This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

Irregular requests to a blocked site #713

Open
cernekj opened this issue Feb 20, 2017 · 10 comments

Comments

cernekj commented Feb 20, 2017

When I do an action like "go backwards" or "reload current page", then uMatrix doesn't work (irregularly). I have not been able to figure it out for a couple of months, but it happens. I see in my outgoing network connections log (firewall) that Firefox makes requests to sites blocked in uMatrix. Usually it is google-analytics.com, googletagmanager.com etc.
Sadly I can't define and describe it properly here, like a proper bug report. But it is something for the developers to look at and give attention to, because it is a data leak.

How to reproduce it:

  1. create a general domain blocking rule, e.g. google-analytics.com
  2. use an application firewall, HTTP proxy etc. with logging enabled
  3. browse web sites as usual
  4. from time to time (just a few times daily in my case), there will be a request to a blocked site in the log...

Tech. info:
I use uMatrix 0.9.3.6 with referrer and UA spoof.
And Firefox 45 with JavaScript: enabled; Cookies: enabled; Java: disabled; Plugins: none; Extensions: many, but tested as unrelated to the problem; Cache: enabled.

Owner

gorhill commented Feb 20, 2017

You will need to make a much better report, it's lacking the "make the case" part -- and lacking a whole lot of details, like all the settings in uMatrix. It's also lacking all the "ruling out" steps. Did you rule out that the network requests were made by other extensions? Did you rule out the network requests were from behind-the-scene (for which matrix filtering is not enabled by default)? Etc.

Make the case -- this forces people to challenge their own conclusions before opening an invalid issue.

Author

cernekj commented Feb 20, 2017

So, as I wrote, Firefox extensions are unrelated (all disabled except uMatrix).

uMatrix rules:

matrix-off: about-scheme true
matrix-off: behind-the-scene true
matrix-off: chrome-extension-scheme true
matrix-off: chrome-scheme true
matrix-off: localhost true
matrix-off: opera-scheme true
* 1st-party * allow

Site with quite unique blocked contents to test:

  1. open www.lidl.cz -> no requests to 3rd-party sites (browser-update.org and googletagmanager.com); in the uMatrix logger you can see the blocked scripts of the 3rd-party sites.
  2. click on some link (stay on the same site) -> no requests to 3rd parties, in the logger still shown as red.
  3. click the back button in Firefox -> it will request the browser-update.org and googletagmanager.com sites, in the logger still shown as red.

Tested on different operating systems.

Author

cernekj commented Feb 20, 2017

And sorry, but I have no idea what "behind-the-scene" requests mean...

gorhill reopened this Feb 20, 2017

Owner

gorhill commented Feb 20, 2017

I followed your steps 1-3 above, and I could see browser-update.org and googletagmanager.com in wireshark. However I decided to repeat to be sure I did not forget anything, and now I can't reproduce again.

If you have other sites with similar steps, that would help.

Author

cernekj commented Feb 20, 2017

It's tricky, I know :-) I was not sure about the bug for months. So I didn't file it earlier.
Sorry, I don't have more sites for now. On lidl.cz it just happens more often, but not always. On other sites never, etc.
I will let you know if I find another "good" site.

The more people watch it, the better the chance of finding it, so people, please...

Owner

gorhill commented Feb 20, 2017

I could reproduce other instances. Typical output from wireshark:

10591   9.693043000  localhost => www-googletagmanager.l.google.com  TCP 74 39775 > http [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1237539 TSecr=0 WS=128
10594   9.694512000  localhost => browser-update.org                 TCP 74 39741 > http [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1237540 TSecr=0 WS=128
10629   9.760605000  browser-update.org => localhost                 TCP 66 http > 39741 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=1024
10630   9.760633000  localhost => browser-update.org                 TCP 54 39741 > http [ACK] Seq=1 Ack=1 Win=29312 Len=0
10645   9.779102000  www-googletagmanager.l.google.com => localhost  TCP 74 http > 39775 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1430 SACK_PERM=1 TSval=2060224099 TSecr=1237539 WS=128
10646   9.779126000  localhost => www-googletagmanager.l.google.com  TCP 66 39775 > http [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1237561 TSecr=2060224099
14398  14.761331000  localhost => browser-update.org                 TCP 54 39741 > http [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0
14414  14.779743000  browser-update.org => localhost                 TCP 54 http > 39741 [FIN, ACK] Seq=1 Ack=2 Win=29696 Len=0
14415  14.779767000  localhost => browser-update.org                 TCP 54 39741 > http [ACK] Seq=2 Ack=2 Win=29312 Len=0
14512  15.761213000  localhost => www-googletagmanager.l.google.com  TCP 66 39775 > http [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1239056 TSecr=2060224099

I did check that network.dns.disablePrefetch is set to true and network.prefetch-next is set to false in about:config.

I further tested and I could reproduce instances while the dev console for the page was opened with the Network tab in "Persistent log" mode, and this points toward a Firefox issue: while wireshark was showing the above, there were no matching instances of connections reported in the Network pane by Firefox. I also tried with the browser console, and same result.

In summary, Firefox appears to be establishing connections to these servers without going through its extensions API, or despite the network requests having been cancelled through the extensions API. It also appears to maybe be related to in-memory browser cache -- not sure though.
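
An added example (not part of the thread, and not uMatrix or Firefox code): it reads summary lines in the layout of the capture above and reports, for each connection the client opened to a watched host, how many payload bytes the client sent before closing, which separates a bare TCP handshake from a connection that carried a request. The function name, the `WATCHED` set and the `tracker.example` flows are assumptions made for the illustration.

```python
import re

# Summary-line layout used in the capture above:
#   No.  Time  Src => Dst  TCP  Len  sport > dport [FLAGS] Seq=N ... Len=N
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+) => (?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\S+) > \S+ \[(?P<flags>[^\]]+)\] Seq=(?P<seq>\d+)"
    r"(?:.*?\bLen=(?P<len>\d+))?"
)

def client_payload_bytes(lines, watched, client="localhost"):
    """Return {(server, client_port): payload bytes the client sent}.

    The value is None while no client FIN has been seen for that connection.
    Assumes Wireshark's default relative sequence numbers (SYN has Seq=0).
    """
    flows = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["src"] != client or m["dst"] not in watched:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        key = (m["dst"], m["sport"])
        if flags == {"SYN"}:
            flows[key] = None  # connection opened by the client
        elif "FIN" in flags and key in flows:
            # After the handshake the client's relative Seq is 1, so its FIN
            # arrives at Seq = 1 + bytes already sent (plus any bytes it carries).
            flows[key] = int(m["seq"]) - 1 + int(m["len"] or 0)
    return flows

# Names as Wireshark displayed them in the capture; tracker.example is constructed.
WATCHED = {"browser-update.org", "www-googletagmanager.l.google.com", "tracker.example"}

# First four lines come from the capture above; the tracker.example lines are constructed.
SAMPLE = """\
10591   9.693043000  localhost => www-googletagmanager.l.google.com  TCP 74 39775 > http [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1237539 TSecr=0 WS=128
10594   9.694512000  localhost => browser-update.org                 TCP 74 39741 > http [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1237540 TSecr=0 WS=128
14398  14.761331000  localhost => browser-update.org                 TCP 54 39741 > http [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0
14512  15.761213000  localhost => www-googletagmanager.l.google.com  TCP 66 39775 > http [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1239056 TSecr=2060224099
20001  20.000000000  localhost => tracker.example  TCP 74 40001 > http [SYN] Seq=0 Win=29200 Len=0 MSS=1460
20002  20.100000000  localhost => tracker.example  TCP 74 40002 > http [SYN] Seq=0 Win=29200 Len=0 MSS=1460
20009  21.000000000  localhost => tracker.example  TCP 54 40001 > http [FIN, ACK] Seq=297 Ack=513 Win=29312 Len=0
""".splitlines()

if __name__ == "__main__":
    for (server, port), sent in sorted(client_payload_bytes(SAMPLE, WATCHED).items()):
        state = "no FIN captured" if sent is None else f"{sent} payload bytes sent"
        print(f"{server}:{port} -> {state}")
```

The byte count comes from the FIN's sequence number rather than from the data segments, so it still works when Wireshark displays those segments under a higher-level protocol such as HTTP.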

Owner

gorhill commented Feb 20, 2017

I can reproduce pretty consistently with Firefox.

I haven't been able to reproduce with Chromium. This reinforces that this is a Firefox-specific issue.

@kirill9000

@gorhill Did you try with network.http.speculative-parallel-limit set to 0 and network.predictor.enabled to false?

@pkrasimirov

@gorhill Please untag "invalid" for this issue.

Atavic commented Dec 6, 2017
