My question is not specific to uMatrix, but is framed from that PoV:
Background info: uMatrix is a browser extension whose main interface offers a rectangular grid of permissions (allow/inherit/block), with domains and subdomains down the side and the following options across the top: Cookies, CSS, Images, Media (a/v & plugins), Scripts, XHR (including Fetch & WebSockets), Frames, Other.
Let's say I'm visiting the example.com website, which unfortunately calls a variety of URLs from maliciousthirdparty.net.
If my browser blocks scripts, media & frames from maliciousthirdparty.net, but allows XHR, does that permission by itself allow anything to happen at all? Can XHR be called from static HTML, CSS, cookies, or images?
Conversely, if my browser blocks XHR, but allows scripts or plugins, does that prevent maliciousthirdparty.net from achieving results that could not already be accomplished by another method instead (e.g. createElement('script'))?
In other words, what is an example where a separate XHR permission setting could be important?
[...] example.com's JavaScript making an XHR request to maliciousthirdparty.net. [...] maliciousthirdparty.net to allow the cross-origin request. Even if it were example.com's decision it's possible they want to make requests to innocentthirdparty.net, but innocentthirdparty.net got hacked.
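The answer above hinges on the distinction between the browser sending a cross-origin XHR and the page's script being allowed to read the reply, which is what CORS governs. The following is an added example, not code from the question, the answer or the uMatrix project: it models the check a browser applies to a cross-origin XHR/fetch response (the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers) and the rule for when a preflight OPTIONS request is needed. The origins, header values and the scenario in `demo()` are constructed for illustration.

```javascript
// Added example (not from the original question or answer): a model of the
// check a browser applies before letting page JavaScript read a cross-origin
// XHR/fetch response. All origins and header values below are constructed.

// Methods and headers that a "simple" request may use without a preflight.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Does this request trigger an OPTIONS preflight before the real request is sent?
function needsPreflight(method, requestHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(requestHeaders)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return true;
    if (lower === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Given the page origin and the response headers from the cross-origin host,
// decide whether the browser exposes the response body to the script.
// Returns { allowed: boolean, reason: string }.
function corsAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const headers = {};
  for (const [k, v] of Object.entries(responseHeaders)) headers[k.toLowerCase()] = v;
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (acao === '*') {
    if (withCredentials) {
      return { allowed: false, reason: 'wildcard origin not allowed with credentials' };
    }
    return { allowed: true, reason: 'wildcard origin' };
  }
  if (acao !== pageOrigin) {
    return { allowed: false, reason: `origin ${pageOrigin} not allowed (header says ${acao})` };
  }
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentials sent but Access-Control-Allow-Credentials is not true' };
  }
  return { allowed: true, reason: 'origin matches' };
}

// Constructed scenario: a script on example.com makes XHRs to two third parties.
function demo() {
  const page = 'https://example.com';
  return {
    // The third party explicitly opts in to example.com reading its responses.
    malicious: corsAllowsRead(page, { 'Access-Control-Allow-Origin': 'https://example.com' }),
    // This one answers with no CORS header at all: a simple request is still
    // sent and reaches the server, but the script cannot read the reply.
    silent: corsAllowsRead(page, {}),
    // A wildcard works for anonymous requests but not for credentialed ones.
    wildcardAnon: corsAllowsRead(page, { 'Access-Control-Allow-Origin': '*' }),
    wildcardCreds: corsAllowsRead(page, { 'Access-Control-Allow-Origin': '*' }, true),
    // JSON bodies force a preflight; a form-encoded POST does not.
    preflightJson: needsPreflight('POST', { 'Content-Type': 'application/json' }),
    simpleForm: needsPreflight('POST', { 'Content-Type': 'application/x-www-form-urlencoded' }),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The `silent` case is the one that matters for the question: CORS only decides whether the script may read the response, not whether the request leaves the browser, so a simple GET or form POST to a third party is still sent (with cookies, if any) even when the third party sets no CORS headers. An XHR block in the extension stops the request before it is sent at all, which is a stronger guarantee than relying on the third party's headers, and it applies no matter whether the third party was malicious from the start or was an innocent host that later got compromised.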