InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

How can i stop xhr traffic?

https://forums.informaction.com/viewtopic.php?t=22059

Page 1 of 1

How can i stop xhr traffic?

Posted: Thu Aug 04, 2016 12:26 pm
by Guest
Is it possible to block (deny) traffic generated by Firefox like this:

Code: Select all

POST 
http://ocsp.digicert.com/ [HTTP/1.1 200 OK 38ms]
GET 
https://tracking-protection.cdn.mozilla.net/mozstd-track-digest256/1458772625 [HTTP/1.1 200 Connection established 85ms]
GET 
https://tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/1458772625 [HTTP/1.1 200 OK 190ms]
POST 
XHR 
https://incoming.telemetry.mozilla.org/submit/telemetry/ebc3a706-1a89-4346-8a10-67fda841f98d/main/Firefox/48.0/release/20160726073904 [HTTP/1.1 200 Connection established 425ms]
POST 
http://ocsp.digicert.com/ [HTTP/1.1 200 OK 43ms]
GET 
XHR 
https://aus5.mozilla.org/update/3/GMP/48.0/20160726073904/Linux_x86_64-gcc3/en-US/release/Linux%204.6.0-1-amd64%20(GTK%203.20.6%2Clibpulse%209.0.0)/default/default/update.xml [HTTP/1.1 200 Connection established 401ms]
POST 
http://ocsp.digicert.com/
This is xhr as you can see. I would prefer to stop it with ABE. I made this attempt and that should stop all traffic (?)

Code: Select all

Site ocsp.digicert.com
Deny
But this doesn't stop digicert.

I also recognized that websites use xhr. How can i stop that?

P.S.: I am using a standard NoScript install. No mods.
Digicert is whitelisted.
Cache is clean.
I have only Site > deny rules in my ABE user.

Re: How can i stop xhr traffic?

Posted: Thu Aug 04, 2016 4:19 pm
by barbaz
Same story as this: viewtopic.php?f=23&t=22026

Also:
1) Blocking OCSP is leaving you vulnerable. It's there for good reason.
2) Blocking tracking protection list is leaving you, er, trackable. Isn't that something you have to explicitly opt into?
3) Blocking telemetry will mean that you can't submit browser statistics to Mozilla.
4) Blocking Firefox update means you have to manually download and install updates.

The correct way to block (2), (3), and (4) is to disable it in Firefox preferences. (1) can also be disabled but doing so is probably stupid.


EDIT And also the other xhr is requesting a gecko media plugin. Can't remember how to disable GMP downloads in Firefox preferences (I thought I did at one point?), but again, better that way than trying to use a CSRF blocker against non-forged requests.

Re: How can i stop xhr traffic?

Posted: Sat Aug 06, 2016 12:48 am
by Thrawn
barbaz wrote:Blocking OCSP is leaving you vulnerable. It's there for good reason.
Actually, contacting OCSP servers is indeed a known tracking weakness, as well as undermining the usefulness of OCSP. OCSP stapling was invented because of the shortcomings of that approach.

Re: How can i stop xhr traffic?

Posted: Sun Aug 07, 2016 9:52 am
by Guest
Thrawn wrote:
barbaz wrote:Blocking OCSP is leaving you vulnerable. It's there for good reason.
Actually, contacting OCSP servers is indeed a known tracking weakness, as well as undermining the usefulness of OCSP. OCSP stapling was invented because of the shortcomings of that approach.
Indeed.

I stop ocsp via Privoxy. NS can't.
NS can't even stop Firefox from contacting mozilla or google URLs. Privoxy, uBlock origin, uMatrix can.

Re: How can i stop xhr traffic?

Posted: Sun Aug 07, 2016 6:05 pm
by barbaz
Because NoScript is a security tool, not a privacy tool.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited