
SoylentNews is people

posted by Fnord666 on Monday October 23 2017, @09:09AM   Printer-friendly
from the Digital-Arms-Race dept.

Submitted via IRC for TheMightyBuzzard

The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.

CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.

CSP reports any attempt of interfering with the site's policies in regards to scripts to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.

[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.

Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/
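
As an added illustration of the reporting mechanism described above (not part of the original story or the ghacks article): a site names a `report-uri` in its policy, browsers POST JSON violation reports to it, and the webmaster has to sort them. The policy, the report bodies, the category names and the extension-scheme heuristic are assumptions constructed for this example.

```javascript
// Constructed policy a site might send in its Content-Security-Policy header.
const POLICY = "default-src 'self'; script-src 'self'; report-uri /csp-report";

// Assumption: violations caused by browser extensions show an extension
// scheme in blocked-uri or source-file. Treat this as a heuristic only.
const EXTENSION_SCHEMES = ["moz-extension", "chrome-extension", "safari-extension"];

function hasExtensionScheme(value) {
  return EXTENSION_SCHEMES.some(s => value === s || value.startsWith(s + ":"));
}

// Classify one report body, i.e. the JSON a browser POSTs to the report-uri.
function classifyReport(body) {
  let report;
  try {
    report = JSON.parse(body)["csp-report"];
  } catch (err) {
    return "malformed";
  }
  if (!report || typeof report !== "object") return "malformed";
  const blocked = String(report["blocked-uri"] || "");
  const source = String(report["source-file"] || "");
  if (hasExtensionScheme(blocked) || hasExtensionScheme(source)) return "client-extension";
  if (blocked === "inline" || blocked === "eval") return "inline-or-eval";
  return "external-resource";
}

// Count reports per category so client-side noise is separated from findings.
function summarize(bodies) {
  const counts = {};
  for (const body of bodies) {
    const kind = classifyReport(body);
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

// Helper that wraps constructed fields in the report envelope.
const sample = fields => JSON.stringify({
  "csp-report": { "document-uri": "https://site.example/", "original-policy": POLICY, ...fields }
});

// Constructed sample reports (not real traffic).
const SAMPLE_REPORTS = [
  sample({ "violated-directive": "script-src 'self'", "blocked-uri": "inline" }),
  sample({ "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.thirdparty.example/lib.js" }),
  sample({ "blocked-uri": "inline", "source-file": "moz-extension://constructed-id/content.js" }),
  sample({ "violated-directive": "script-src 'self'", "blocked-uri": "eval" }),
  "not json",
];

console.log(summarize(SAMPLE_REPORTS));
```
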


  • (Score: 2) by Pino P on Monday October 23 2017, @03:55PM (4 children)

    by Pino P (4721) on Monday October 23 2017, @03:55PM (#586377) Journal

    That doesn't mean that, just because I find some code useful, that I must then allow all code to run

    Agreed. But how should an end user go about determining which code is trustworthy to run?

  • (Score: 2) by KilroySmith on Monday October 23 2017, @05:18PM

    by KilroySmith (2113) on Monday October 23 2017, @05:18PM (#586423)

    I'm computer savvy, fairly well-read on the privacy and security issues of running web scripts on my PC, and even I have no idea how to go about determining which code is trustworthy to run. So, by default, I block it all, and decide on a case-by-case basis whether to allow a script to run so that I can access content, or to leave it blocked and forgo the content because my risk-reward judgement decides it's not worth it. And even when I do run scripts, I love NoScript's granularity in temporarily allowing scripts from the site I'm visiting, while leaving scripts from ad and tracking networks blocked. I just hate the occasional annoyance of temporarily allowing one site's scripts, see the site still isn't displaying correctly, enable another set of scripts, see the site is still broken, repeat ad infinitum.

  • (Score: 0) by Anonymous Coward on Monday October 23 2017, @06:01PM (2 children)

    by Anonymous Coward on Monday October 23 2017, @06:01PM (#586459)

    But how should an end user go about determining which code is trustworthy to run?

    Isn't that why they're trying to teach basic comp sci to everyone?

    • (Score: 0) by Anonymous Coward on Monday October 23 2017, @06:37PM

      by Anonymous Coward on Monday October 23 2017, @06:37PM (#586480)
      Basic computer science would tell you that solving the halting problem is impossible ;).

      "which code is trustworthy to run?" is similar to the halting problem. Except that in many cases you don't get the full code and inputs till you run the initial code. Heck you might never get the full code either.

      Of course in that case you can probably deduce that particular code is not safe to run, but you might go all the way and decide that no javascript is safe to run.

      A workaround of course is to sandbox and restrict stuff (solving the halting problem by making sure that everything will halt even if the code isn't written that way ;) ). CSP was supposed to be one of those tools to help limit damage.
    • (Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @09:15PM

      by Anonymous Coward on Monday October 23 2017, @09:15PM (#586577)

      They're not. They're mostly just teaching people to use Microsoft and Apple tools and calling it computer science.