
SoylentNews is people

posted by Fnord666 on Monday October 23 2017, @09:09AM
from the Digital-Arms-Race dept.

Submitted via IRC for TheMightyBuzzard

The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.

CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.

CSP reports any attempt to interfere with the site's script policies to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.

[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.

Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/
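The summary above describes CSP's report-uri mechanism and the complaint that an extension rewriting a page (here, a neutered analytics script) can trigger or suppress those reports. The following is an added example, not code from uBlock Origin, ghacks, or SoylentNews: a minimal report receiver that parses the JSON a browser POSTs to report-uri and sorts reports into buckets, so that noise caused by a browser extension is not mistaken for a script injection. The `/csp-report` endpoint, the extension-scheme list, the category names, and all sample reports are assumptions constructed for illustration; whether a browser exposes an extension scheme in `source-file` or `blocked-uri` varies by browser.

```javascript
// Added example (not code from uBlock Origin, ghacks or SoylentNews): a small
// CSP report-uri receiver that parses violation reports and sorts them into
// buckets, so that reports caused by a browser extension rewriting a page are
// not mistaken for an injection attempt. Endpoint path, category names and the
// sample reports are constructed for illustration.

// A CSP that whitelists first-party scripts plus one analytics origin and asks
// the browser to POST violations to reportPath (hypothetical endpoint).
function buildCspHeader(reportPath) {
  return [
    "default-src 'self'",
    "script-src 'self' https://www.google-analytics.com",
    `report-uri ${reportPath}`,
  ].join('; ');
}

// URL schemes that only a browser extension can produce (assumption: the UA
// exposes them in source-file / blocked-uri; not every browser does).
const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-extension:', 'ms-browser-extension:'];

// Parse the JSON body a browser POSTs to report-uri ({"csp-report": {...}}).
// Returns null for anything that is not a well-formed report.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  const str = (key) => (typeof r[key] === 'string' ? r[key] : '');
  return {
    documentUri: str('document-uri'),
    violatedDirective: str('violated-directive') || str('effective-directive'),
    blockedUri: str('blocked-uri'),
    sourceFile: str('source-file'),
  };
}

// Classify a parsed report. The categories are this example's own, not a standard.
function triageReport(report) {
  if (!report) return 'malformed';
  const fromExtension = [report.sourceFile, report.blockedUri].some(
    (u) => EXTENSION_SCHEMES.some((scheme) => u.startsWith(scheme)),
  );
  if (fromExtension) return 'extension-noise';
  // Older browsers send the whole directive text ("script-src 'self'"); keep the name only.
  const directive = report.violatedDirective.split(' ')[0];
  if (directive !== 'script-src') return 'other';
  // An inline script blocked with no origin information could be a
  // content-rewriting extension or a real injection; it needs a human look.
  if (report.blockedUri === 'inline' || report.blockedUri === 'eval') return 'inline-ambiguous';
  return 'script-injection';
}

// Count categories over a batch of raw POST bodies.
function summarize(bodies) {
  const counts = {};
  for (const body of bodies) {
    const category = triageReport(parseCspReport(body));
    counts[category] = (counts[category] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports (not captured from any real site).
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': 'script-src', 'blocked-uri': 'https://evil.example/skimmer.js' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': 'script-src', 'blocked-uri': 'inline', 'source-file': 'moz-extension://0123abcd/content.js' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': "script-src 'self'", 'blocked-uri': 'inline' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': 'style-src', 'blocked-uri': 'https://fonts.example/x.css' } }),
  '{"not": "a report"}',
  'this is not json',
];

console.log(buildCspHeader('/csp-report'));
console.log(summarize(SAMPLE_REPORTS));
```

The design choice worth noting is the `inline-ambiguous` bucket: a blocked inline script with no extension scheme attached looks identical whether an extension rewrote the page or an attacker injected markup, so the receiver flags it for review rather than alerting on it. Reports are also advisory only, since the user agent may decline to send them at all, so a quiet report endpoint is not evidence that no injection occurred.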



  • (Score: 3, Informative) by Anonymous Coward on Monday October 23 2017, @04:31PM (#586397)

    The coverage and whatnot are leaving much of the story out, just like when uBO was discovered to be blocking websockets. Basically, this was an agenda-driven opportunity to smear uBO, and the guilty parties (Troy Hunt and Scott Helme) are way better at PR than Gorhill. It is almost identical to the arguments mounted by the pro-websocket people (led by pornhub's parent) about the usefulness and how it isn't currently being used for ads and tracking. Here are the real facts, but I'll leave it to you to RTFA for the sources, unless I have more time later.

    1. Bug reporter runs a service that sells CSP reporting, which seems to suggest that you need to pay money to use it.
    2. Other crusader (Troy Hunt) is, for all intents and purposes, anti-adblocking after a battle between himself and easylist on his blog.
    3. Because of the way uBO works, it used to cause certain (NOT ALL) pages to fire CSP reports due to its blocking efforts.
    4. If uBO determines that its blocking action would cause a CSP report to be fired, it would block all CSPs from a page (yes, even legitimate ones).
    5. If a CSP report was fired off for a page uBO's actions would not cause a CSP report for, it wouldn't block them.
    6. The CSP specifications state that CSP reports should be blockable by the user agent anyway (the thinking is that you really only need one from somewhere and most won't block)
    7. This does not disable CSP, as

    Well, Scott throws a hissy and enlists Troy to try and beat uBO into submission in the press (most notably the Register). Gorhill stands firm in his pro-user stance, but takes another look at the problem anyway. They consider that not good enough and ignore the whole UA choice to send them and a hypothetical about how they can be used for tracking, because he has a hypothetical where they stopped the bad guys. Regardless, as a result, uBO now does this:

    1. There is now a setting to block all CSP reports or allow those through that are considered legitimate based on either a whitelist or blacklist process.
    2. uBO will still block CSP reports that it determines to have possibly been caused by its actions.
    3. uBO will respect the user decision regarding CSP reports that it is not sure about.
    4. There are now eyeballs on adding a csp_report filter to lists to prevent tracking.
    5. There is a bug report in all three browsers to allow more fine-grained control.
