mirror of https://github.com/gorhill/uMatrix.git synced 2024-06-02 18:34:52 +12:00

Updated Per scope switches (markdown)

gorhill 2014-11-22 03:59:30 -08:00
parent 108520be7c
commit b12cf9a657

@ -34,8 +34,6 @@ Also, notice that now I use the term "spoofing". Whereas before the referrer str
### Strict HTTPS
**Edit 2014-11-21:** After I updated to Chromium 38 yesterday, I just found out that now apparently Chromium forbids mixed content by default. When there is mixed content on a web page, a little shield icon will appear in the address bar, and a user may click on it to load the content which was forbidden from loading natively by the browser. However, as [investigated by a user](https://github.com/gorhill/uMatrix/issues/67), this applies **only** to request of type `script`.
First, if you are not familiar with what is "mixed content", here are some places to learn more about it:
- [Mozilla Developer Network: Mixed Content](https://developer.mozilla.org/en-US/docs/Security/MixedContent)
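Review bot: The scope of the browser's blocking changes wording with this move. The "Edit 2014-11-21" paragraph under "### Strict HTTPS" says the restriction applies "**only** to request of type `script`", while the text that takes its place further down says it "does not apply to image, video and audio resources". These are not the same claim: request types such as stylesheets or frames are allowed under the first wording and blocked under the second. The page should state which of the two issue #67 actually established, rather than silently switching from one to the other.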
@ -46,6 +44,8 @@ When the _"Strict HTTPS"_ switch is turned on, mixed content will be forbidden.
_"Strict HTTPS"_ is more then to just protect MITM attack. Without _"Strict HTTPS"_, data-mining by 3rd-parties can still occur, as evil ISPs like Verizon et al. could still inject tagging information in the HTTP headers of outgoing net requests which are not done through encrypted connections.
After I updated to Chromium 38 on 2014-11-21, I found out that Chromium 38 forbids mixed content by default. When there is mixed content on a web page, a little shield icon will appear in the address bar, and a user may click on it to load the content which was forbidden from loading natively by the browser. However, as [investigated by a user](https://github.com/gorhill/uMatrix/issues/67), this does not apply to image, video and audio resources.
To witness _"Strict HTTPS"_ at work, visit the encrypted version of Wired's [Threat Post](https://threatpost.com/), which suffers (at time of writing, 2014-11) from mixed content:
![Mixed content foiled](https://raw.githubusercontent.com/gorhill/uMatrix/master/doc/img/strict-https-at-work.png)
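Review bot: In the "After I updated to Chromium 38 on 2014-11-21" paragraph, "Chromium 38 forbids mixed content by default" is contradicted by the paragraph's own last sentence, which exempts image, video and audio resources. Suggest "forbids some mixed content by default", followed by a sentence saying whether the _"Strict HTTPS"_ switch also covers those exempt types, since the paragraph now sits in the middle of the argument for the switch and the reader is left to guess what the switch adds over the browser default. While this block is being edited, the neighbouring line "more then to just protect MITM attack" could be corrected to "more than just protection against MITM attacks".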