LocalCDN still useful in FPI/dFPI mode? #732

Closed
opened 10 months ago by bdzbzbbdgf · 7 comments

Hi, according to arkenfox's [wiki](https://github.com/arkenfox/user.js/wiki/4.1-Extensions#small_orange_diamond-dont-bother)

> * Decentraleyes, LocalCDN
>   * Third parties are already isolated if you use FPI/dFPI. [...]

Is this correct and one doesn't need to use LocalCDN in FPI/dFPI mode?

nobody added the question/discussion label 10 months ago

Owner

Hi, good question 👍

From my point of view, it makes sense and you should use both. The reason is that they are two different things. FPI and dFPI isolate external resources on the client side. But it doesn't prevent anything that happens on the server side and it doesn't prevent the request itself.

You can use both together and in cases where LocalCDN can't work (e.g. [SOP](https://codeberg.org/nobody/LocalCDN/wiki#7-1-sop)), you have (d)FPI as a kind of fallback.

Additionally: The fact that many websites use external scripts makes these CDNs a highly potential target for attacks. There has been a case where a malicious script was injected into the CDN system (July 2021 - [www.bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/critical-cloudflare-cdn-flaw-allowed-compromise-of-12-percent-of-all-sites/)).

Ok, if using FPI/dFPI doesn't prevent the server side call/(or rather "home calls"), then arkenfox's wiki should be more precise and LocalCDN is not `Don't Bother...`.
The security aspect if a CDN is hacked is a nice side effect.

Regarding SOP, is there a way to have automatically a popup/messagebox appear when a `Cross-Origin Request Blocked: The Same Origin ...` error appears in the console log, so one knows instantly that a website isn't working correctly? Otherwise one has to look consciously at the console log all the time when visiting a website to see for errors.

Owner

> Ok, if using FPI/dFPI doesn't prevent the server side call/(or rather "home calls"), then arkenfox's wiki should be more precise and LocalCDN is not Don't Bother....

Yes, I think so too. On the other hand, I wouldn't recommend this extension to everyone, because a user should know what's going on.

> Regarding SOP, is there a way to have automatically a popup/messagebox appear when a Cross-Origin Request Blocked: The Same Origin ... error appears in the console log, so one knows instantly that a website isn't working correctly?

Unfortunately not, because this is a security feature and as far as I know isn't triggered by the browser tab but by the browser itself. As far as I know, an extension doesn't have access to that.

The SOP problems should be rare by now because there was a great change in Firefox 89.0a1 (see [#369](https://codeberg.org/nobody/LocalCDN/issues/369)). Personally, I haven't had any SOP errors for a long time, but that doesn't have to be true for everyone because browsing behavior is extremely individual.

Was following https://bugzilla.mozilla.org/show_bug.cgi?id=1419459, but I see there's https://bugzilla.mozilla.org/show_bug.cgi?id=1694679, which indeed is great.

I think I'm going to open an [issue](https://github.com/arkenfox/user.js/issues) regarding their `Third parties are already isolated if you use FPI/dFPI` statement, because the main purpose of LocalCDN is to prevent calls to certain CDN servers (if the CDN is in the mappings file) and keeping calls local, which FPI/dFPI does not do.

Owner

Feel free to do that 👍

Maybe the already existing Issues are helpful:

https://github.com/arkenfox/user.js/issues?q=is%3Aissue+localcdn

Nothing under the already existing issues, but thanks for the suggestion.

Conclusion: Their wiki is completely incorrect on this issue (can you believe it, so many stars there, but can't get their wiki right. Who knows what else isn't right, say, their main one, `user.js`).

I'm closing this issue as it's clear now and FPI/dFPI doesn't prevent CDN connections, but LocalCDN does (only to those CDNs, who are in the [mappings](https://codeberg.org/nobody/LocalCDN/src/branch/main/core/mappings.js) file (mentioning this one extra, because some people may think that it covers all CDNs)).

Thanks again.

bdzbzbbdgf closed this issue 10 months ago
Owner

Thanks for trying to correct this. I've read the wiki and the issues. They recommend to use uBlock in hard mode (Enumerating Goodness) and allow the CDN connections manually and individually. In the issue he writes:

> Third parties, CDN or not, are a potential tracking/linking vector.

That's contradictory in my opinion.

Anyway, there will always be people who think that one is better than the other. Extensions are a sensitive topic (similar to browsers, operating systems or systemd). There will never be a perfect way and the user must find the best possible solution for himself and for his individual case.
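
The distinction this thread settles on (partitioning by top-level site does not stop the request, while local replacement does, but only for resources in the mappings), sketched as an added example that is not part of the thread and is not LocalCDN's or Firefox's code. It is a simplified model: the `MAPPINGS` entry, the host names and the `simulate` function are constructed for illustration.

```javascript
// Simplified model, constructed for illustration (not LocalCDN or Firefox code).
// MAPPINGS is a hypothetical stand-in for an extension's list of known CDN files.
const MAPPINGS = new Map([
  ['cdn.example/libs/jquery/3.6.0/jquery.min.js',
   'resources/jquery/3.6.0/jquery.min.js'],
]);

function simulate(pageLoads, { localReplacement }) {
  const partitionedCache = new Set(); // key: top-level site + resource URL
  const networkRequests = [];         // what the third-party host gets to see
  const servedLocally = [];           // answered from bundled files, no request

  for (const { topSite, resource } of pageLoads) {
    const url = new URL(resource);
    const mapKey = url.host + url.pathname;

    // Local replacement: a mapped resource never leaves the browser.
    if (localReplacement && MAPPINGS.has(mapKey)) {
      servedLocally.push({ topSite, file: MAPPINGS.get(mapKey) });
      continue;
    }

    // Partitioning: a cached copy is reused only within the same top-level
    // site, so another site loading the same URL still contacts the host.
    const cacheKey = `${topSite}|${url.href}`;
    if (partitionedCache.has(cacheKey)) continue;
    partitionedCache.add(cacheKey);
    networkRequests.push({ topSite, host: url.host, path: url.pathname });
  }
  return { networkRequests, servedLocally };
}

// Constructed sample: two sites embed the same mapped library (one of them
// twice), and one site embeds a script from a host that is not in MAPPINGS.
const JQUERY = 'https://cdn.example/libs/jquery/3.6.0/jquery.min.js';
const LOADS = [
  { topSite: 'news.example', resource: JQUERY },
  { topSite: 'shop.example', resource: JQUERY },
  { topSite: 'news.example', resource: JQUERY },
  { topSite: 'shop.example', resource: 'https://other-cdn.example/widget.js' },
];

const isolationOnly = simulate(LOADS, { localReplacement: false });
const withLocalCopies = simulate(LOADS, { localReplacement: true });
console.log('isolation only:', isolationOnly.networkRequests);
console.log('with local copies:', withLocalCopies.networkRequests);
```

With isolation alone the mapped CDN host is still contacted once per top-level site; with local copies only the unmapped host is contacted.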