How to block **all** conditional network accesses?

[Rudxain]

I was reading about CSS-exfil, and that got me thinking: "What if we just block all conditional CSS requests, and all (conditional or not) JS requests?". Essentially, only allow HTML (including iframes) to trigger requests (possibly excluding elements with loading=lazy attribute), and only allow CSS to trigger unconditional requests. Since JS is Turing-Complete, all requests must be blocked, because static-analysis would be expensive and impossible.

Sadly, there are limitations: For JS (and Wasm), fetch and XHR aren't the only ways to use the network, there's also WebRTC and WebSockets, and possibly other (more obscure) APIs.

I already block JS and frames by default, but it'd be nice to allow them for some domains while still blocking the network. Is there some way to do that reliably?

And yes, I'm aware that JS sometimes "recursively" loads other scripts, which in turn load other assets. But let's pretend that isn't an inconvenience

[krystian3w]

I think this is currently not possible without extending the uBo modifiers somehow, as it goes beyond the added header= / method=.

Regarding the attempt at integration CSS-exfil to uBO, it has the status of decline declined declined (I won't help you with the ticket ID (reporter may be shadowbanned by Microsoft) and about 2 approaches to the problem), converting the add-on to global replace= may not be optimal.