Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday October 23 2017, @09:09AM   Printer-friendly
from the Digital-Arms-Race dept.

Submitted via IRC for TheMightyBuzzard

The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.

CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.

CSP reports any attempt of interfering with the site's policies in regards to scripts to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.

[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.

Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Pino P on Monday October 23 2017, @02:55PM (1 child)

    by Pino P (4721) on Monday October 23 2017, @02:55PM (#586349) Journal

    Anyone who wants to protect users from "malicious 3rd party content" can do it in an instant: just stop serving to users 3rd party content.

    If you're referring to a third-party script that a user manages to inadvertently insert through a cross-site scripting (XSS) vulnerability, preventing it from running is the main goal of CSP.

    If you're referring to a third-party script that a publisher deliberately transcludes, then why have so many websites switched from selling ad space directly to advertisers and hosting these ads to using ad networks and ad exchanges? I imagine it involves not having to find and pay salespeople, as well as greater CPM from ads that are based on an interest profile inferred through tracking a user's activity across sites than from ads that are not.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:57PM

    by Anonymous Coward on Monday October 23 2017, @05:57PM (#586456)

    If you're referring to a third-party script that a user manages to inadvertently insert through a cross-site scripting (XSS) vulnerability, preventing it from running is the main goal of CSP.

    Preventing "it" from running should be as easy as totally disabling javascript when doing anything securirty sensitive. Anything interfering with that is a malicious part of the problem, all song and dance of security theater notwithstanding.