
SoylentNews is people

posted by Fnord666 on Monday October 23 2017, @09:09AM
from the Digital-Arms-Race dept.

Submitted via IRC for TheMightyBuzzard

The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.

CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.

CSP reports any attempt to interfere with the site's policies regarding scripts to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.

[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.

Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/
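
The reporting mechanism described above, seen from the receiving site's side, as an added example (not code from the article or from uBlock Origin): it parses violation reports in the `report-uri` JSON format and separates likely client-side noise from violations worth investigating. The policy string, the URLs, the sample reports and the classification heuristic are assumptions made for illustration.

```javascript
// Added example: triage CSP violation reports (report-uri JSON format).
// Policy, URLs and the heuristic are constructed for illustration.
const POLICY =
  "script-src 'self' https://www.google-analytics.com; report-uri /csp-report";

// URL schemes browsers use for extension-packaged resources.
const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:',
  'safari-extension:', 'safari-web-extension:'];

// Parse a raw POST body; return the inner report object, or null if unusable.
function parseCspReport(body) {
  let doc;
  try { doc = JSON.parse(body); } catch (e) { return null; }
  const r = doc && doc['csp-report'];
  if (!r || typeof r !== 'object') return null;
  if (typeof r['blocked-uri'] !== 'string') return null;
  return r;
}

// Separate likely client-side noise from violations worth investigating.
function triage(body) {
  const r = parseCspReport(body);
  if (r === null) return 'malformed';
  const blocked = r['blocked-uri'];
  const source = typeof r['source-file'] === 'string' ? r['source-file'] : '';
  const fromExt = (u) => EXTENSION_SCHEMES.some((s) => u.startsWith(s));
  if (fromExt(blocked) || fromExt(source)) return 'client-extension';
  if (blocked === 'inline' || blocked === 'eval') return 'inline-or-eval';
  if (blocked === 'data' || blocked.startsWith('data:')) return 'data-uri';
  return 'external';
}

// Constructed sample reports, as a browser would POST them.
const mk = (fields) => JSON.stringify({ 'csp-report': Object.assign({
  'document-uri': 'https://shop.example/cart',
  'violated-directive': 'script-src', 'original-policy': POLICY }, fields) });
const SAMPLES = [
  mk({ 'blocked-uri': 'https://cdn.unknown.example/x.js' }),
  mk({ 'blocked-uri': 'inline', 'source-file': 'https://shop.example/cart' }),
  mk({ 'blocked-uri': 'data' }),
  mk({ 'blocked-uri': 'inline', 'source-file': 'moz-extension://constructed-id/cs.js' }),
  '{"csp-report": 42', // truncated body
];

// Count reports per category.
function summarize(bodies) {
  const counts = {};
  for (const b of bodies) counts[triage(b)] = (counts[triage(b)] || 0) + 1;
  return counts;
}
console.log(summarize(SAMPLES));
```

Reports that a content blocker suppresses never reach such an endpoint, so the counts reflect only the clients that actually sent them.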


  • (Score: 1, Insightful) by Anonymous Coward on Monday October 23 2017, @01:57PM (#586322)

    Different browsers could interpret "Message you are reading" differently. The HTML/etc escaping/filtering library used by the second party site might also interpret it differently.

    And if you are concerned about security, you do not offer a crazy attack surface, to then play at "mitigation". You do plain things in plain ways and avoid corner cases and do not do any clever shit.
    Then you've no need to invent crap excuses with "pedals" and other series of tubes.

  • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:14PM (#586418)

    Tell that to the W3C and browser developers.