Singled out this extension for allowing sites with content-security policy (CSP) or users with noscript extensions (e.g. uMatrix) to bypass restrictions.
1. install Smart HTTPS
2. install uMatrix
3. Disable script on uMatrix

   note: steps 2 and 3 are the same as a page denying script from a certain source via Content security policy headers (CSP). But no site denies "self" for script-src to make testing convenient (you will need onError event triggering scripts loaded from another domain to see the problem with CSP)
4. visit a page that has onError on a Script that is not blocked by uMatrix, such as https://medicalxpress.com/news/2018-09-scientists-personality-based.html
What I expect: for scripts on the page to NOT run, as I blocked them.

What happens: the onError triggers a script block on the page that should not have been executed. On that page this is especially broken, since the page will try to create yet another script tag with the same onError attribute, causing CPU usage to skyrocket.

I still haven't debugged where the problem is exactly, but I can resolve it 100% by disabling this extension.
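To confirm that a page's CSP should have blocked an inline onError handler like the one in this report, the following added example (not part of the original issue or the extension's code) evaluates a Content-Security-Policy header value using the CSP Level 3 fallback order for inline event handlers. The function names and sample policies are constructed for illustration.

```javascript
// Added example: does a CSP header let arbitrary inline event handlers
// (e.g. <script onerror="...">) run? Names here are illustrative.

// Parse one serialized policy into Map<directive name, source tokens[]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicate directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Inline handlers are governed by script-src-attr, then script-src,
// then default-src (CSP Level 3 fallback order).
function handlerSourceList(directives) {
  for (const name of ["script-src-attr", "script-src", "default-src"]) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // nothing in this policy restricts inline handlers
}

function policyAllowsInlineHandlers(policy) {
  const sources = handlerSourceList(parsePolicy(policy));
  if (sources === null) return true;
  let unsafeInline = false;
  for (const raw of sources) {
    const s = raw.toLowerCase();
    // A nonce, a hash or 'strict-dynamic' makes browsers ignore
    // 'unsafe-inline', so arbitrary handlers stay blocked. (With
    // 'unsafe-hashes', only handlers matching a listed hash may run.)
    if (/^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'") return false;
    if (s === "'unsafe-inline'") unsafeInline = true;
  }
  return unsafeInline;
}

// One header value may carry several comma-separated policies;
// a handler runs only if every policy allows it.
function headerAllowsInlineHandlers(headerValue) {
  return headerValue.split(",").filter((p) => p.trim()).every(policyAllowsInlineHandlers);
}
```

If this returns `false` for the header the server sent and the handler still fires with the extension enabled, the policy the browser enforced differs from the one that was served.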