Submitted via IRC for TheMightyBuzzard
The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.
CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.
CSP reports any attempt to interfere with the site's policies regarding scripts to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.
[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.
Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/
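The reporting mechanism described in the summary above, shown from the webmaster's side as an added example (not code from the article, from uBlock Origin, or from any site mentioned): it parses violation reports in the JSON format browsers POST to a `report-uri` endpoint and counts them per directive and blocked origin. The function names, host names and sample reports are constructed, and treating an extension URL scheme as a sign of extension-injected content is an assumed heuristic.

```javascript
// Added example: triage of CSP violation reports (report-uri JSON format); all sample data is constructed.
const EXTENSION_SCHEMES = ["chrome-extension", "moz-extension", "safari-extension"];

// Reduce a URI, or a bare keyword such as "inline" or "data", to a grouping key.
function originOf(uri) {
  if (!uri) return "(empty)";
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^\/?#]*))?/i.exec(uri);
  if (!m) return uri;
  const scheme = m[1].toLowerCase();
  return m[2] ? `${scheme}://${m[2].toLowerCase()}` : scheme;
}

// Parse one POST body; returns null for anything that is not a usable report.
function parseReport(body) {
  let doc;
  try { doc = JSON.parse(body); } catch (e) { return null; }
  const r = doc && doc["csp-report"];
  if (!r || typeof r !== "object") return null;
  const directive = r["effective-directive"] || r["violated-directive"];
  if (typeof directive !== "string" || typeof r["document-uri"] !== "string") return null;
  const blocked = originOf(String(r["blocked-uri"] || ""));
  const source = originOf(String(r["source-file"] || ""));
  // Heuristic (assumption): an extension scheme in either field marks injected extension content.
  const fromExtension = [blocked, source].some((o) => EXTENSION_SCHEMES.includes(o.split(":")[0]));
  return { page: r["document-uri"], directive: directive.split(" ")[0], blocked, fromExtension };
}

// Count violations per (directive, blocked origin); extension noise is kept apart.
function triage(bodies) {
  const out = { site: {}, extension: {}, rejected: 0 };
  for (const body of bodies) {
    const r = parseReport(body);
    if (!r) { out.rejected += 1; continue; }
    const bucket = r.fromExtension ? out.extension : out.site;
    const key = `${r.directive} ${r.blocked}`;
    bucket[key] = (bucket[key] || 0) + 1;
  }
  return out;
}

const wrap = (r) => JSON.stringify({ "csp-report": r });
const SAMPLE_BODIES = [ // constructed reports, not captured traffic
  wrap({ "document-uri": "https://shop.example/cart", "violated-directive": "script-src 'self'", "blocked-uri": "https://unlisted.example/x.js" }),
  wrap({ "document-uri": "https://shop.example/pay", "violated-directive": "script-src 'self'", "blocked-uri": "https://unlisted.example/y.js" }),
  wrap({ "document-uri": "https://shop.example/", "effective-directive": "script-src", "blocked-uri": "inline", "source-file": "moz-extension://0000/content.js" }),
  "not json",
];
console.log(triage(SAMPLE_BODIES));
```

The report body is attacker-reachable input, so the parser rejects anything malformed instead of trusting field types.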
(Score: 4, Interesting) by RamiK on Monday October 23 2017, @04:30PM
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-koppe.pdf [usenix.org]
You can serve a script injecting microcode past the sandboxing. And considering SMM and AMT have their own mode instructions, I bet you can go all the way to ring-3 and own the machine in ways that would make an NSA contractor defect screaming "They're made out of people!".
And that paper was released separately from sandsifter [github.com]. So imagine what would happen when hackers catch up and realize they can probe their chips for microcode and reverse it...
So, you're telling me the uBlock guy is wrong to block those scripts? I say, he should be defaulting on forcing people to read through each and every piece of JS to accept them like EULAs before allowing it to run.
compiling...