copy link

I'm a longtime user of NoScript with its Application Boundary Enforcer module, and was actually thinking of writing a graphical frontend for ABE, but I've now discovered that uMatrix covers >90% of general usage...

One important remaining advantage of ABE is the ability to anonymize requests: strip cookies, Authorization header, and POST body. This is beneficial both for security - preventing attacks like CSRF - and privacy (since it strips cookies).

Is it feasible for uMatrix to perform this kind of anonymization?

I'm a longtime user of NoScript with its Application Boundary Enforcer module, and was actually thinking of writing a graphical frontend for ABE, but I've now discovered that uMatrix covers >90% of general usage... One important remaining advantage of ABE is the ability to anonymize requests: strip cookies, Authorization header, and POST body. This is beneficial both for security - preventing attacks like CSRF - and privacy (since it strips cookies). Is it feasible for uMatrix to perform this kind of anonymization?
ThrawnCA commented 2015年11月18日 06:24:48 +01:00 (Migrated from github.com)
Copy link

NoScript is GPL-licensed, if its source would be helpful, and there is an unofficial Git repo at https://github.com/avian2/noscript

NoScript is GPL-licensed, if its source would be helpful, and there is an unofficial Git repo at https://github.com/avian2/noscript
gorhill commented 2015年11月18日 20:07:22 +01:00 (Migrated from github.com)
Copy link

Cookie headers are stripped when the cookie cell associated with a specific destination is in block mode.

For POST requests, are there use cases for when we want the requests to reach the server but without the content?

`Cookie` headers are stripped when the cookie cell associated with a specific destination is in block mode. For `POST` requests, are there use cases for when we want the requests to reach the server but without the content?
ThrawnCA commented 2015年11月19日 00:02:35 +01:00 (Migrated from github.com)
Copy link

Excellent point about cookies, I overlooked that column.

Stripping POST bodies is more of a security safeguard, I guess, rather than general content blocking. NoScript routinely does this whenever sites that are not on its whitelist send cross-site POST requests. It effectively disarms many CSRF/XSS attacks. Less important, of course, when you're fully controlling the matrix of cross-site requests with a default-deny.

Any chance of affecting Authorization headers? It might even make sense to strip them whenever cookies are stripped, as a special case (they're two different types of authentication headers, really).

Excellent point about cookies, I overlooked that column. Stripping POST bodies is more of a security safeguard, I guess, rather than general content blocking. NoScript routinely does this whenever sites that are not on its whitelist send cross-site POST requests. It effectively disarms many CSRF/XSS attacks. Less important, of course, when you're fully controlling the matrix of cross-site requests with a default-deny. Any chance of affecting Authorization headers? It might even make sense to strip them whenever cookies are stripped, as a special case (they're two different types of authentication headers, really).
the8472 commented 2015年11月22日 04:44:49 +01:00 (Migrated from github.com)
Copy link

On firefox, one could set the LOAD_ANONYMOUS flag on the channel. It removes cookies, authentication headers, referrers and Origin headers (for CORS requests).

That may break more sites than just blocked cookies though, so it probably has to be a separate option.

On firefox, one could set the [LOAD_ANONYMOUS](https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIRequest#Constants) flag on the channel. It removes cookies, authentication headers, referrers and Origin headers (for CORS requests). That may break more sites than just blocked cookies though, so it probably has to be a separate option.
arek added this to the (deleted) project 2023年10月29日 22:49:52 +01:00
arek added this to the v1.0 milestone 2026年06月19日 10:23:48 +02:00
arek added this to the (deleted) project 2026年06月19日 10:25:50 +02:00
arek added this to the v1.0 project 2026年06月19日 10:29:27 +02:00

My analysis of this:
Cookies - already stripped when the cookie cell is blocked
Referer - rewritten/removed for third party requests via referrer-spoof
Origin - altering would break CORS and server-side CSFR checks
POST body - webRequest exposes body as read only, it can only be cancelled (LOAD_ANONYMOUS flag is gone since FF 57)
Authorization - worth doing for Basic/Digest, otherwise it could break APIs

My analysis of this: Cookies - already stripped when the cookie cell is blocked Referer - rewritten/removed for third party requests via referrer-spoof Origin - altering would break CORS and server-side CSFR checks POST body - webRequest exposes body as read only, it can only be cancelled (LOAD_ANONYMOUS flag is gone since FF 57) Authorization - worth doing for Basic/Digest, otherwise it could break APIs
arek 2026年06月21日 11:25:29 +02:00
  • closed this issue
  • added the
    done
    label
This discussion has been locked. Commenting is limited to contributors.
No Branch/Tag specified
master
dev
v0.1.2
v0.1
0.0.0.8b
0.0.0.7b
0.0.0.5b
0.0.0.4b
0.0.0.3b
0.0.0.2b
0.0.0.1b
1.4.3b0
1.4.2
1.4.1b6
1.4.1b5
1.4.1b4
1.4.0
1.3.17b2
1.3.17b1
1.3.16
1.3.14
1.3.12
1.3.10
1.3.8
1.3.6
1.3.4
1.3.3b9
1.3.3b8
1.3.2
1.3.0
1.2.0
1.1.20
1.1.18
1.1.16
1.1.14
1.1.12
1.1.11b0
1.1.10
1.1.8
1.1.7rc0
1.1.7b0
1.1.6
1.1.4
1.1.0
1.0.0
0.9.3.6
0.9.3.4
0.9.3.3
0.9.3.2
0.9.3.1
0.9.3.0
0.9.2.1
0.9.2.0
0.9.1.2
0.9.1.1
0.9.1.0
0.9.0.1
0.9.0.0
0.8.1.4
0.8.1.3
0.8.1.1
0.8.1.0
0.8.0.1
0.8.0.0
0.8.0.0-rc.2
0.8.0.0-rc.1
0.8.0.0-rc.0
0.8.0.0-alpha.19
0.8.0.0-alpha.18
0.8.0.0-alpha.17
0.8.0.0-alpha.16
0.8.0.0-alpha.15
0.8.0.0-alpha.14
0.8.0.0-alpha.11
0.8.0.0-alpha.10
0.8.0.0-alpha.9
0.8.0.0-alpha.8
0.8.0.0-alpha.7
0.8.0.0-alpha.6
0.8.0.0-alpha.4
0.8.0.0-alpha.3
0.8.0.0-alpha.2
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
arek/nuMatrix#415
Reference in a new issue
arek/nuMatrix
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?