
posted by Fnord666 on Monday October 23 2017, @09:09AM
from the Digital-Arms-Race dept.

Submitted via IRC for TheMightyBuzzard

The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.

CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.

CSP reports any attempt to interfere with the site's script policy to the webmaster. The report is sent when a user's browser loads the site, and webmasters use it to analyze and resolve the detected issues.

[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.

Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/


Original Submission

  • (Score: 2) by Pino P on Monday October 23 2017, @03:12PM (18 children)

    by Pino P (4721) on Monday October 23 2017, @03:12PM (#586361) Journal

    So, what do I do? I just close the damned tab.

    If the only provider (or all providers) of a particular kind of good or service to your area requires use of a third-party script, such as Google reCAPTCHA as an anti-botspam measure, do you instead do without that good or service? For example, if the local electric power utility offers a choice of electronic ACH payment with third-party scripts or check payment with a $5 per month surcharge for a paper bill, do you instead accept the surcharge?

  • (Score: 2) by Runaway1956 on Monday October 23 2017, @05:16PM (15 children)

    by Runaway1956 (2926) Subscriber Badge on Monday October 23 2017, @05:16PM (#586420) Journal

    Neither. I can go to my bank, and set up a recurring periodic payment. If my bank didn't provide that service, then I would probably be in contact with $monopoly about their billing practices. I would seriously consider dropping the service that $monopoly provides. I would most definitely be searching for alternatives.

    Funny that you imply that it is alright for the $monopoly to use coercion, to force me to conform to their preferred business and billing practices. That coercion, in some people's minds, might justify some questionably legal measures as punishment. Now that I think about it, I haven't visited 4chan or any of Anonymous' various haunts in some time now . . . Tell me, how do you feel about someone, such as Anonymous, coercing $monopoly to use fair business and billing practices?

    • (Score: 2) by Pino P on Monday October 23 2017, @05:57PM (14 children)

      by Pino P (4721) on Monday October 23 2017, @05:57PM (#586455) Journal

      I can go to my bank, and set up a recurring periodic payment.

      How does your bank know how much of the utility you used in order to know how much to pay the utility?

      I would seriously consider dropping the service that $monopoly provides. I would most definitely be searching for alternatives.

      In a city in the industrialized world, what's the alternative to electric power, running water, or wired Internet? Solar, a well, and satellite Internet aren't adequate substitutes for everyone.

      • (Score: 0) by Anonymous Coward on Monday October 23 2017, @07:14PM (8 children)

        by Anonymous Coward on Monday October 23 2017, @07:14PM (#586496)

        An easier example: your comment is third-party content to Runaway and everyone else reading it.

        And he got modded 5 insightful for saying stuff like:

        Stop using third party anything at all.

        Runaway and those who modded him up don't realize that most comments in SN are third party content.

        Looks like lots of people here don't know much about IT security.

        They don't seem to realize that quite a lot of things are done to make a third party comment safe to be read, while allowing Unicode (😀 ), bold text, hyperlinks, etc.
        See: http://websec.github.io/unicode-security-guide/character-transformations/

        Sometimes those things fail and stuff gets through.

        🛑

        • (Score: 2) by Pino P on Monday October 23 2017, @07:40PM (5 children)

          by Pino P (4721) on Monday October 23 2017, @07:40PM (#586512) Journal

          Runaway and those who modded him up don't realize that most comments in SN are third party content.

          Perhaps the intent was "Stop using third-party active content, such as third-party JavaScript and third-party WebAssembly." Or perhaps it was "Stop using content for which a third party can log requests, such as third-party images, third-party fonts, and third-party iframes."

          Take <img> for example. If an HTML document transcludes an image using the <img> element, the operator of a server can see the IPv4 or IPv6 address of the person, the URL of the document that transcludes the image (Referer:), and whatever other identifying information the browser ends up including in HTTP headers. The possibility of this sort of tracking is part of why third-party content on SoylentNews (that is, the comments) doesn't allow the <img> element.

          • (Score: 0) by Anonymous Coward on Monday October 23 2017, @08:15PM (1 child)

            by Anonymous Coward on Monday October 23 2017, @08:15PM (#586540)

            You still don't get it. How does your site know what third party content is active and what isn't? It's not magic. Something has to decide and filter out the active and tracking stuff. Like the img tags. You want the comments to be static and have no tracking stuff but how do you achieve it while allowing other features? You use filters and other methods.

            Those filters may not be perfect, and stuff is not always handled the same by different browsers. Compare the Firefox and Chrome rendering of the subject line of this comment: https://soylentnews.org/comments.pl?noupdate=1&sid=22181&page=1&cid=586530#commentwrap

            The filters might work well enough today. But will they work in the future as the browser makers keep adding stuff (and sometimes differently)?

            Stuff like CSP was supposed to be a second layer of defense. So when the filters fail, the browser might still not run the active/tracking stuff, because the site told the browser "there's not supposed to be any active stuff in the comments".

            • (Score: 2) by Pino P on Tuesday October 24 2017, @01:41PM

              by Pino P (4721) on Tuesday October 24 2017, @01:41PM (#586841) Journal

              How does your site know what third party content is active and what isn't?

              If a particular media type is capable of running an unvetted computer program, it is active content. This means application/javascript is active, and text/html is also active because it can contain a <script> element that transcludes a resource of type application/javascript.

              Something has to decide and filter out the active and tracking stuff. Like the img tags.

              Many consider the <img> elements to be benign because they do not cause the browser to run an unvetted computer program.

              Stuff like CSP was supposed to be second layer of defense.

              I agree. But not all third-party content is equal. Some is trusted by the site owner but not necessarily by the viewer, such as scripts associated with third-party analytics and third-party advertising. Some is trusted by neither, such as comments. Things like CSP are primarily aimed at the "trusted by neither" case, though the Report-Only part is for resources trusted by the site owner.

          • (Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @08:41PM (2 children)

            by Anonymous Coward on Monday October 23 2017, @08:41PM (#586560)

            Perhaps the intent was "Stop using third-party active content

            Intent? The browser ultimately decides what is active content. Not you, not Runaway, nor the site's filters. Without stuff like CSP the browser can't know anything about the site's intent.

            You may wish for the content to be static but something has to enforce that. If that stuff doesn't succeed, what you and the site thinks should be static content could still be considered by the browser to be active content.

            Hackers try to find exploitable differences/gaps between the filters and the various browsers.

            • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:14PM (1 child)

              by urza9814 (3954) on Tuesday October 24 2017, @01:14PM (#586832) Journal

              You have the browser block third-party content. Period.

              Soylent comments are NOT third-party content in that context. They're served directly from SoylentNews.org.

              Sure, you could drop an iframe or script tag in there...but either you're linking to another page on SoylentNews.org, which I already trust, or you're linking to a third-party website, which my browser won't load. Of course, Soylent rightly blocks those tags to begin with, so that's kind of a moot point anyway.

              And if the site is done properly, "new features" won't really matter. You whitelist allowed tags in user content, you don't blacklist potentially harmful ones. And you can also use things like doctype tags to tell the browser which version of the spec to use when interpreting the page, so if new versions of the specs add new features it doesn't matter because your page is fixed to one specific version.

              • (Score: 3, Touché) by Pino P on Tuesday October 24 2017, @01:51PM

                by Pino P (4721) on Tuesday October 24 2017, @01:51PM (#586847) Journal

                And you can also use things like doctype tags to tell the browser which version of the spec to use when interpreting the page

                The HTML5 doctype is <!DOCTYPE HTML>. This tag doesn't include a version. Or what am I missing?

                Even the HTML 4 doctype didn't include versions of standards included by reference, such as a CSS version or a Unicode version.

        • (Score: 1, Interesting) by Anonymous Coward on Monday October 23 2017, @07:59PM

          by Anonymous Coward on Monday October 23 2017, @07:59PM (#586530)

          Whose filters are perfect AND will stay perfect as the various consortiums and groups keep adding stuff?

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @08:20PM

          by Anonymous Coward on Monday October 23 2017, @08:20PM (#586546)

          They don't seem to realize that quite a lot of things are done to make a third party comment safe to be read, while allowing Unicode (😀 ), bold text, hyperlinks, etc.

          If you got a trojaned font installed on your system, websites are least of your problems.
          If a website downloads a trojaned font onto your system, it should be unable to when doing anything secure.

          Security is NOT when you get extensive training in how to juggle dynamite sticks. Security is when you do not juggle them AT ALL.

      • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:04PM (4 children)

        by urza9814 (3954) on Tuesday October 24 2017, @01:04PM (#586828) Journal

        I can go to my bank, and set up a recurring periodic payment.

        How does your bank know how much of the utility you used in order to know how much to pay the utility?

        This is a standard service that many banks offer. The utility sends you a bill, you go to your bank's website and type in the amount, and they transfer the payment.

        And if your bank requires third party scripts for that, you get a new bank that has a clue about security.

        • (Score: 2) by Pino P on Tuesday October 24 2017, @01:47PM (3 children)

          by Pino P (4721) on Tuesday October 24 2017, @01:47PM (#586845) Journal

          This is a standard service that many banks offer. The utility sends you a bill, you go to your bank's website and type in the amount, and they transfer the payment.

          Until you get to banks that offer different tiers of checking accounts, one with bill payment and the other without, and require a larger minimum balance to avoid a monthly service fee for the one with bill payment than for the other without.

          And if your bank requires third party scripts for [bill payment], you get a new bank that has a clue about security.

          Before I create an account at a bank, how do I go about seeing whether its web application for logged-in account holders requires the use of a script from a different domain? Or would you recommend that I go through the process of creating an account, set up online access, and then go through the process of closing my account once I discover that online access requires the use of a script from a different domain?

          • (Score: 2) by urza9814 on Tuesday October 24 2017, @03:05PM (2 children)

            by urza9814 (3954) on Tuesday October 24 2017, @03:05PM (#586892) Journal

            Until you get to banks that offer different tiers of checking accounts, one with bill payment and the other without, and require a larger minimum balance to avoid a monthly service fee for the one with bill payment than for the other without.

            If your bank sucks, pick a better one. I don't see the problem here...

            Before I create an account at a bank, how do I go about seeing whether its web application for logged-in account holders requires the use of a script from a different domain? Or would you recommend that I go through the process of creating an account, set up online access, and then go through the process of closing my account once I discover that online access requires the use of a script from a different domain?

            You could always ask them. If they get enough requests for that info, they'll probably start marketing it. But I've never seen a bank that requires third-party scripts anyway, it seems like pretty poor security practices. So judge their competency the same way you would with anything else.

            • (Score: 2) by Pino P on Wednesday October 25 2017, @09:06PM (1 child)

              by Pino P (4721) on Wednesday October 25 2017, @09:06PM (#587566) Journal

              If your bank sucks, pick a better one. I don't see the problem here...

              The problem is that all banks suck. They just suck in different ways.

              • (Score: 2) by urza9814 on Thursday October 26 2017, @12:28PM

                by urza9814 (3954) on Thursday October 26 2017, @12:28PM (#587774) Journal

                So use a credit union. I've got all my money with PSECU and they're fuckin awesome. I don't think I've ever paid them a dime...no overdraft fees, no ATM fees (even ATM fees charged by other banks get refunded), no checking or debit fees, no credit card fees, no fees for the bill payer. No real minimum balance (It's $5)...and at the end of every year they pay me just for having an account.

  • (Score: 2) by stretch611 on Monday October 23 2017, @08:00PM

    by stretch611 (6199) on Monday October 23 2017, @08:00PM (#586531)

    Maybe instead of trusting 3rd party scripts people should write their own damn code.

    Even if you rely on that bloat garbage known as jQuery, maybe you should host a copy yourself.

    Even stuff like analytics can be replicated... if it is difficult for you to track which pages a client reads on your site, maybe you should learn to program. Logs are simple.

    I admit that sometimes I do use 3rd-party tools in my development, but everything gets copied and hosted locally. In addition to security, it prevents something on my site breaking if a new release comes out. I can test the new release before updating the code.

    No, you can't host things like facebook's like button locally, but the idea here is to stop web tracking.

    The only exception I can think of at the moment is something like Google Maps and Re-captcha. Obviously maps is a huge undertaking, but you can always use the open version, or do it the old-fashioned way and open a link in a window. As for Re-captcha, a popular site probably needs it for bot prevention; on small-scale sites, even simple math filters (e.g. 3 + 4 = (answer here)) do a good job preventing most spam bots.

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:02PM

    by urza9814 (3954) on Tuesday October 24 2017, @01:02PM (#586826) Journal

    if the local electric power utility offers a choice of electronic ACH payment with third-party scripts or check payment with a $5 per month surcharge for a paper bill, do you instead accept the surcharge?

    Every utility I've ever seen charges an extra fee for *electronic* payments, not for paper ones. That's why I still mail out checks every month...I'm not paying a damn "processing fee" to help them reduce their staffing costs...