How can i stop xhr traffic?

Discussions about the Application Boundaries Enforcer (ABE) module
Guest

Post by Guest » Thu Aug 04, 2016 12:26 pm

Is it possible to block (deny) traffic generated by Firefox like this:

Code:

POST 
http://ocsp.digicert.com/ [HTTP/1.1 200 OK 38ms]
GET
https://tracking-protection.cdn.mozilla.net/mozstd-track-digest256/1458772625 [HTTP/1.1 200 Connection established 85ms]
GET
https://tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/1458772625 [HTTP/1.1 200 OK 190ms]
POST
XHR
https://incoming.telemetry.mozilla.org/submit/telemetry/ebc3a706-1a89-4346-8a10-67fda841f98d/main/Firefox/48.0/release/20160726073904 [HTTP/1.1 200 Connection established 425ms]
POST
http://ocsp.digicert.com/ [HTTP/1.1 200 OK 43ms]
GET
XHR
https://aus5.mozilla.org/update/3/GMP/48.0/20160726073904/Linux_x86_64-gcc3/en-US/release/Linux%204.6.0-1-amd64%20(GTK%203.20.6%2Clibpulse%209.0.0)/default/default/update.xml [HTTP/1.1 200 Connection established 401ms]
POST
http://ocsp.digicert.com/


This is xhr as you can see. I would prefer to stop it with ABE. I made this attempt and that should stop all traffic (?)

Code:

Site ocsp.digicert.com
Deny


But this doesn't stop digicert.

I also recognized that websites use xhr. How can I stop that?

P.S.: I am using a standard NoScript install. No mods.
Digicert is whitelisted.
Cache is clean.
I have only Site > deny rules in my ABE user.
Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
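
Added example, not part of the original post or of NoScript: a Python parser for the network-log layout quoted in the post above, grouping requests by host and flagging XHR and cleartext-HTTP entries so the browser's background traffic can be inventoried. The sample log is constructed in the same format (the telemetry URL is shortened), and the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the same layout as the log quoted above:
# method line, optional "XHR" marker line, then "URL [status timing]".
SAMPLE = """\
POST
http://ocsp.digicert.com/ [HTTP/1.1 200 OK 38ms]
GET
https://tracking-protection.cdn.mozilla.net/mozstd-track-digest256/1458772625 [HTTP/1.1 200 OK 190ms]
POST
XHR
https://incoming.telemetry.mozilla.org/submit/telemetry/ [HTTP/1.1 200 Connection established 425ms]
POST
http://ocsp.digicert.com/
"""

METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}
URL_LINE = re.compile(r"^(?P<url>https?://\S+)(?:\s+\[(?P<status>[^\]]*)\])?\s*$")

def parse_log(text):
    """Return one dict per request: method, xhr flag, url, host, scheme, status."""
    requests, method, xhr = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper() in METHODS:        # start of a new entry
            method, xhr = line.upper(), False
        elif line.upper() == "XHR":        # marker between method and URL
            xhr = True
        elif (m := URL_LINE.match(line)) and method:
            parts = urlsplit(m["url"])
            requests.append({"method": method, "xhr": xhr, "url": m["url"],
                             "host": parts.hostname, "scheme": parts.scheme,
                             "status": m["status"]})  # None if no [..] suffix
            method, xhr = None, False
    return requests

def summarize(requests):
    """Group by host: request count, any XHR seen, any cleartext HTTP seen."""
    out = defaultdict(lambda: {"count": 0, "xhr": False, "cleartext": False})
    for r in requests:
        s = out[r["host"]]
        s["count"] += 1
        s["xhr"] |= r["xhr"]
        s["cleartext"] |= r["scheme"] == "http"
    return dict(out)

if __name__ == "__main__":
    for host, s in sorted(summarize(parse_log(SAMPLE)).items()):
        print(f"{host:40} n={s['count']} xhr={s['xhr']} cleartext={s['cleartext']}")
```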

barbaz
Senior Member
Posts: 9788
Joined: Sat Aug 03, 2013 5:45 pm

Re: How can i stop xhr traffic?

Post by barbaz » Thu Aug 04, 2016 4:19 pm

Same story as this: viewtopic.php?f=23&t=22026

Also:
1) Blocking OCSP is leaving you vulnerable. It's there for good reason.
2) Blocking tracking protection list is leaving you, er, trackable. Isn't that something you have to explicitly opt into?
3) Blocking telemetry will mean that you can't submit browser statistics to Mozilla.
4) Blocking Firefox update means you have to manually download and install updates.

The correct way to block (2), (3), and (4) is to disable it in Firefox preferences. (1) can also be disabled but doing so is probably stupid.


EDIT And also the other xhr is requesting a gecko media plugin. Can't remember how to disable GMP downloads in Firefox preferences (I thought I did at one point?), but again, better that way than trying to use a CSRF blocker against non-forged requests.
*Always* check the changelogs BEFORE updating that important software!
-

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: How can i stop xhr traffic?

Post by Thrawn » Sat Aug 06, 2016 12:48 am

barbaz wrote:Blocking OCSP is leaving you vulnerable. It's there for good reason.

Actually, contacting OCSP servers is indeed a known tracking weakness, as well as undermining the usefulness of OCSP. OCSP stapling was invented because of the shortcomings of that approach.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux i686; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.1.1

Guest

Re: How can i stop xhr traffic?

Post by Guest » Sun Aug 07, 2016 9:52 am

Thrawn wrote:
barbaz wrote:Blocking OCSP is leaving you vulnerable. It's there for good reason.

Actually, contacting OCSP servers is indeed a known tracking weakness, as well as undermining the usefulness of OCSP. OCSP stapling was invented because of the shortcomings of that approach.


Indeed.

I stop ocsp via Privoxy. NS can't.
NS can't even stop Firefox from contacting mozilla or google URLs. Privoxy, uBlock origin, uMatrix can.
Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0

barbaz
Senior Member
Posts: 9788
Joined: Sat Aug 03, 2013 5:45 pm

Re: How can i stop xhr traffic?

Post by barbaz » Sun Aug 07, 2016 6:05 pm

Because NoScript is a security tool, not a privacy tool.
*Always* check the changelogs BEFORE updating that important software!
-
