1

My question is not specific to uMatrix, but is framed from that PoV:

background info: uMatrix is a browser extension whose main interface offers a rectangular grid of permissions (allow/inherit/block), with domains and subdomains down the side and the following options across the top: Cookies, CSS, Images, Media (a/v & plugins), Scripts, XHR (including Fetch & WebSockets), Frames, Other.

Let's say I'm visiting the example.com website, which unfortunately calls a variety of URLs from maliciousthirdparty.net.

If my browser blocks scripts, media & frames from maliciousthirdparty.net, but allows XHR, does that permission by itself allow anything to happen at all? Can XHR be called from static HTML, CSS, cookies, or images?

Conversely, if my browser blocks XHR, but allows scripts or plugins, does that prevent maliciousthirdparty.net from achieving results that could not already be accomplished by another method instead (e.g. createElement('script'))?

In other words, what is an example where a separate XHR permission setting could be important?

Improve this question
3
  • You've overlooked the possibility of example.com's JavaScript making an XHR request to maliciousthirdparty.net.
    – AndrolGenhald
    Commented Jan 26, 2018 at 21:53
  • I was under the impression that cross-domain requests were forbidden. If that's incorrect, perhaps your comment should become an answer?
    – Foo Bar
    Commented Jan 26, 2018 at 22:06
  • It's been a while since I've used CORS, and my knowledge has always been a little foggy in this area, but I believe it's up to maliciousthirdparty.net to allow the cross-origin request. Even if it were example.com's decision it's possible they want to make requests to innocentthirdparty.net, but innocentthirdparty.net got hacked.
    – AndrolGenhald
    Commented Jan 26, 2018 at 22:21

1 Answer 1

Reset to default
1

It may be possible for example.com's JavaScript to make XHR requests to maliciousthirdparty.net. By default this is blocked due to the same-origin policy, but maliciousthirdparty.net can send CORS headers to allow the requests.

If you block XHR requests to the domain while allowing scripts to be loaded from it, it may make it more difficult for a malicious script to exfiltrate data. This could be useful for example if you don't trust the CDN hosting a JavaScript library that example.com requires to function properly.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .