Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday October 23 2017, @09:09AM   Printer-friendly
from the Digital-Arms-Race dept.

Submitted via IRC for TheMightyBuzzard

The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.

CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.

CSP reports any attempt of interfering with the site's policies in regards to scripts to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.

[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.

Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Anonymous Coward on Monday October 23 2017, @09:21AM (34 children)

    by Anonymous Coward on Monday October 23 2017, @09:21AM (#586246)

    If ublock is preventing the browser from enforcing CSP stuff like "please let me know if the user's browser is removing ads/malware/crapware" then that's what I want ublock to do.

    Seems like the people designing CSP added a bit of overreach: https://mathiasbynens.be/notes/csp-reports [mathiasbynens.be]

    Now, whenever someone visits your site, and his browser blocks scripts, styles, fonts, or other resources based on your CSP configuration, it makes an HTTP POST request to /csp-hotline.php passing along a JSON-formatted report of the violation.

    To me it's only an issue if the CSP limits an iframe to certain things but ublock somehow makes the CSP more lenient and the iframe can suddenly run more dangerous stuff.

    So the real news here is CSP doing stuff that is less likely to protect the user, which to me deviates from what it CSP was originally supposed to do - protect users from malicious 3rd party content:

    prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

    Starting Score:    0  points
    Moderation   +5  
       Insightful=3, Informative=2, Total=5
    Extra 'Insightful' Modifier   0  

    Total Score:   5  
  • (Score: 2, Insightful) by Anonymous Coward on Monday October 23 2017, @10:18AM (30 children)

    by Anonymous Coward on Monday October 23 2017, @10:18AM (#586252)

    deviates from what it CSP was originally supposed to do - protect users from malicious 3rd party content:

    Are you really that naive?
    Anyone who wants to protect users from "malicious 3rd party content" can do it in an instant: just stop serving to users 3rd party content. Or if he/she/it really cares about security, here a trivial, reliable solution: stop forcing users to run shitty javascripts on security-sensitive pages. Just stop.
    Anything else, is security theater for gullible fools. With an additional aim to screw them once more.

    • (Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @11:22AM (27 children)

      by Anonymous Coward on Monday October 23 2017, @11:22AM (#586273)
      Are you really that stupid?

      You = first party
      Soylentnews/Webmail = second party
      Message you are reading = third party

      Different browsers could interpret "Message you are reading" differently. The HTML/etc escaping/filtering library used by the second party site might also interpret it differently.

      CSP is supposed to be the "brake pedal" while the W3C keep coming up with "Go Pedals". In the days before CSP to prevent bad stuff from happening second party sites have to make sure all the Go Pedals are not pressed. But what about future Go Pedals?

      By having something like CSP you could say "No javascript allowed here" and all browsers that support CSP in a sane way would not allow javascript in that place even if the W3C came up with new "Go Pedals" in the future and javascript got past the site's escaping library (whether due to the library not taking new stuff into account or the browser not implementing things the same way).
      • (Score: 1, Insightful) by Anonymous Coward on Monday October 23 2017, @12:31PM (1 child)

        by Anonymous Coward on Monday October 23 2017, @12:31PM (#586300)

        By having something like CSP you could say "No javascript allowed here" and all browsers that support CSP in a sane way would not allow javascript in that place even if the W3C came up with new "Go Pedals" in the future and javascript got past the site's escaping library (whether due to the library not taking new stuff into account or the browser not implementing things the same way).

        And what does that have to do with the browser reporting back to the site?

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @01:38PM

          by Anonymous Coward on Monday October 23 2017, @01:38PM (#586318)
          That's what you should ask the CSP designers who added that "feature".
      • (Score: 1, Insightful) by Anonymous Coward on Monday October 23 2017, @01:57PM (1 child)

        by Anonymous Coward on Monday October 23 2017, @01:57PM (#586322)

        Different browsers could interpret "Message you are reading" differently. The HTML/etc escaping/filtering library used by the second party site might also interpret it differently.

        And if you are concerned about security, you do not offer a crazy attack surface, to then play at "mitigation". You do plain things in plain ways and avoid corner cases and do not do any clever shit.
        Then you've no need to invent crap excuses with "pedals" and other series of tubes.

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:14PM

          by Anonymous Coward on Monday October 23 2017, @05:14PM (#586418)
          Tell that to the W3C and browser developers.
      • (Score: 5, Insightful) by Runaway1956 on Monday October 23 2017, @02:59PM (21 children)

        by Runaway1956 (2926) Subscriber Badge on Monday October 23 2017, @02:59PM (#586353) Journal

        I don't now how stupid GP might be - but you're not making any points with your post. Third party hosting of anything introduces potential exploits. Stop using third party anything at all. Just stop. And, DO NOT expect my browser to make any kind of reports to any of those third parties. It ain't happening.

        Want to know what happens when your site doesn't work on my computer? Noscript warns me that two CDN's and four ad companies all want to run code on my machine, along with a couple dozen other sites that I don't even recognize. (alright, so maybe I recognize some of them, but I often see sites that are complete mysteries) So, what do I do? I just close the damned tab. Whatever brought me to your site just isn't important enough for me to run script written by aliens from Andromeda. Or, Lizard people. Or, NSA goons. Your shit just isn't that impressive, so I close the tab, and you've lost a hit.

        I hope your children all die of starvation due to people like me, who just close the fucking tab.

        • (Score: 2) by Pino P on Monday October 23 2017, @03:12PM (18 children)

          by Pino P (4721) on Monday October 23 2017, @03:12PM (#586361) Journal

          So, what do I do? I just close the damned tab.

          If the only provider (or all providers) of a particular kind of good or service to your area requires use of a third-party script, such as Google reCAPTCHA as an anti-botspam measure, do you instead do without that good or service? For example, if the local electric power utility offers a choice of electronic ACH payment with third-party scripts or check payment with a $5 per month surcharge for a paper bill, do you instead accept the surcharge?

          • (Score: 2) by Runaway1956 on Monday October 23 2017, @05:16PM (15 children)

            by Runaway1956 (2926) Subscriber Badge on Monday October 23 2017, @05:16PM (#586420) Journal

            Neither. I can go to my bank, and set up a recurring periodic payment. If my bank didn't provide that service, then I would probably be in contact with $monopoly about their billing practices. I would seriously consider dropping the service that $monopoly provides. I would most definitely be searching for alternatives.

            Funny that you imply that it is alright for the $monoploy to use coercion, to force me to conform to their preferred business and billing practices. That coercion, in some people's minds, might justify some questionably legal measures as punishment. Now that I think about it, I haven't visited 4chan or any of Anonymous various haunts in some time now . . . Tell me, how do you feel about someone, such as Anonymous, coercing $monopoly to use fair business and billing practices?

            • (Score: 2) by Pino P on Monday October 23 2017, @05:57PM (14 children)

              by Pino P (4721) on Monday October 23 2017, @05:57PM (#586455) Journal

              I can go to my bank, and set up a recurring periodic payment.

              How does your bank know how much of the utility you used in order to know how much to pay the utility?

              I would seriously consider dropping the service that $monopoly provides. I would most definitely be searching for alternatives.

              In a city in the industrialized world, what's the alternative to electric power, running water, or wired Internet? Solar, a well, and satellite Internet aren't adequate substitutes for everyone.

              • (Score: 0) by Anonymous Coward on Monday October 23 2017, @07:14PM (8 children)

                by Anonymous Coward on Monday October 23 2017, @07:14PM (#586496)

                An easier example is your comment is third party content to Runaway and everyone else reading it.

                And he got modded 5 insightful for saying stuff like:

                Stop using third party anything at all.

                Runaway and those who modded him up don't realize that most comments in SN are third party content.

                Looks like lots of people here don't know much about IT security.

                They don't seem to realize that quite a lot of things are done to make a third party comment safe to be read, while allowing Unicode (😀 ), bold text, hyperlinks, etc.
                See: http://websec.github.io/unicode-security-guide/character-transformations/ [github.io]

                Sometimes those things fail and stuff gets through.

                🛑

                • (Score: 2) by Pino P on Monday October 23 2017, @07:40PM (5 children)

                  by Pino P (4721) on Monday October 23 2017, @07:40PM (#586512) Journal

                  Runaway and those who modded him up don't realize that most comments in SN are third party content.

                  Perhaps the intent was "Stop using third-party active content, such as third-party JavaScript and third-party WebAssembly." Or perhaps it was "Stop using content for which a third party can log requests, such as third-party images, third-party fonts, and third-party iframes."

                  Take <img> for example. If an HTML document transcludes an image using the <img> element, the operator of a server can see the IPv4 or IPv6 address of the person, the URL of the document that transcludes the image (Referer:), and whatever other identifying information the browser ends up including in HTTP headers. The possibility of this sort of tracking is part of why third-party content on SoylentNews (that is, the comments) doesn't allow the <img> element.

                  • (Score: 0) by Anonymous Coward on Monday October 23 2017, @08:15PM (1 child)

                    by Anonymous Coward on Monday October 23 2017, @08:15PM (#586540)

                    You still don't get it. How does your site know what third party content is active and what isn't? It's not magic. Something has to decide and filter out the active and tracking stuff. Like the img tags. You want the comments to be static and have no tracking stuff but how do you achieve it while allowing other features? You use filters and other methods.

                    Those filters may not be perfect and stuff is not always handled the same by different browsers- compare firefox and chrome rendering of the subject line of this comment: https://soylentnews.org/comments.pl?noupdate=1&sid=22181&page=1&cid=586530#commentwrap [soylentnews.org]

                    The filters might work well enough today. But will they work in the future as the browser makers keep adding stuff (and sometimes differently)?

                    Stuff like CSP was supposed to be second layer of defense. So when the filters fail the browsers might still not run the active/tracking stuff. Because the site told the browser "there's not supposed to be any active stuff in the comments".

                    • (Score: 2) by Pino P on Tuesday October 24 2017, @01:41PM

                      by Pino P (4721) on Tuesday October 24 2017, @01:41PM (#586841) Journal

                      How does your site know what third party content is active and what isn't?

                      If a particular media type is capable of running an unvetted computer program, it is active content. This means application/javascript is active, and text/html is also active because it can contain a <script> element that transcludes a resource of type application/javascript.

                      Something has to decide and filter out the active and tracking stuff. Like the img tags.

                      Many consider the <img> elements to be benign because they do not cause the browser to run an unvetted computer program.

                      Stuff like CSP was supposed to be second layer of defense.

                      I agree. But not all third-party content is equal. Some is trusted by the site owner but not necessarily by the viewer, such as scripts associated with third-party analytics and third-party advertising. Some is trusted by neither, such as comments. Things like CSP are primarily aimed at the "trusted by neither" case, though the Report-Only part is for resources trusted by the site owner.

                  • (Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @08:41PM (2 children)

                    by Anonymous Coward on Monday October 23 2017, @08:41PM (#586560)

                    Perhaps the intent was "Stop using third-party active content

                    Intent? The browser ultimately decides what is active content. Not you, not Runaway, nor the site's filters. Without stuff like CSP the browser can't know anything about the site's intent.

                    You may wish for the content to be static but something has to enforce that. If that stuff doesn't succeed, what you and the site thinks should be static content could still be considered by the browser to be active content.

                    Hackers try to find exploitable differences/gaps between the filters and the various browsers.

                    • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:14PM (1 child)

                      by urza9814 (3954) on Tuesday October 24 2017, @01:14PM (#586832) Journal

                      You have the browser block third-party content. Period.

                      Soylent comments are NOT third-party content in that context. They're served directly from SoylentNews.org.

                      Sure, you could drop an iframe or script tag in there...but either you're linking to another page on SoylentNews.org, which I already trust, or you're linking to a third-party website, which my browser won't load. Of course, Soylent rightly blocks those tags to begin with, so that's kind of a moot point anyway.

                      And if the site is done properly, "new features" won't really matter. You whitelist allowed tags in user content, you don't blacklist potentially harmful ones. And you can also use things like doctype tags to tell the browser which version of the spec to use when interpreting the page, so if new versions of the specs add new features it doesn't matter because your page is fixed to one specific version.

                      • (Score: 3, Touché) by Pino P on Tuesday October 24 2017, @01:51PM

                        by Pino P (4721) on Tuesday October 24 2017, @01:51PM (#586847) Journal

                        And you can also use things like doctype tags to tell the browser which version of the spec to use when interpreting the page

                        The HTML5 doctype is <!DOCTYPE HTML>. This tag doesn't include a version. Or what am I missing?

                        Even the HTML 4 doctype didn't include versions of standards included by reference, such as a CSS version or a Unicode version.

                • (Score: 1, Interesting) by Anonymous Coward on Monday October 23 2017, @07:59PM

                  by Anonymous Coward on Monday October 23 2017, @07:59PM (#586530)

                  Whose filters are perfect AND will stay perfect as the various consortiums and groups keep adding stuff?

                • (Score: 0) by Anonymous Coward on Monday October 23 2017, @08:20PM

                  by Anonymous Coward on Monday October 23 2017, @08:20PM (#586546)

                  They don't seem to realize that quite a lot of things are done to make a third party comment safe to be read, while allowing Unicode (😀 ), bold text, hyperlinks, etc.

                  If you got a trojaned font installed on your system, websites are least of your problems.
                  If a website downloads a trojaned font onto your system, it should be unable to when doing anything secure.

                  Security is NOT when you get extensive training in how to juggle dynamite sticks. Security is when you do not juggle them AT ALL.

              • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:04PM (4 children)

                by urza9814 (3954) on Tuesday October 24 2017, @01:04PM (#586828) Journal

                I can go to my bank, and set up a recurring periodic payment.

                How does your bank know how much of the utility you used in order to know how much to pay the utility?

                This is a standard service that many banks offer. The utility sends you a bill, you go to your bank's website and type in the amount, and they transfer the payment.

                And if your bank requires third party scripts for that, you get a new bank that has a clue about security.

                • (Score: 2) by Pino P on Tuesday October 24 2017, @01:47PM (3 children)

                  by Pino P (4721) on Tuesday October 24 2017, @01:47PM (#586845) Journal

                  This is a standard service that many banks offer. The utility sends you a bill, you go to your bank's website and type in the amount, and they transfer the payment.

                  Until you get to banks that offer different tiers of checking accounts, one with bill payment and the other without, and require a larger minimum balance to avoid a monthly service fee for the one with bill payment than for the other without.

                  And if your bank requires third party scripts for [bill payment], you get a new bank that has a clue about security.

                  Before I create an account at a bank, how do I go about seeing whether its web application for logged-in account holders requires the use of a script from a different domain? Or would you recommend that I go through the process of creating an account, set up online access, and then go through the process of closing my account once I discover that online access requires the use of a script from a different domain?

                  • (Score: 2) by urza9814 on Tuesday October 24 2017, @03:05PM (2 children)

                    by urza9814 (3954) on Tuesday October 24 2017, @03:05PM (#586892) Journal

                    Until you get to banks that offer different tiers of checking accounts, one with bill payment and the other without, and require a larger minimum balance to avoid a monthly service fee for the one with bill payment than for the other without.

                    If your bank sucks, pick a better one. I don't see the problem here...

                    Before I create an account at a bank, how do I go about seeing whether its web application for logged-in account holders requires the use of a script from a different domain? Or would you recommend that I go through the process of creating an account, set up online access, and then go through the process of closing my account once I discover that online access requires the use of a script from a different domain?

                    You could always ask them. If they get enough requests for that info, they'll probably start marketing it. But I've never seen a bank that requires third-party scripts anyway, it seems like pretty poor security practices. So judge their competency the same way you would with anything else.

                    • (Score: 2) by Pino P on Wednesday October 25 2017, @09:06PM (1 child)

                      by Pino P (4721) on Wednesday October 25 2017, @09:06PM (#587566) Journal

                      If your bank sucks, pick a better one. I don't see the problem here...

                      The problem is that all banks suck. They just suck in different ways.

                      • (Score: 2) by urza9814 on Thursday October 26 2017, @12:28PM

                        by urza9814 (3954) on Thursday October 26 2017, @12:28PM (#587774) Journal

                        So use a credit union. I've got all my money with PSECU and they're fuckin awesome. I don't think I've ever paid them a dime...no overdraft fees, no ATM fees (even ATM fees charged by other banks get refunded), no checking or debit fees, no credit card fees, no fees for the bill payer. No real minimum balance (It's $5)...and at the end of every year they pay me just for having an account.

          • (Score: 2) by stretch611 on Monday October 23 2017, @08:00PM

            by stretch611 (6199) on Monday October 23 2017, @08:00PM (#586531)

            Maybe instead of trusting 3rd party scripts people should write their own damn code.

            Even if you rely on that bloat garbage known as jQuery, maybe you should host a copy yourself.

            Even stuff like analytics can be replicated... if it is difficult for you to track which pages a client reads on your site, maybe you should learn to program. Logs are simple.

            I admit that some times I do use 3rd party tools for in my development, but everything gets copied and hosted locally. In addition to security, it prevents something on my site breaking if a new release comes out. I can test the new release before updating the code.

            No, you can't host things like facebook's like button locally, but the idea here is to stop web tracking.

            The only exception I can think of at the moment is something like Google Maps and Re-captcha. Obviously maps is a huge undertaking, but you can always use the open version, or do it the old fashion way and open a link in a window. As for Re-captcha, a popular site probably needs it for bot prevention, on small scale sites, even simple math filters (e.g. 3 + 4 = (answer here) do a good job preventing most spam bots.

            --
            Now with 5 covid vaccine shots/boosters altering my DNA :P
          • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:02PM

            by urza9814 (3954) on Tuesday October 24 2017, @01:02PM (#586826) Journal

            if the local electric power utility offers a choice of electronic ACH payment with third-party scripts or check payment with a $5 per month surcharge for a paper bill, do you instead accept the surcharge?

            Every utility I've ever seen charges an extra fee for *electronic* payments, not for paper ones. That's why I still mail out checks every month...I'm not paying a damn "processing fee" to help them reduce their staffing costs...

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @06:08PM

          by Anonymous Coward on Monday October 23 2017, @06:08PM (#586464)

          Why then are you even on Soylent News? Most comments here are 𝕋𝕙𝕚𝕣𝕕 ℙ𝕒𝕣𝕥𝕪 ℂ𝕠𝕟𝕥𝕖𝕟𝕥 (e.g. content that is not from you nor from those who run Soylent News).

          There are things that the Soylent News webapp does to filter bad/unwanted stuff from comments while allowing stuff like bold tags and some 𝓤𝓷𝓲𝓬𝓸𝓭𝓮 (e.g. rtl markers are removed). But one fine day the W3C or browser developers might do something stupid, or something was overlooked and so stuff can get through those filters.

          Stuff like CSP was originally supposed to prevent stuff like that from happening. e.g. in theory you would be able to tell the browser that it is to NEVER ever run any active stuff (javascript, flash, etc) in any of the comments. So even if one day some clever person figures out how to sneak javascript through the filters, if the browser has already told by Soylent News (via CSP or similar) to not allow active stuff, the javascript doesn't run and the user is still protected. AND the user can still safely use the Soylent News site's javascript stuff if they want to.

          But given the CSP bunch are doing dubious shit like this, my confidence in them is decreasing. There is no need for the violation to be sent to the site at all. If the browser knows a violation has occurred (if it doesn't it wouldn't be able to send a report) the browser by default should tell the user and stop running any active crap immediately. Because in most such scenarios the user is the one who is being attacked.

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @09:31PM

          by Anonymous Coward on Monday October 23 2017, @09:31PM (#586589)

          +1

          my comment was going to be "boo fucking hoo" but you have properly defined why the crying doesnt affect me.

          it is not my browser's job to test some guys website for errors and problems. he can run that script himself on his own hardware.

      • (Score: 2) by chromas on Tuesday October 24 2017, @09:03AM

        by chromas (34) Subscriber Badge on Tuesday October 24 2017, @09:03AM (#586783) Journal

        You = first party
        Soylentnews/Webmail = second party
        Message you are reading = third party

        From the browser's perspective, the message is still second-party. SN hosts and sends the message to your browser. Third party would be if SN linked in some content from AWS or Google APIs.

    • (Score: 2) by Pino P on Monday October 23 2017, @02:55PM (1 child)

      by Pino P (4721) on Monday October 23 2017, @02:55PM (#586349) Journal

      Anyone who wants to protect users from "malicious 3rd party content" can do it in an instant: just stop serving to users 3rd party content.

      If you're referring to a third-party script that a user manages to inadvertently insert through a cross-site scripting (XSS) vulnerability, preventing it from running is the main goal of CSP.

      If you're referring to a third-party script that a publisher deliberately transcludes, then why have so many websites switched from selling ad space directly to advertisers and hosting these ads to using ad networks and ad exchanges? I imagine it involves not having to find and pay salespeople, as well as greater CPM from ads that are based on an interest profile inferred through tracking a user's activity across sites than from ads that are not.

      • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:57PM

        by Anonymous Coward on Monday October 23 2017, @05:57PM (#586456)

        If you're referring to a third-party script that a user manages to inadvertently insert through a cross-site scripting (XSS) vulnerability, preventing it from running is the main goal of CSP.

        Preventing "it" from running should be as easy as totally disabling javascript when doing anything securirty sensitive. Anything interfering with that is a malicious part of the problem, all song and dance of security theater notwithstanding.

  • (Score: 4, Insightful) by opinionated_science on Monday October 23 2017, @10:21AM (1 child)

    by opinionated_science (4031) on Monday October 23 2017, @10:21AM (#586253)

    I've not applied any technical focus on this, but I *do* use UBO on some really dodgy sites, and it happily closes and makes visible (by denying i-frame), many bouncing , flashing "click me!" sites....

    Reading what I wrote, I realise this probably doesn't meet many peoples version of dodgy, but we have a broken ad-serve liability model.....

    • (Score: 3, Insightful) by DannyB on Monday October 23 2017, @04:47PM

      by DannyB (5839) Subscriber Badge on Monday October 23 2017, @04:47PM (#586405) Journal

      Reading what I wrote, I realise this probably doesn't meet many peoples version of dodgy

      It meets my version of dodgy. Any advertisement that is bouncing, flashing ***CLICK-ME!!!***, playing sounds, or videos is MOST DEFINITELY dodgy.

      And sites that do this ARE NOT worth my time.

      Free clue to these websites: It is highly unlikely that there is something on your web site that is so important that I absolutely must see it. Especially if I cannot see it due to all the dodgy animated content.

      But I understand. It is an arms race. Between people trying to navigate information while maintaining their sanity, and advertisers that will stoop to any depths, leave no lie untold, who would plaster every surface in the world with ads, and would put ads on the inside of our eyelids if they could. And would bribe congress to make the eyelid implants mandatory at birth. And then would post messages to defend the indefensible practice.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 3, Insightful) by inertnet on Monday October 23 2017, @10:50AM

    by inertnet (4071) on Monday October 23 2017, @10:50AM (#586263) Journal

    The fact that this is called a "violation" says a lot.