This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

Some sites' JavaScript still blocked when turning off all filtering due to Content-Security-Policy (Firefox) #893

Open
tmsbrg opened this issue Dec 22, 2017 · 8 comments

Comments

@tmsbrg

tmsbrg commented Dec 22, 2017

Firefox versions:
Firefox 57.0.1
Firefox nightly 58.0b12

Reproduce:

  1. Start Firefox with uMatrix enabled
  2. Go to https://www.thezdi.com/blog/2017/12/20/invariantly-exploitable-input-an-apple-safari-bug-worth-revisiting (for example)
  3. Use uMatrix UI to "disable matrix filtering for this scope"
  4. Reload the page
  5. (Also: Note that no resources are being blocked in the uMatrix log)

Expected result:

  • Images on the page will load just as if uMatrix were disabled (images are loaded in through JavaScript)

Actual result:

  • Images on page will not load and console is full of errors about Content-Security-Policy blocking certain resources, even though page sets no CSP headers

Screenshots:
1513975310
thezdi com

I've also seen this for some other websites (notably https://www.gog.com/game/spacechem but for some reason here it only seems to trigger on Firefox 57.0.1, not nightly)

Another note, when restarting with Firefox addons disabled this CSP seems to stay active until cache is cleared (confusingly this issue ONLY happens when "restarting with addons disabled" from the help menu, not when simply disabling or removing uMatrix from about:addons. Might be a Firefox bug)

On #firefox IRC I heard that NoScript had a similar issue with setting its own CSP on sites. Also someone was able to reproduce this issue on both Firefox versions.

This issue was also reported by another user on Reddit: https://www.reddit.com/r/uMatrix/comments/7k2hvc/content_security_policy_stops_website_working/ who also noticed the CSP staying when uMatrix is disabled in some cases

@gorhill
Owner

gorhill commented Dec 22, 2017

Force a reload using the shift key please, to bypass browser cache.

@tmsbrg
Author

tmsbrg commented Dec 23, 2017

I was afraid there'd be something stupid I'm missing. Shift+reload fixes the issue. It's somewhat confusing with Firefox shortcuts as I tried shift+f5 but it didn't do anything. Apparently a full reload in Firefox is ctrl+shift+r.

So this is a bit of a combination of things that confused me into not finding the simple caching issue. I was genuinely stumped though, not knowing what to do to fix these sites. At first I thought it was an actual CSP problem, especially when "restart with addons disabled" and refreshing did not work. Oh well, too bad. At least now I know what to look for when this happens.

@tmsbrg tmsbrg closed this as completed Dec 23, 2017
@gorhill
Owner

gorhill commented Dec 23, 2017

On my side Shift-F5 is enough, or to be sure, Shift-click uMatrix's own reload button in the popup panel.

Bugzilla entry for issue here: https://bugzilla.mozilla.org/show_bug.cgi?id=1376932

@Remu-rin

It's somewhat confusing with Firefox shortcuts as I tried shift+f5 but it didn't do anything. Apparently a full reload in Firefox is ctrl+shift+r.

And also ctrl+F5 if you like.
Normal reload: ctrl+R or F5
Reload without cache: ctrl+shift+R or ctrl+F5

@gorhill
Owner

gorhill commented Dec 23, 2017

Actually, I see the bugzilla issue has a workaround in it, and I think I will consider implementing it.

@gorhill gorhill reopened this Dec 23, 2017
@TriMoon

TriMoon commented Dec 23, 2017

Just confirming I don't have any issues when visiting the link in OP using FF-Nightly 59.0a1 (20171223100103)

@ssokolow

I'm experiencing what may be the same issue in Firefox Developer Edition 59.0b11.

I haven't had time to verify in detail but it seems that, every time I enable scripting for a page, the Reload button has no effect unless I force a cache bypass.

@TurboDuke77

Problem persists in Firefox 59.0.2 and uMatrix 1.3.4

I have all scripts blocked by default and the release changes on the calibre site are not displayed, because I blocked scripts:
https://calibre-ebook.com/whats-new

If I deactivate uMatrix and reload, scripts are still blocked!
I need to shift reload in uMatrix to fix the reload problem.
