Codesandbox.io does not work with uMatrix & Firefox

Question

Codesandbox.io does not work with uMatrix & Firefox

bennettdams opened this issue 5 years ago · 10 comments

Prerequisites

I performed a cursory search of the issue tracker to avoid opening a duplicate issue
- Your issue may already be reported.
- I also searched the existing issues at https://github.com/gorhill/uMatrix/issues
This is not a support issue or a question
- Support issues and questions are handled at /r/uMatrix
I tried to reproduce the issue when...
- uMatrix is the only extension
- uMatrix with default lists/settings
- using a new, unmodified browser profile
I am running the latest version of uMatrix
I checked the documentation to understand that the issue I report is not a normal behavior
I used the logger to rule out that the issue is caused by my ruleset

Description

uMatrix prevents Codesandbox in Firefox from working.
Even disabling all rules via the extension does not help.
Only disabling uMatrix itself via Firefox makes Codesandbox work again.

A specific URL where the issue occurs

https://codesandbox.io
https://codesandbox.io/s/happy-worker-43fgl?file=/src/App.js

Steps to Reproduce

Go to provided link with uMatrix extension disabled via Firefox
You can see the application in the sandbox is working
Enable uMatrix extension via Firefox
Go to provided link again
Change something in the code (e. g. replace <h1>uMatrix Test</h1> with something else)
Save (CTRL + S)
Reload the page
Even with ALL rules disabled (including spoofing etc.), the application in the sandbox will not work (only a white screen where the application is supposed to be)

Ruleset

Even happens when all rules are disabled.

Supporting evidence

NOT working -> disabled all rules in the extension

WORKING -> disabled uMatrix via Firefox

Some console errors from Codesandbox, but you better check them yourself:

Your environment

uMatrix version: 1.4.0
Browser Name and version: Firefox 76.0 (64-bit)
Operating System and version: Windows 10 - 1909 - 64-bit

Answer 1 · 2020-05-06T21:34:38.000Z

Open the logger, set the page selector to behind-the-scene/tabless, does it block anything ?

Also can you reproduce this in the dev build ?

Answer 2 · 2020-05-06T21:51:05.000Z

I could make the demo work with these rules:

43fgl.csb.app codesandbox.io * allow
43fgl.csb.app jsdelivr.com * allow
43fgl.csb.app jsdelivr.net * allow
codesandbox.io csb.app * allow
codesandbox.io csb.app frame allow
codesandbox.io csbops.io * allow

There is a worker involved here and thus it was necessary to use the logger to find out what was blocked behind the scene.

You didn't check the box " I used the logger to rule out that the issue is caused by my ruleset". Why?

Answer 3 · 2020-05-06T21:54:18.000Z

I can't reproduce it even with all blocked rules on dev build.

Answer 4 · 2020-05-06T21:54:55.000Z

I don't know what to read out of the logger to be honest.

Your rules may work for this sandbox, but the 43fgl.csb.app is the "dynamic" part of the sandbox and will be different for every sandbox, so it won't work in the future.

Answer 5 · 2020-05-06T22:00:23.000Z

so it won't work in the future

I do warn on the front page of the project:

Regarding broken sites

uMatrix does not guarantee that sites will work fine: it is for advanced users who can figure how to un-break sites, because essentially uMatrix is a firewall which works in relaxed block-all/allow-exceptionally mode out of the box: it is not unexpected that sites will break.

So this means do not file issues to report broken sites when the sites are broken because uMatrix does its job as expected. I will close any such issue without further comment.

Using uMatrix logger is key to un-break sites: the logger will show you all that uMatrix does internally.

So if you want sites to work out of the box, uMatrix is not for you.

Answer 6 · 2020-05-06T22:13:20.000Z

Thanks @gorhill, got it working with
csb.app codesandbox.io * allow.
Just codesandbox.io csb.app * allow was not enough.
Didn't know the order matters, no way to see that with the extension UI.

Answer 7 · 2020-05-06T22:17:57.000Z

Didn't know the order matters

https://github.com/gorhill/uMatrix/wiki/The-popup-panel:

Preamble: The core of uMatrix is the sum of all your rules -- i.e. your ruleset. All rules are of the form:
source destination type action

Answer 8 · 2020-05-06T23:36:20.000Z

By the way, if you are still willing to use uMatrix, there are improvements in the current dev build which makes it easier to create rules from the logger.

Answer 9 · 2020-05-06T23:55:44.000Z

Of course I am! I'm using uMatrix for 2 years now, but this was the first time I actually needed to add a rule manually like this.

Before that I always used the popup panel. In this particular case, the popup panel did not show what was blocked. Even disabling "matrix filtering" via the popup panel didn't help.

The xhr from 43fgl.csb.app were green in the popup panel, but red in the logger:

I don't know why this is not shown in the popup panel, but now I'm aware of the logger feature for the next time.

Answer 10 · 2020-05-07T00:02:17.000Z

I don't know why this is not shown in the popup panel

The popup panel's scope is codesandbox.io, the request that is blocked occurs in the 43fgl.csb.app scope, so it can't be reported in the codesandbox.io scope. But the logger lets you lookup whatever scope from which a request is fired, while the popup panel shows you only the scope of the current page.

Those requests fired from within scope other than that of the current page occurs typically when workers are in use.