You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

633 lines
22 KiB

10 years ago
7 years ago
uMatrix - a browser extension to black/white list requests.
Copyright (C) 2014-present Raymond Hill
10 years ago
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see {}.
'use strict';
10 years ago
// Start isolation from global scope
µMatrix.webRequest = (function() {
// Intercept and filter web requests according to white and black lists.
var onBeforeRootFrameRequestHandler = function(details) {
let µm = µMatrix;
let desURL = details.url;
let desHn = µm.URI.hostnameFromURI(desURL);
let type = requestTypeNormalizer[details.type] || 'other';
let tabId = details.tabId;
10 years ago
µm.tabContextManager.push(tabId, desURL);
10 years ago
let tabContext = µm.tabContextManager.mustLookup(tabId);
let srcHn = tabContext.rootHostname;
// Disallow request as per matrix?
let blocked = µm.mustBlock(srcHn, desHn, type);
10 years ago
let pageStore = µm.pageStoreFromTabId(tabId);
pageStore.recordRequest(type, desURL, blocked);
7 years ago
pageStore.perLoadAllowedRequestCount = 0;
pageStore.perLoadBlockedRequestCount = 0;
µm.logger.writeOne({ tabId, srcHn, desHn, desURL, type, blocked });
// Not blocked
if ( !blocked ) {
let redirectURL = maybeRedirectRootFrame(desHn, desURL);
if ( redirectURL !== desURL ) {
7 years ago
return { redirectUrl: redirectURL };
10 years ago
// Blocked
let query = btoa(JSON.stringify({ url: desURL, hn: desHn, type, why: '?' }));
10 years ago
vAPI.tabs.replace(tabId, vAPI.getURL('main-blocked.html?details=') + query);
return { cancel: true };
10 years ago
7 years ago
var maybeRedirectRootFrame = function(hostname, url) {
let µm = µMatrix;
if ( µm.rawSettings.enforceEscapedFragment !== true ) { return url; }
let block1pScripts = µm.mustBlock(hostname, hostname, 'script');
let reEscapedFragment = /[?&]_escaped_fragment_=/;
if ( reEscapedFragment.test(url) ) {
return block1pScripts ? url : url.replace(reEscapedFragment, '#!') ;
if ( block1pScripts === false ) { return url; }
let pos = url.indexOf('#!');
if ( pos === -1 ) { return url; }
let separator = url.lastIndexOf('?', pos) === -1 ? '?' : '&';
return url.slice(0, pos) +
separator + '_escaped_fragment_=' +
url.slice(pos + 2);
// Intercept and filter web requests according to white and black lists.
var onBeforeRequestHandler = function(details) {
let µm = µMatrix,
µmuri = µm.URI,
desURL = details.url,
desScheme = µmuri.schemeFromURI(desURL);
if ( µmuri.isNetworkScheme(desScheme) === false ) { return; }
let type = requestTypeNormalizer[details.type] || 'other';
// Wherever the main doc comes from, create a receiver page URL: synthetize
// one if needed.
if ( type === 'doc' && details.parentFrameId === -1 ) {
return onBeforeRootFrameRequestHandler(details);
10 years ago
// Re-classify orphan HTTP requests as behind-the-scene requests. There is
// not much else which can be done, because there are URLs
// which cannot be handled by µMatrix, i.e. `opera://startpage`,
10 years ago
// as this would lead to complications with no obvious solution, like how
// to scope on unknown scheme? Etc.
let tabContext = µm.tabContextManager.mustLookup(details.tabId),
tabId = tabContext.tabId,
srcHn = tabContext.rootHostname,
desHn = µmuri.hostnameFromURI(desURL),
docURL = details.documentUrl,
specificity = 0;
if ( docURL !== undefined ) {
// Extract context from initiator for behind-the-scene requests.
if ( tabId < 0 ) {
srcHn = µmuri.hostnameFromURI(µm.normalizePageURL(0, docURL));
// Workaround of weird Firefox behavior: when a service worker exists
// for a site, the `doc` requests when loading a page from that site
// are not being made: this potentially prevents uMatrix to properly
// keep track of the context in which requests are made.
else if (
details.parentFrameId === -1 &&
docURL !== tabContext.rawURL
) {
srcHn = µmuri.hostnameFromURI(µm.normalizePageURL(0, docURL));
let blocked = µm.tMatrix.mustBlock(srcHn, desHn, type);
if ( blocked ) {
specificity = µm.tMatrix.specificityRegister;
10 years ago
10 years ago
// Record request.
// The way requests are handled now, it may happen at this point some
// processing has already been performed, and that a synthetic URL has
// been constructed for logging purpose. Use this synthetic URL if
// it is available.
let pageStore = µm.mustPageStoreFromTabId(tabId);
// Enforce strict secure connection?
if ( && µmuri.isSecureScheme(desScheme) === false ) {
pageStore.hasMixedContent = true;
if ( blocked === false ) {
blocked = µm.tMatrix.evaluateSwitchZ('https-strict', srcHn);
pageStore.recordRequest(type, desURL, blocked);
if ( µm.logger.enabled ) {
µm.logger.writeOne({ tabId, srcHn, desHn, desURL, type, blocked });
10 years ago
if ( blocked ) {
pageStore.cacheBlockedCollapsible(type, desURL, specificity);
return { 'cancel': true };
10 years ago
// Sanitize outgoing headers as per user settings.
10 years ago
var onBeforeSendHeadersHandler = function(details) {
let µm = µMatrix,
µmuri = µm.URI,
desURL = details.url,
desScheme = µmuri.schemeFromURI(desURL);
10 years ago
8 years ago
// Ignore non-network schemes
if ( µmuri.isNetworkScheme(desScheme) === false ) { return; }
10 years ago
// Re-classify orphan HTTP requests as behind-the-scene requests. There is
// not much else which can be done, because there are URLs
// which cannot be handled by HTTP Switchboard, i.e. `opera://startpage`,
// as this would lead to complications with no obvious solution, like how
// to scope on unknown scheme? Etc.
let tabId = details.tabId,
pageStore = µm.mustPageStoreFromTabId(tabId),
srcHn = pageStore.pageHostname,
desHn = µmuri.hostnameFromURI(desURL),
requestType = requestTypeNormalizer[details.type] || 'other',
requestHeaders = details.requestHeaders;
10 years ago
// Is this hyperlink auditing?
// If yes, create a synthetic URL for reporting hyperlink auditing
// in request log. This way the user is better informed of what went
// on.
// Target URL = the href of the link
// Doc URL = URL of the document containing the target URL
// Ping URLs = servers which will be told that user clicked target URL
// `Content-Type` = `text/ping` (always present)
// `Ping-To` = target URL (always present)
// `Ping-From` = doc URL
// `Referer` = doc URL
// request URL = URL which will receive the information
// With hyperlink-auditing, removing header(s) is pointless, the whole
// request must be cancelled.
let headerIndex = headerIndexFromName('ping-to', requestHeaders);
if ( headerIndex !== -1 ) {
let headerValue = requestHeaders[headerIndex].value;
if ( headerValue !== '' ) {
let blocked = µm.userSettings.processHyperlinkAuditing;
pageStore.recordRequest('other', desURL + '{Ping-To:' + headerValue + '}', blocked);
µm.logger.writeOne({ tabId, srcHn, desHn, desURL, type: 'ping', blocked });
if ( blocked ) {
µm.hyperlinkAuditingFoiledCounter += 1;
return { 'cancel': true };
// If we reach this point, request is not blocked, so what is left to do
// is to sanitize headers.
let modified = false;
// Process `Cookie` header.
10 years ago
headerIndex = headerIndexFromName('cookie', requestHeaders);
if (
headerIndex !== -1 &&
µm.mustBlock(srcHn, desHn, 'cookie')
) {
modified = true;
let headerValue = requestHeaders[headerIndex].value;
requestHeaders.splice(headerIndex, 1);
if ( requestType === 'doc' ) {
header: { name: 'COOKIE', value: headerValue },
change: -1
10 years ago
// Process `Referer` header.
10 years ago
9 years ago
// "The user agent MAY include an Origin header field in any HTTP
// "request.
// "The user agent MUST NOT include more than one Origin header field in
// "any HTTP request.
// "Whenever a user agent issues an HTTP request from a "privacy-
// "sensitive" context, the user agent MUST send the value "null" in the
// "Origin header field."
// Do not spoof `Origin` header for the time being.
// For non-GET requests, remove `Referer` header instead of spoofing it.
headerIndex = headerIndexFromName('referer', requestHeaders);
if ( headerIndex !== -1 ) {
let headerValue = requestHeaders[headerIndex].value;
if ( headerValue !== '' ) {
let toDomain = µmuri.domainFromHostname(desHn);
if ( toDomain !== '' && toDomain !== µmuri.domainFromURI(headerValue) ) {
pageStore.has3pReferrer = true;
if ( µm.tMatrix.evaluateSwitchZ('referrer-spoof', srcHn) ) {
modified = true;
let newValue;
if ( details.method === 'GET' ) {
newValue = requestHeaders[headerIndex].value =
desScheme + '://' + desHn + '/';
} else {
requestHeaders.splice(headerIndex, 1);
if ( pageStore.perLoadBlockedReferrerCount === 0 ) {
pageStore.perLoadBlockedRequestCount += 1;
header: { name: 'REFERER', value: headerValue },
change: -1
if ( newValue !== undefined ) {
header: { name: 'REFERER', value: newValue },
change: +1
pageStore.perLoadBlockedReferrerCount += 1;
7 years ago
if ( modified !== true ) { return; }
return { requestHeaders: requestHeaders };
10 years ago
// To prevent inline javascript from being executed.
// Prevent inline scripting using `Content-Security-Policy`:
// This fixes:
var onHeadersReceived = function(details) {
// Ignore schemes other than 'http...'
let µm = µMatrix,
tabId = details.tabId,
requestURL = details.url,
requestType = requestTypeNormalizer[details.type] || 'other',
headers = details.responseHeaders;
// Check if the main_frame is a download
if ( requestType === 'doc' ) {
µm.tabContextManager.push(tabId, requestURL);
let contentType = typeFromHeaders(headers);
if ( contentType !== undefined ) {
details.type = contentType;
return onBeforeRootFrameRequestHandler(details);
10 years ago
let tabContext = µm.tabContextManager.lookup(tabId);
if ( tabContext === null ) { return; }
10 years ago
let csp = [],
cspReport = [],
srcHn = tabContext.rootHostname,
desHn = µm.URI.hostnameFromURI(requestURL);
// Inline script tags.
if ( µm.mustBlock(srcHn, desHn, 'script' ) ) {
10 years ago
// Inline style tags.
if ( µm.mustBlock(srcHn, desHn, 'css' ) ) {
if ( µm.tMatrix.evaluateSwitchZ('no-workers', srcHn) ) {
} else if ( µm.rawSettings.disableCSPReportInjection === false ) {
7 years ago
if ( csp.length === 0 && cspReport.length === 0 ) { return; }
// Inject a new CSP header rather than modify an existing one, except
// if the current environment does not support merging headers:
// Firefox 58/webext and less can't merge CSP headers, so we will merge
// them here.
9 years ago
if ( csp.length !== 0 ) {
7 years ago
let cspRight = csp.join(', ');
let cspTotal = cspRight;
if ( µm.cantMergeCSPHeaders ) {
7 years ago
let i = headerIndexFromName(
if ( i !== -1 ) {
cspTotal = headers[i].value.trim() + ', ' + cspTotal;
headers.splice(i, 1);
7 years ago
name: 'Content-Security-Policy',
value: cspTotal
if ( requestType === 'doc' ) {
header: { name: 'CSP', value: cspRight },
change: +1
if ( cspReport.length !== 0 ) {
7 years ago
let cspRight = cspReport.join(', ');
let cspTotal = cspRight;
if ( µm.cantMergeCSPHeaders ) {
7 years ago
let i = headerIndexFromName(
if ( i !== -1 ) {
cspTotal = headers[i].value.trim() + ', ' + cspTotal;
headers.splice(i, 1);
7 years ago
name: 'Content-Security-Policy-Report-Only',
value: cspTotal
9 years ago
return { responseHeaders: headers };
10 years ago
7 years ago
window.addEventListener('webextFlavor', function() {
if ( vAPI.webextFlavor.soup.has('firefox') === false ) { return; }
if ( vAPI.webextFlavor.major <= 57 ) {
µMatrix.cspNoWorker =
"child-src 'none'; frame-src data: blob: *; report-uri about:blank";
if ( vAPI.webextFlavor.major <= 58 ) {
µMatrix.cantMergeCSPHeaders = true;
}, { once: true });
10 years ago
// Caller must ensure headerName is normalized to lower case.
var headerIndexFromName = function(headerName, headers) {
var i = headers.length;
while ( i-- ) {
if ( headers[i].name.toLowerCase() === headerName ) {
return i;
return -1;
// Extract request type from content headers.
let typeFromHeaders = function(headers) {
let i = headerIndexFromName('content-type', headers);
if ( i === -1 ) { return; }
let mime = headers[i].value.toLowerCase();
if ( mime.startsWith('image/') ) { return 'image'; }
if ( mime.startsWith('video/') || mime.startsWith('audio/') ) {
return 'media';
10 years ago
var requestTypeNormalizer = {
'font' : 'css',
10 years ago
'image' : 'image',
8 years ago
'imageset' : 'image',
'main_frame' : 'doc',
8 years ago
'media' : 'media',
'object' : 'media',
'other' : 'other',
'script' : 'script',
'stylesheet' : 'css',
'sub_frame' : 'frame',
'websocket' : 'xhr',
'xmlhttprequest': 'xhr'
10 years ago
10 years ago = {
extra: [ 'blocking' ],
callback: onBeforeRequestHandler
10 years ago
10 years ago = {
extra: [ 'blocking', 'requestHeaders' ],
callback: onBeforeSendHeadersHandler
10 years ago
10 years ago = {
urls: [ 'http://*/*', 'https://*/*' ],
types: [ 'main_frame', 'sub_frame' ],
10 years ago
extra: [ 'blocking', 'responseHeaders' ],
callback: onHeadersReceived
10 years ago
Use a `http-equiv` `meta` tag to enforce CSP directives for documents
which protocol is `file:` (which do not cause our webRequest.onHeadersReceived
handler to be called).
Idea borrowed from NoScript:
(function() {
if (
typeof self.browser !== 'object' ||
typeof browser.contentScripts !== 'object'
) {
let csRules = [
name: 'script',
file: '/js/contentscript-no-inline-script.js',
pending: undefined,
registered: undefined,
mustRegister: false
let csSwitches = [
name: 'no-workers',
file: '/js/contentscript-no-workers.js',
pending: undefined,
registered: undefined,
mustRegister: false
let register = function(entry) {
if ( entry.pending !== undefined ) { return; }
entry.pending = browser.contentScripts.register({
js: [ { file: entry.file } ],
matches: [ 'file:///*' ],
runAt: 'document_start'
result => {
if ( entry.mustRegister ) {
entry.registered = result;
entry.pending = undefined;
( ) => {
entry.registered = undefined;
entry.pending = undefined;
let unregister = function(entry) {
if ( entry.registered === undefined ) { return; }
entry.registered = undefined;
let handler = function(ev) {
let matrix = ev && ev.detail;
if ( matrix !== µMatrix.tMatrix ) { return; }
for ( let cs of csRules ) {
cs.mustRegister = matrix.mustBlock('file-scheme', 'file-scheme',;
if ( cs.mustRegister === (cs.registered !== undefined) ) { continue; }
if ( cs.mustRegister ) {
} else {
for ( let cs of csSwitches ) {
cs.mustRegister = matrix.evaluateSwitchZ(, 'file-scheme');
if ( cs.mustRegister === (cs.registered !== undefined) ) { continue; }
if ( cs.mustRegister ) {
} else {
window.addEventListener('matrixRulesetChange', handler);
10 years ago
var start = function() {;
10 years ago
10 years ago
return {
10 years ago
start: start
10 years ago