Per scope switches
Per-scope switches allow a user to customize various settings for a specific scope.
The state of a per-scope switch set in a broad scope is inherited by all narrower scopes, unless a more specific rule overrides the broader one.
For example, turning on the "Spoof Referer header" switch in the global (*) scope causes the Referer header to be spoofed everywhere. Spoofing can, however, cause a site to stop working properly, so the global state of the "Spoof Referer header" switch can be overridden by disabling the switch just for the scope where it causes problems.
Important: the per-scope switches are independent of the matrix filtering switch. If you turn matrix filtering off for a scope, the per-scope switches which are toggled on still apply there. For example, one can turn off matrix filtering while keeping the ability to forbid mixed content.
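The inheritance and override behaviour described above, as an added example that is not uMatrix's own code: a small resolver that reads rules in the "My Rules" style (`switch-name: scope true|false`) and finds the effective state of a switch for a hostname by walking from the full hostname up through its parent domains to the global `*` scope. The switch names used (`matrix-off`, `https-strict`, `referrer-spoof`, `no-workers`, `noscript-spoof`) are assumed to mirror uMatrix's rule syntax; the rule set is constructed for the example.

```javascript
// Added example, not uMatrix's own code. Switch names are assumed to follow
// uMatrix's "My Rules" syntax; the rule set below is constructed.

// Parse "switch-name: scope true|false" lines into Map(name -> Map(scope -> bool)).
// Lines that do not look like a switch rule (matrix rules, comments) are ignored.
function parseSwitchRules(text) {
  const rules = new Map();
  for (const raw of text.split('\n')) {
    const m = /^([a-z-]+):\s+(\S+)\s+(true|false)$/.exec(raw.trim());
    if (!m) continue;
    const [, name, scope, state] = m;
    if (!rules.has(name)) rules.set(name, new Map());
    rules.get(name).set(scope, state === 'true');
  }
  return rules;
}

// Walk from the most specific scope (the full hostname) up through its parent
// domains and finally the global scope "*". The first rule found wins, so a
// narrower scope overrides a broader one and scopes without a rule inherit
// from above. (Real uMatrix stops at the registrable domain, which it derives
// from the Public Suffix List; walking every suffix is a simplification.)
function resolveSwitch(rules, name, hostname) {
  const perScope = rules.get(name);
  if (!perScope) return false;
  const labels = hostname.split('.');
  for (let i = 0; i < labels.length; i++) {
    const scope = labels.slice(i).join('.');
    if (perScope.has(scope)) return perScope.get(scope);
  }
  return perScope.has('*') ? perScope.get('*') : false;
}

// Per-scope switches are resolved independently of each other, including
// "matrix-off": turning the matrix off for a scope does not turn the other
// switches off there.
const SWITCHES = ['matrix-off', 'https-strict', 'referrer-spoof', 'no-workers', 'noscript-spoof'];

function effectiveSwitches(rules, hostname) {
  const out = {};
  for (const name of SWITCHES) out[name] = resolveSwitch(rules, name, hostname);
  return out;
}

// Constructed sample: referer spoofing on everywhere except example.com and
// its subdomains, mixed content forbidden globally, and matrix filtering
// turned off for shop.example.com only.
const SAMPLE_RULES = `
referrer-spoof: * true
referrer-spoof: example.com false
https-strict: * true
matrix-off: shop.example.com true
`;
const sampleRules = parseSwitchRules(SAMPLE_RULES);

console.log(effectiveSwitches(sampleRules, 'shop.example.com'));
console.log(effectiveSwitches(sampleRules, 'www.example.org'));
```

For `shop.example.com` the result has `matrix-off` and `https-strict` both true and `referrer-spoof` false: the site-specific `example.com false` rule overrides the global `* true`, and forbidding mixed content stays in effect even though the matrix itself is off for that scope.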
Forbid mixed content
If you are not familiar with what "mixed content" is, here are some places to learn more about it:
- Mozilla Developer Network: Mixed Content
- Qualys Blog: HTTPS Mixed Content: Still the Easiest Way to Break SSL
- W3C: Mixed Content
When the "Forbid mixed content" switch is turned on, uMatrix blocks every cleartext http:// request made by a page which was itself loaded over https://, whatever the type of the request.
"Forbid mixed content" does more than protect against MITM attacks. Without it, data-mining by third parties can still occur: unscrupulous ISPs (Verizon et al.) have injected tracking identifiers into the HTTP headers of outgoing requests which are not made over encrypted connections, and a single cleartext subresource request from an otherwise encrypted page is enough for that.
Chromium and Firefox forbid some mixed content by default. When a page contains mixed content, a small shield icon appears in the address bar, and the user may click on it to load the content the browser refused to load. However, as investigated by a user, this does not apply to image, video and audio resources: browsers treat these as "passive" mixed content and, unlike "active" mixed content such as scripts, stylesheets and frames, have historically loaded them with only a warning.
Since uMatrix 0.9.0.0, insecure network requests are blocked directly by uMatrix, rather than by the browser through a CSP directive injected by uMatrix. This means that if a page has mixed content, your browser will still notify you about the mixed content on that page, even though the connections were actually blocked by uMatrix (use the logger to see for yourself).
- Note: having this switch turned ON can break some websites. That is not a bug but an unintended side effect, and the switch should be disabled for the specific website instead.
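The difference between what the browser does on its own and what the "Forbid mixed content" switch does, as an added example (not uMatrix's own code): a request-level decision in the style of a `webRequest.onBeforeRequest` listener, run over a constructed set of subresource requests from an https page. The request type names are the webRequest ones; the split of types into "active" and "passive" follows browser behaviour and is an assumption about the exact list.

```javascript
// Added example, not uMatrix's own code. Request types and the active/passive
// split are assumptions modelled on browser behaviour; the sample is constructed.

// Request types browsers treat as "active" mixed content and block outright.
// Anything else (image, media, ...) is "passive": historically loaded, with
// only a warning shown to the user.
const ACTIVE_TYPES = new Set([
  'script', 'stylesheet', 'sub_frame', 'xmlhttprequest', 'font', 'object', 'websocket',
]);

// True when the page is encrypted but the request is not (http: or ws:).
function isMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  if (page.protocol !== 'https:') return false;
  return req.protocol === 'http:' || req.protocol === 'ws:';
}

// What the browser decides by itself: 'allow', 'block' (active) or 'warn'
// (passive content is still fetched, the shield icon just appears).
function browserDefault(pageUrl, requestUrl, type) {
  if (!isMixedContent(pageUrl, requestUrl)) return 'allow';
  return ACTIVE_TYPES.has(type) ? 'block' : 'warn';
}

// What "Forbid mixed content" (https-strict) does when it is in effect for the
// page's scope: every mixed request is cancelled, regardless of its type.
// Returns a webRequest-style blocking response.
function onBeforeRequest(pageUrl, requestUrl, httpsStrict) {
  if (httpsStrict && isMixedContent(pageUrl, requestUrl)) return { cancel: true };
  return {};
}

// Constructed sample: an https page pulling in several resources.
const SAMPLE_PAGE = 'https://shop.example.com/cart';
const SAMPLE_REQUESTS = [
  { url: 'http://cdn.example.net/logo.png',  type: 'image' },
  { url: 'http://cdn.example.net/app.js',    type: 'script' },
  { url: 'https://api.example.com/v1/cart',  type: 'xmlhttprequest' },
  { url: 'ws://chat.example.net/socket',     type: 'websocket' },
];

// Side-by-side verdicts for every request on the page.
function auditPage(pageUrl, requests, httpsStrict) {
  return requests.map(r => ({
    url: r.url,
    browser: browserDefault(pageUrl, r.url, r.type),
    umatrix: onBeforeRequest(pageUrl, r.url, httpsStrict).cancel ? 'block' : 'allow',
  }));
}

console.table(auditPage(SAMPLE_PAGE, SAMPLE_REQUESTS, true));
```

The logo is the case the page is about: the browser only warns and fetches it anyway (a cleartext request an ISP can tag), while uMatrix cancels it; the https API call is left alone by both. The browser's own mixed-content indicator still lights up, since it made its decision before the request reached the blocking listener.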
Forbid web workers
For those unfamiliar with web workers in general, the documentation listed below is a good place to start:
Turning this switch ON forbids the creation of Web Workers, through a Content Security Policy (CSP) header inserted by uMatrix. Keep in mind that there is no global toggle for this per-scope switch yet (a suggestion has been made), which is why turning it ON for a particular website creates a rule for that website only. To apply this switch globally, replace the domain name with * in My Rules and save.
Forbidding Web Workers was specifically added back to foil websites which load cryptocurrency miners in web workers, without any kind of opt-in/opt-out or prior notification to users.
- Note: having this switch turned ON can break some websites. That is not a bug but an unintended side effect, and the switch should be disabled for the specific website instead.
Spoof Referer header
Referer spoofing has been transformed from a global setting into a per-scope setting, so it can now be enabled or disabled on a per-scope basis.
The setting in the Settings tab is still there; its purpose is to control referer spoofing for the global scope (*). Since narrower scopes inherit the switch state from a broader scope, the global-scope switch still acts as a global setting, the difference being that its state can now be overridden in a narrower scope.
The logic behind referer spoofing is simpler now: the referer is spoofed if and only if the switch is turned on and the domain of the referer URL is third-party to the domain of the request URL. Whether the domain of the request URL is whitelisted is now irrelevant.
Also, notice the term "spoofing" is now used. Whereas before the referer string was blanked, the referer is now replaced with the root URL derived from the URL of the request. For example, if the URL of a request is http://www.example.com/blahblahblah/boring.html and the referer is http://google.com, the referer is spoofed to the string http://www.example.com/.
- Note: having this switch turned ON can break some websites. That is not a bug but an unintended side effect, and the switch should be disabled for the specific website instead.
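The spoofing rule described above, as an added example that is not uMatrix's own code: the referer is replaced with the root URL of the request only when the switch is on and the referer is third-party to the request. Third-partiness is decided on the registrable domain; uMatrix derives that with the Public Suffix List, while this example approximates it with the last two hostname labels (an assumption that is wrong for suffixes such as co.uk). The header array shape is the one used by `webRequest.onBeforeSendHeaders`; the sample headers are constructed.

```javascript
// Added example, not uMatrix's own code. The registrable-domain heuristic and
// the header sample are assumptions made for the example.

// Approximation of the registrable domain (eTLD+1) without the Public Suffix
// List: the last two labels. Good enough for example.com, wrong for co.uk.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Third-party means the referer and the request belong to different
// registrable domains; a different subdomain of the same domain is first-party.
function isThirdParty(refererUrl, requestUrl) {
  return registrableDomain(new URL(refererUrl).hostname) !==
         registrableDomain(new URL(requestUrl).hostname);
}

// Returns the Referer value to actually send: unchanged when the switch is off,
// when there is no referer, or when the referer is first-party; otherwise the
// root URL of the request (scheme, host and port, trailing slash).
function spoofReferer(requestUrl, referer, switchOn) {
  if (!switchOn || !referer) return referer;
  if (!isThirdParty(referer, requestUrl)) return referer;
  const req = new URL(requestUrl);
  return `${req.protocol}//${req.host}/`;
}

// Apply the rule to a webRequest-style header array ([{ name, value }]),
// leaving every header other than Referer untouched.
function rewriteRequestHeaders(requestUrl, headers, switchOn) {
  return headers.map(h =>
    h.name.toLowerCase() === 'referer'
      ? { name: h.name, value: spoofReferer(requestUrl, h.value, switchOn) }
      : h);
}

// Constructed sample headers for the request from the text above.
const SAMPLE_HEADERS = [
  { name: 'Host', value: 'www.example.com' },
  { name: 'Referer', value: 'http://google.com' },
  { name: 'Accept', value: 'text/html' },
];

console.log(rewriteRequestHeaders(
  'http://www.example.com/blahblahblah/boring.html', SAMPLE_HEADERS, true));
```

Sending the request's own root URL rather than an empty value is what keeps sites working that reject referer-less requests (a common, if weak, CSRF check), while still hiding where the user came from.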
Spoof <noscript> tags
With uMatrix 1.1.14, user agent spoofing has been removed and a new switch, "Spoof <noscript> tags", has been added; it is on by default.
Since spoofing <noscript> is not always desirable, the global setting can be overridden on a per-scope basis with the "Spoof <noscript> tags" switch.
This feature is most useful to users who block 1st-party scripts by default: the browser itself still has JavaScript enabled, so it never renders <noscript> content on its own, even when uMatrix has blocked every script on the page.
Note that this might be the long-term approach used for enabling <noscript> tags: the approach planned by Firefox is not really suitable to uMatrix, as it would require completely disabling JavaScript for a site (causing the matrix ruleset to be disregarded), whereas with the current approach one can still enable 3rd-party scripts and yet have the <noscript> tags spoofed.
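What "spoofing" a <noscript> tag amounts to, as an added example that is not uMatrix's own code: the fallback content is unwrapped so that it renders even though the browser believes scripting is enabled. Because a JavaScript-enabled browser parses the inside of a <noscript> element as raw text, a content script has to read each element's text and re-parse it as HTML; the first function below does the equivalent on the page's HTML source so it can be run stand-alone, the second is the same operation on a live document (browser only, using the standard DOM API). The sample page is constructed.

```javascript
// Added example, not uMatrix's own code. The sample markup is constructed.

// Matches one complete <noscript ...>...</noscript> element, any case, with or
// without attributes. <noscript> cannot nest, so a non-greedy match is safe.
const NOSCRIPT_RE = /<noscript\b[^>]*>([\s\S]*?)<\/noscript\s*>/gi;

// Returns the markup with every <noscript> element replaced by its content,
// plus how many elements were unwrapped.
function spoofNoscript(html) {
  let count = 0;
  const out = html.replace(NOSCRIPT_RE, (_, inner) => { count += 1; return inner; });
  return { html: out, count };
}

// Same operation on a live document, roughly what a content script would do.
// With scripting enabled, el.textContent is the raw fallback markup;
// insertAdjacentHTML parses it into real nodes (scripts inserted this way do
// not execute, so the fallback cannot smuggle a script past the matrix).
function spoofNoscriptInDocument(doc) {
  const elems = Array.from(doc.querySelectorAll('noscript'));
  for (const el of elems) {
    el.insertAdjacentHTML('beforebegin', el.textContent);
    el.remove();
  }
  return elems.length;
}

// Constructed sample: a page whose navigation and an image only exist as
// <noscript> fallbacks, and whose script uMatrix would have blocked.
const SAMPLE_HTML = `<!doctype html>
<html><head><title>Sample</title></head><body>
<script src="/app.js"></script>
<noscript><p class="warn">JavaScript is disabled.</p><ul id="nav"><li><a href="/">Home</a></li></ul></noscript>
<div id="app"></div>
<NOSCRIPT class="fallback"><img src="/fallback.png" alt="fallback"></NOSCRIPT>
</body></html>`;

console.log(spoofNoscript(SAMPLE_HTML).html);
```

After the rewrite the navigation list and the fallback image are ordinary elements the browser renders, while the blocked `<script>` tag is left exactly where it was; the third-party scripts the user has allowed keep running.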