show number of blocked resources on toolbar icon
hraban opened this issue · 2 comments
hraban commented
E.g. like uBlock Origin.
hraban commented
This is never expected to happen: blocked resources imply either misconfiguration or an actual prevented XSS attack. Both are not good and unexpected. Unlike for example an adblocker doing its job, outbound-rules blocking anything is not actually a good situation to be in.
hraban commented
To elaborate on that previous comment: the following will happen when a resource is blocked:
- the site won't work
- if it's a user of the site, not the developer, they will spend ages trying to figure out what happened,
- if they do realize it's the plugin's fault, they will blame the plugin for breaking the site, not for protecting them
- they will actually probably be right. I wager >99% of breakage will be misconfiguration
- if they get used to the fact they can't easily tell if the plugin is breaking things or not, they will get used to blaming random breakage on the plugin,
- if it's the developer of the site, they will think of a million things to check before realizing the cause of breakage is this plugin. I made the bloody thing and I forget it myself.
- everyone will hate the plugin when it works.
To remedy this, it must be very clear:
To users:
- that the plugin is protecting them from a potential attack,
- that if anything doesn't work, it might be the plugin (to reduce the amount of frustration that might later be blamed on the plugin when they realize that COULD be it, regardless of whether it's true---reality doesn't matter, only perception of reality does),
- that they can turn the plugin off (but that they shouldn't (but they can (but they really shouldn't (but it's a plugin, not a cop, you're a grown person, you can do it (but please please don't)))))
- that the plugin is doing its job, it's the configuration of the site that's broken. Or it's an actual attack (which, if you think about it, is also an instance of a broken site :) ). Either way they should let the owner of the site know, somehow. If they can. It's important.
To developers:
- that the plugin is blocking something (this rarely happens so you quickly forget about it)
- that it might be an attack
- what resources the plugin is blocking
- what the outbound-rules header is for this site
- what it should be if this resource is trusted
Finally, it must be very very clear to both parties when the plugin is not blocking anything. So if something is broken, they can immediately rule out the plugin.
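A sketch of the per-tab counter behind such a badge, as an added example that is not code from the outbound-rules project: the `noteBlocked` hook and the header string are assumptions, while `chrome.action`, `chrome.webNavigation` and `chrome.tabs` are the Manifest V3 extension APIs.

```javascript
// Added example, not the outbound-rules project's code. Assumes the extension's
// filter calls noteBlocked() on every block; chrome.* names are real MV3 APIs.
class BlockTally {
  constructor() {
    this.byTab = new Map(); // tabId -> { header, blocked: [url, ...] }
  }
  // Record one blocked resource (header = the site's outbound-rules header
  // value, if the filter knows it); returns the tab's new count.
  recordBlock(tabId, url, header) {
    const entry = this.byTab.get(tabId) || { header: null, blocked: [] };
    entry.blocked.push(url);
    if (header !== undefined) entry.header = header;
    this.byTab.set(tabId, entry);
    return entry.blocked.length;
  }
  // A top-level navigation is a new document: a count carried over from the
  // previous page would wrongly blame the plugin, so start again at zero.
  reset(tabId) {
    this.byTab.set(tabId, { header: null, blocked: [] });
  }
  // Blank when nothing is blocked, so an empty badge reliably means "not us".
  badgeText(tabId) {
    const entry = this.byTab.get(tabId);
    return entry && entry.blocked.length ? String(entry.blocked.length) : '';
  }
  // What the popup shows a developer: blocked URLs plus the header in effect.
  report(tabId) {
    const entry = this.byTab.get(tabId) || { header: null, blocked: [] };
    return { header: entry.header, blocked: [...entry.blocked] };
  }
}

const tally = new BlockTally();
const inExtension = typeof chrome !== 'undefined' && !!chrome.action;

// Hypothetical hook the filtering code calls whenever it blocks a request.
function noteBlocked(tabId, url, header) {
  const n = tally.recordBlock(tabId, url, header);
  if (inExtension) chrome.action.setBadgeText({ tabId, text: tally.badgeText(tabId) });
  return n;
}

if (inExtension) {
  chrome.webNavigation.onCommitted.addListener(({ tabId, frameId }) => {
    if (frameId !== 0) return; // subframe loads keep the running tally
    tally.reset(tabId);
    chrome.action.setBadgeText({ tabId, text: '' });
  });
  chrome.tabs.onRemoved.addListener((tabId) => tally.byTab.delete(tabId));
}
```

Outside a browser the `chrome` guard is false, so the tally logic can be exercised on its own; inside the extension the badge is repainted on every block and cleared on each main-frame navigation.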