CNAME Uncloaking
Posted: Wed May 27, 2020 2:11 pm
by musonius
Are there any plans to implement CNAME uncloaking like uBlock Origin since version 1.25.0?
Re: CNAME Uncloaking
Posted: Wed May 27, 2020 2:44 pm
by barbaz
Why?
Re: CNAME Uncloaking
Posted: Thu May 28, 2020 9:35 am
by musonius
At the moment, changing the preset for a domain may have effects that are very implicit and often not wanted. For example, by setting a domain to trusted you may implicitly set Eulerian, Criteo and the like to trusted as well. CNAME uncloaking would make that more visible and offer more granular control over what to allow and what not to allow.
Re: CNAME Uncloaking
Posted: Thu May 28, 2020 3:20 pm
by barbaz
musonius wrote: ↑Thu May 28, 2020 9:35 am
CNAME uncloaking would make that more visible
Good point, optional CNAME uncloaking would be useful as purely informational for the user, to help user decide what to allow and not. Especially if the Full Domains option gets re-introduced.
musonius wrote: ↑Thu May 28, 2020 9:35 am
and offer more granular control over what to allow and what not to allow.
No. NoScript would be worse off if it actually blocked/allowed based on CNAME uncloaking.
uBlock Origin has that feature for user control reasons. NoScript's permissions are domain-based already; CNAME uncloaking doesn't provide any additional control or granularity. And the feature in uBlock Origin caused my filters to break the internet. I had to disable it.
The real-world use cases I've seen for this are privacy-related. NoScript is a security tool, not a privacy tool. In terms of security, attackers compromising DNS records use IP addresses, not CNAMEs, so this won't help.
Also, in the case of NoScript, this will make it much harder to browse without having CDNs like Akamai, Cloudfront etc. always set to TRUSTED, thereby allowing more content from lots of sources and making some users' browsing less secure.
Re: CNAME Uncloaking
Posted: Thu May 28, 2020 8:19 pm
by musonius
Thanks for your insightful answer!
barbaz wrote: ↑Thu May 28, 2020 3:20 pm
Good point, optional CNAME uncloaking would be useful as purely informational for the user, to help user decide what to allow and not. Especially if the Full Domains option gets re-introduced.
I would not activate it as default because it makes things too complicated indeed. I share your experience with uBlock Origin in that regard. But I'd like to have the information and eventually be able to activate blocking domains based on CNAME uncloaking optionally. At least that's what I thought until reading and thinking through your comment.
After thinking through your answer I think you are right. Nevertheless, I'd still prefer to have more information than there is at the moment. To see what is blocked (script, media, frame, ...) certainly has the higher priority, but I'd really be interested in seeing the CNAMEs as well.
Re: CNAME Uncloaking
Posted: Fri May 29, 2020 2:54 pm
by gorhill
barbaz wrote: ↑Thu May 28, 2020 3:20 pm
uBlock Origin has that feature for privacy reasons
No, I added this feature in uBO for informed consent and control reasons. uBO is not a "privacy tool", this is reductive; uBO is a wide-spectrum content blocker whose features, and especially advanced features, have both privacy and security benefits. That someone decides to trust `liberation.fr` does not mean that trust extends to `eulerian.net` -- and this is the sort of advanced control I decided to put in users' hands; they get to decide whether they block for privacy, security or whatever other reason they choose.
Re: CNAME Uncloaking
Posted: Fri May 29, 2020 5:17 pm
by barbaz
gorhill wrote: ↑Fri May 29, 2020 2:54 pm
barbaz wrote: ↑Thu May 28, 2020 3:20 pm
uBlock Origin has that feature for privacy reasons
No, I added this feature in uBO for informed consent and control reasons.
Thanks, I edited my post to correct this.
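The informational use of CNAME uncloaking discussed in this thread (showing which party actually serves a host that a per-domain permission covers), as an added example that is not code from any participant, NoScript or uBlock Origin. The `.example` names, the record map and the function names are constructed for illustration, and `baseDomain` assumes a simple two-label registrable domain where real code would use the Public Suffix List.

```javascript
// Constructed DNS data (not real records): hostname -> CNAME target.
const CNAME_RECORDS = new Map([
  ["metrics.news.example", "news.collector.tracker.example"], // cloaked third party
  ["static.news.example", "news.edge.cdn.example"],           // ordinary CDN use
  ["news.edge.cdn.example", "a123.g.cdn.example"],
  ["loop-a.news.example", "loop-b.news.example"],             // misconfigured loop
  ["loop-b.news.example", "loop-a.news.example"],
]);

// Simplified registrable domain (assumption): the last two labels.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Follow the CNAME chain to the canonical name, bounded and loop-safe.
function uncloak(host, records = CNAME_RECORDS, maxHops = 8) {
  const chain = [host];
  const seen = new Set(chain);
  let current = host;
  for (let hops = 0; records.has(current); hops++) {
    if (hops >= maxHops) return { chain, canonical: null, error: "too many hops" };
    current = records.get(current);
    if (seen.has(current)) return { chain, canonical: null, error: "loop" };
    seen.add(current);
    chain.push(current);
  }
  return { chain, canonical: current, error: null };
}

// Report what a domain-based permission on `host` covers versus who serves it.
function describe(host, trusted) {
  const { chain, canonical, error } = uncloak(host);
  const requested = baseDomain(host);
  const servedBy = canonical ? baseDomain(canonical) : null;
  return {
    host, chain, error,
    permissionAppliesTo: requested,                       // what the user set to trusted
    servedBy,                                             // who answers after uncloaking
    cloaked: servedBy !== null && servedBy !== requested, // first-party name, other party
    servedByTrusted: servedBy !== null && trusted.has(servedBy),
  };
}

const trusted = new Set(["news.example"]);
for (const h of ["metrics.news.example", "static.news.example", "www.news.example"]) {
  console.log(describe(h, trusted));
}
```

Both the tracker-style host and the CDN-style host come back as `cloaked` with an untrusted `servedBy`, so the report alone cannot distinguish the case musonius and gorhill describe from the CDN case barbaz raises; that decision stays with the user.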