This repository has been archived by the owner on Sep 19, 2020. It is now read-only.

Some scripts run when disabled #56

Closed
6 of 7 tasks
FocusedFox opened this issue Sep 16, 2018 · 9 comments
Labels
duplicate This issue or pull request already exists

Comments

@FocusedFox commented Sep 16, 2018

Prerequisites

  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue
    • Your issue may already be reported.
  • This is not a support issue or a question
    • Support issues and questions are handled at /r/uMatrix
  • I tried to reproduce the issue when...
    • uMatrix is the only extension
    • uMatrix with default lists/settings
    • using a new, unmodified browser profile
  • I am running the latest version of uMatrix
  • I checked the documentation to understand that the issue I report is not a normal behavior

Description

Scripts can run in Firefox via the onerror attributes of HTML tags, even when scripts are disabled.

A specific URL where the issue occurs

No URL - local test

Steps to Reproduce

  1. Create an HTML page containing the following code:
     <script>function evil(){alert('evil')}</script>
     <img src="404.png" onerror="evil()">
  2. Disable scripts globally using uMatrix
  3. Load the HTML page
  4. Observe an alert window created by JavaScript

Supporting evidence

No evidence due to privacy concerns

Your environment

  • uMatrix version: 1.3.15b0
  • Browser Name and version: Firefox 60.2.0esr
  • Operating System and version: Debian stretch 9.5
@uBlock-user (Contributor)

> Observe an alert window created by JavaScript

That's because uMatrix blocks JavaScript by setting a CSP policy for JavaScript execution and doesn't disable it entirely; this is by-design behavior.

CSP policy can only be set for webpages, not local html files.

@uBlock-user (Contributor) commented Sep 16, 2018

@gorhill, when the "* * script block" rule is used, the CSP policy uMatrix sets for blocking JavaScript is script-src 'unsafe-eval' blob: * instead of script-src 'none'. Is there a specific reason why?

@FocusedFox (Author)

> CSP policy can only be set for webpages, not local html files.

I wasn't clear here. The issue is valid for pages on web servers.

@uBlock-user (Contributor)

> The issue is valid for pages on web servers.

Which do you mean?

@uBlock-user (Contributor) commented Sep 16, 2018

Duplicate of gorhill/uMatrix#589

See gorhill's reply - gorhill/uMatrix#589 (comment)

@uBlock-user uBlock-user marked this as a duplicate of gorhill/uMatrix#589 Sep 16, 2018
@uBlock-user uBlock-user added the duplicate This issue or pull request already exists label Sep 16, 2018
@gorhill (Member) commented Sep 16, 2018

> The issue is valid for pages on web servers.

So why not provide an actual URL -- as asked -- to such web page?

> A specific URL where the issue occurs
>
> No URL - local test

@FocusedFox (Author)

After more testing I found that I can't reproduce the bug on a clean profile (maybe I didn't realize that global settings can't be set using the GUI with the current beta version).

The issue was a result of CanvasBlocker add-on installed alongside uMatrix.

@gorhill You may want to warn people about the incompatibility.
Here is a page if you want to test the issue yourself: https://focusedfox.github.io/browser-test/umatrix-onerror.html

@gorhill (Member) commented Sep 16, 2018

The issue is a Firefox bug which is broader than just with CanvasBlocker specifically. See https://bugzilla.mozilla.org/show_bug.cgi?id=1477696.

@theWalkingDuck

CanvasBlocker uses CSP only for blocking data URIs.
Disable blocking data URIs in CanvasBlocker and you can use it together with uMatrix.

CanvasBlocker settings:

  • check "Expert mode"
  • under "Misc", uncheck "Block data URL pages"
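The thread turns on two points: uMatrix's block rule is delivered as the CSP header script-src 'unsafe-eval' blob: * (uBlock-user's question above), and a second extension that also sets a CSP header can interfere with it (the CanvasBlocker incompatibility and the Firefox bug gorhill links). The evaluator below is an added example, not code from uMatrix, CanvasBlocker or Firefox. It implements enough of the CSP3 script-src matching rules to show why that header still blocks an inline onerror handler (there is no 'unsafe-inline' in it) and what the reporter saw if the browser let a second extension's header replace the first instead of enforcing both, which is an assumption made here to model the incompatibility, not something the thread states. The second extension's header (frame-src 'self'), the page origin and the sample script URLs are constructed for the example; nonces and hashes are not modelled.

```javascript
// Added example (not uMatrix's, CanvasBlocker's or Firefox's code): a minimal
// evaluator for the CSP script-src directive, used to show (1) why
// "script-src 'unsafe-eval' blob: *" still blocks an inline onerror handler and
// (2) what happens when a second extension's header replaces it instead of
// being enforced alongside it (an assumption used to model the incompatibility).

const UMATRIX_BLOCK_POLICY = "script-src 'unsafe-eval' blob: *"; // header quoted in the thread
// Hypothetical header of a second extension that does not touch script-src at all.
const OTHER_EXT_POLICY = "frame-src 'self'";
const PAGE_ORIGIN = 'https://focusedfox.github.io';              // origin of the test page

// Parse "dir v1 v2; dir2 v3" into { dir: ['v1', 'v2'], dir2: ['v3'] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name] = sources;
  }
  return directives;
}

// Does one source expression match the URL of an external script? Covers the
// CSP3 cases that matter here: 'none', 'self', *, scheme-source, host-source.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (expr === "'self'") return u.origin === pageOrigin;
  if (expr.startsWith("'")) return false;        // 'none' and other keywords never match a URL
  // "*" matches any URL except data:, blob: and filesystem: ones; those schemes
  // must be listed explicitly, which is why "blob:" sits next to "*" above.
  if (expr === '*') return !['data', 'blob', 'filesystem'].includes(scheme);
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return scheme === expr.slice(0, -1); // scheme-source
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;                          // not a host-source we understand
  const [, exScheme, wildcard, host, port] = m;
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1);
  if (exScheme ? exScheme !== scheme : (scheme !== pageScheme && scheme !== 'https')) return false;
  if (wildcard ? !u.hostname.endsWith('.' + host) : u.hostname !== host) return false;
  const urlPort = u.port || { http: '80', https: '443' }[scheme] || '';
  return !port || port === '*' || port === urlPort;
}

// Decide whether one parsed policy allows a script "request". kind is one of
// 'inline-handler', 'inline-script', 'eval', 'external'. Nonces and hashes are
// not modelled: without them, inline script and handlers need 'unsafe-inline'.
function policyAllows(directives, req, pageOrigin) {
  const sources = 'script-src' in directives ? directives['script-src'] : directives['default-src'];
  if (sources === undefined) return true;        // this policy does not restrict scripts
  switch (req.kind) {
    case 'inline-handler':
    case 'inline-script':
      return sources.includes("'unsafe-inline'");
    case 'eval':
      return sources.includes("'unsafe-eval'");
    case 'external':
      return sources.some((s) => sourceMatches(s, req.url, pageOrigin));
    default:
      throw new Error('unknown request kind: ' + req.kind);
  }
}

// CSP requires that when several policies are delivered, every one of them allows the load.
function allowedByAll(headers, req, pageOrigin = PAGE_ORIGIN) {
  return headers.map(parsePolicy).every((d) => policyAllows(d, req, pageOrigin));
}

// Constructed sample requests: the reproduction page's onerror="evil()" plus a few others.
const REQUESTS = {
  onerrorHandler: { kind: 'inline-handler' },
  inlineScript:   { kind: 'inline-script' },
  evalCall:       { kind: 'eval' },
  cdnScript:      { kind: 'external', url: 'https://cdn.example/app.js' },
  blobScript:     { kind: 'external', url: 'blob:https://focusedfox.github.io/0123' },
  dataScript:     { kind: 'external', url: 'data:text/javascript,alert(1)' },
};

// Evaluate every sample request against a list of CSP headers; returns { name: allowed }.
function evaluate(headers) {
  const result = {};
  for (const [name, req] of Object.entries(REQUESTS)) result[name] = allowedByAll(headers, req);
  return result;
}

console.log('uMatrix alone:       ', evaluate([UMATRIX_BLOCK_POLICY]));
console.log('both headers kept:   ', evaluate([UMATRIX_BLOCK_POLICY, OTHER_EXT_POLICY]));
console.log('second replaces first:', evaluate([OTHER_EXT_POLICY]));
```

With uMatrix's header alone, or with both headers enforced, the onerror handler, the inline script block and the data: script are blocked while eval and blob: scripts are allowed, which matches uBlock-user's description of the rule. With only the second extension's header in effect there is no script-src at all, so every sample request is allowed and the reporter's alert fires even though uMatrix believes scripts are blocked. The same evaluator shows that script-src 'none' would also block eval and blob:, which is the difference uBlock-user asked gorhill about.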

4 participants