µMatrix thread

General discussion about web technology.
Post Reply
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: µMatrix thread

Post by kukla »

Since 1st party scripts are blocked by NoScript, except for those whitelisted, and according to what you said before, NS takes priority, this seems to be redundant. But don't think it can hurt, so added that rule successfully. Now seeing that single script blocked in uM. Thanks for the directions.
EDIT: uh oh, I will have to remove that rule. Even though I have a site allowed in NS, setting that rule disables some of that site's functionality. With that rule set, unable to use the quote feature, similar to the one here, of that other board. In fact, the quote feature, including any of the text options above, was also disabled here. So, unless I misunderstood what you said before, it doesn't appear that NS takes priority.

Now uncertain what is taking priority, uM or NS, since that didn't work out very well.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: µMatrix thread

Post by barbaz »

I think your uncertainty is because of the phrase "take priority". Think of it like, you're driving a car down a country road that's blocked by two large fallen trees. Will you be able to drive through if you remove only one of the trees? - no, the other one is still in the way. See? :)

Hope this helps.
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: µMatrix thread

Post by kukla »

Since I don't want to do all my general browsing with JS enabled, I've reinstated that rule to disable first party scripts, and will have to set specific scripts permissions for sites that I regularly visit which require attention to scripts.

But not sure it's worth all the trouble to use both together, since NS alone can be frustrating enough. I may just whitelist everything in uM and keep it solely for its Hosts block list

Thanks for all the help with this.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: µMatrix thread

Post by barbaz »

kukla wrote:not sure it's worth all the trouble to use both together, since NS alone can be frustrating enough.
Which is why I prefer to leave script blocking to NoScript.

My µMatrix rules do:
- 3rd-party frame blocking
- Site-specific rules, usually to control *all* requests to/from a domain, not just scripts. Useful to protect against stuff like this.
- And this rule -

Code: Select all

* * other block
Just a suggestion that works for me. YMMV.
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: µMatrix thread

Post by kukla »

barbaz wrote:
kukla wrote:not sure it's worth all the trouble to use both together, since NS alone can be frustrating enough.
Which is why I prefer to leave script blocking to NoScript.

My µMatrix rules do:
- 3rd-party frame blocking
- Site-specific rules, usually to control *all* requests to/from a domain, not just scripts. Useful to protect against stuff like this.
- And this rule -

Code: Select all

* * other block
Just a suggestion that works for me. YMMV.
Third party frame blocking I understand, but requests to and from, would that be XHR, or where? Would that simply include turning everything red below the first party area? (Used to use Request Policy, at least for a time, then all that became too cumbersome--anyway it seems to be long gone.)

Perhaps a screenshot to illustrate just how this appears for a given site? Thanks.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: µMatrix thread

Post by barbaz »

I start like this -

Code: Select all

forums.informaction.com * * block
forums.informaction.com 1st-party * allow
... then allow individual 3rd-party sites as needed, as narrowly as feasible.

Code: Select all

forums.informaction.com i.psyche.me image allow
forums.informaction.com tinypic.com image allow
Result of the above rules -
[x]
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: µMatrix thread

Post by kukla »

barbaz wrote:I start like this -

Code: Select all

forums.informaction.com * * block
forums.informaction.com 1st-party * allow
... then allow individual 3rd-party sites as needed, as narrowly as feasible.

Code: Select all

forums.informaction.com i.psyche.me image allow
forums.informaction.com tinypic.com image allow
Result of the above rules -
I'm afraid this is dragging out. Perhaps you weren't sure what you were getting yourself into when all this began, I do appreciate the ongoing help with this. But some additional questions (what else is new :shock: ) Hope this doesn't get too confusing. I'm already pretty confused.

First. a screenshot of my current uM for this topic. I did have one that showed googleusercontent, but that's not showing in the current one that shows tinypic.

EDIT: Sorry, no screenshot. No idea why, but keep getting upload failed from tinypic now, so can't include that screenshot. At first I thought it was due to a pixel from solvemedia being blocked by uM, but even after reluctantly allowing it, it still keeps failing. Just disabled uM temporarily and still keeps happening, so must be something at their end.

Nowhere am I seeing anything i.psyche.me (an image which you are allowing) or psyche.me. When I google i.psyche.me, I'm getting a site from which to upload smileys (doesn't seem right, but is that where informaction gets its basic roster of smileys, and is that why it's showing for you--or did someone else in this thread use one from there, and if so, why am I not seeing that url for an image?), and when I google psyche.me I get some kind of hosting svc. or domain name sales site. So no idea where either of these is coming from.

But most important, since we were most recently discussing limiting or controlling content >from or to<, how did you decide to allow the image from i.psyche.me, or any third party image, for that matter?

Also, not for informaction specifically, but in general, NoScript will show any number of third party scripts to temporarily or permanently allow or not. So if you recommend letting NS do the script blocking, how do you go about letting NS take care of that job, when uM is showing a number of third party scripts? How do you know what to allow or not? From what I gather now...I think...maybe...if uM blocks a third party script, it will prevent NS from allowing it.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: µMatrix thread

Post by barbaz »

That screenshot was taken on viewtopic.php?f=18&t=20815&start=75 . For some reason, sometimes µMatrix doesn't see the 3rd-party domains until after the tab is reloaded.
kukla wrote:since we were most recently discussing limiting or controlling content >from or to<, how did you decide to allow the image from i.psyche.me, or any third party image, for that matter?
"i.psyche.me" is GµårÐïåñ's smileys site specifically for use on this forum. It's showing up because I used a smiley from there.

More generally, the only "good" 3rd-party stuff on this forum will be images from legitimate users. So I only allow known sites and legitimate image/smiley hosting sites. If I don't know the site and cannot determine that it is a legitimate image or smiley host, I don't allow it.

Also, context is important. For example, if I see that a blocked site is being called only as part of a spam post, I'm not going to allow it.


EDIT
Oops, I keep forgetting to mention that all this is about "controlling content from". For "controlling content to", it's just the same logic you'd use for deciding per-site permissions in NoScript. I don't filter by individual request types for that.
/EDIT
kukla wrote:Also, not for informaction specifically, but in general, NoScript will show any number of third party scripts to temporarily or permanently allow or not. So if you recommend letting NS do the script blocking, how do you go about letting NS take care of that job, when uM is showing a number of third party scripts? How do you know what to allow or not?
First I do this in µMatrix -

Code: Select all

* * script allow
Then, in NoScript, I narrow down the list of sites - viewtopic.php?p=75314#p75314

From there it's just trial-and-error.
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: µMatrix thread

Post by kukla »

Many thanks again for the ongoing help.

With Request Policy, it was clear just what urls were involved with requests to third parties. With uMatrix, it's clear to me what the "from" are, but not the "to." TinyPic worked once this A.M., but screwed up again, so can't post these screenshots directly. Perhaps you can have a look at both of these at http://imgur.com/a/Je8VA for NYTimes, both with NS and uMatrix, and perhaps explain how you would identify the outgoing requests in the uMatrix screenshot. (Here, I'm letting NS deal with all the script blocking with the added ruleyou suggested * * script allow ) And maybe you can explain the use of the asterisks in creating rules: why some rules are single, others double and still others are triple asterisks.

Other than that, I think I'm beginning to get a bit of a handle on the use of uM alongside NS.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: µMatrix thread

Post by barbaz »

The domain in the top left of the popup (in blue in your screenshot) is what µMatrix treats as "origin" / "from". You can click it to change the scope of the matrix. The available options are: all sites (*), domain (informaction.com), and site (forums.informaction.com).

The red & green cells are what's being requested, aka "outgoing requests" / "to".
kukla wrote:And maybe you can explain the use of the asterisks in creating rules: why some rules are single, others double and still others are triple asterisks.
This was explained in the OP of this thread. If it needs clarification I'd be happy to edit it.
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: µMatrix thread

Post by kukla »

For the asterisks, I guess this is what you were referring to when you said it was taken care of in the OP

Code: Select all

matrix-off: [site] true
[source|*] [destination|*] [type|*] [allow|block]
So single * is source only, double* is source + destination and triple* is source+destination+type ? (Not quite sure what "type" means though.

One more thing: one of the benefits of using uM which I discovered early on was that it could block the very obnoxious behavior of AOL Mail (with the AOL/VZ merger, Verizon mail customers have been forced to use AOL) in serving up various offers and ads by way of JavaScript redirects on logout. What happened when I added * * script allow to enable only NoScript to control the scripts, was that this junk started reappearing. By removing and then adding this rule back in, I was able to locate the particular offending scripts and tried blocking them, including their urls, by turning all that stuff dark red in uM. But with that rule in place this doesn't appear to work. This seems to mean that there cannot be a particular exception made for a single scope to block certain scripts if that rule is in place--uM seems to have zero control over scripts, even if it's only for a single scope. Just asking if you think this is correct.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: µMatrix thread

Post by barbaz »

kukla wrote:For the asterisks, I guess this is what you were referring to when you said it was taken care of in the OP

Code: Select all

matrix-off: [site] true
[source|*] [destination|*] [type|*] [allow|block]
So single * is source only, double* is source + destination and triple* is source+destination+type ?
Yep, first * is "any source", second * is "any destination, third * is "any type".
kukla wrote: (Not quite sure what "type" means though.
"Type" is just what sort of resource is being requested, e.g. image, media (audio/video/plugin), frame, script, etc.
kukla wrote:By removing and then adding this rule back in, I was able to locate the particular offending scripts and tried blocking them, including their urls, by turning all that stuff dark red in uM. But with that rule in place this doesn't appear to work. This seems to mean that there cannot be a particular exception made for a single scope to block certain scripts if that rule is in place--uM seems to have zero control over scripts, even if it's only for a single scope. Just asking if you think this is correct.
That doesn't sound right. Since redirects are involved, I would suggest checking this with the µMatrix logger.
(The uBlock Origin logger's documentation might also help you understand how to use the µMatrix logger - https://github.com/gorhill/uBlock/wiki/ ... cific-page)

First, without "* * script allow" - open the logger, then go through the steps that would reproduce the issue. Note which scripts are blocked.

Then add back "* * script allow" and reproduce the issue.

Compare blocked scripts between the two runs.
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: µMatrix thread

Post by kukla »

barbaz wrote:That doesn't sound right. Since redirects are involved, I would suggest checking this with the µMatrix logger.
(The uBlock Origin logger's documentation might also help you understand how to use the µMatrix logger - https://github.com/gorhill/uBlock/wiki/The-logger#accessing-popup-ui-of-a-specific-page)

First, without "* * script allow" - open the logger, then go through the steps that would reproduce the issue. Note which scripts are blocked.

Then add back "* * script allow" and reproduce the issue.

Compare blocked scripts between the two runs.
Can't get to this right now using the logger, but basically have already done as much. Without ** script allow, the redirects get stopped dead in their tracks, and two urls with scripts don't even appear in the matrix. So based on knowing which AOL urls/scripts appear to be involved, with ** script allow present I turned those two urls in the matrix dark red + their scripts and reloaded the page. But regardless, the redirects continued on logout.

Would love to post screenshots to illustrate, but now I'm even getting a message from Firefox that it can't find the server at s9.tinypic.com from which the code should issue. And isitdownrightnow confirms that the server is down for everyone. And don't want to start messing again with imgur. Btw, do you know of another free image hosting service that offers embedding code that doesn't require an account or sign up? Actually tried one before, but it was rejected for spamming, and I couldn't excise the offending part of the code.

But what "doesn't sound right?" That I can't successfully block those two urls when ** script allow is present? You mean I should be able to make a successful exception for that AOL scope? I tried any number of times and just couldn't find a way to block those scripts.

Will try the logger tomorrow when I have a bit more time.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: µMatrix thread

Post by barbaz »

kukla wrote:But what "doesn't sound right?" That I can't successfully block those two urls when ** script allow is present? You mean I should be able to make a successful exception for that AOL scope?
Exactly. Try it out on http://isjavascriptenabled.com/: (Temp-)Allow the site in NoScript, add "* * script allow" to µMatrix, then play around with the µMatrix popup and reload the page to see the effect.
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: µMatrix thread

Post by kukla »

Hey barbaz, thanks for the suggestion to check that JS site enabled or not. Result: with * * script allow and the site temporarily allowed in NS, I was able to block the script from uM. I can't explain why this isn't working for me with AOL. I've checked and rechecked my results any number of times, even tried blocking a script which I thought might be responsible that only appears on logout, and the bottom line is still the only way I can stop the JS redirects is to remove * * script allow. (If I could post screenshots, that might be more informative, or just be more confusing for you, but TinyPic is still AWOL. Will look into some other image hosting sites, and maybe get something going with those.)

Haven't tried the logger, and perhaps that would yield some valuable clues, or not, but I'm just getting too tired of staying down this rabbit hole with uMatrix. Been spending an inordinate amount of time with it, and now that I have a relatively decent (at least beginning) grasp of how it works, I'm just satisfied with leaving the script blocking to uM without * * script allow (and NS, to whatever extent they work together.) I'm very pleased with the granularity of control of scripts and other items that can be achieved with uM. Would never have been able to block those redirects any other way, so at least that's taken care of.

But there is one more thing: the following are all the possibly relevant rules, now with * * script allow removed. No idea, but perhaps you'll find something in there, maybe some contradiction, or something causing some kind of interference, that accounts for what's been happening:

* * * block
* * css allow
* * frame block
* * image allow
* * other block
* 1st-party * allow
* 1st-party frame allow
adblockplus.org adblockplus.org script allow
aol.com 1st-party frame block
aol.com api.gxp.aol.com script block
aol.com api.gxp.aol.com xhr block
aol.com at.atwola.com frame block
aol.com b.aol.com image block
aol.com cdn.at.atwola.com frame block
aol.com mail.aol.com frame block
aol.com mail.aol.com image block
aol.com mail.aol.com script allow
aol.com membernotifications.aol.com script block
aol.com my.screenname.aol.com script allow
aol.com s.aolcdn.com image block
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
Post Reply