SoylentNews is people
SoylentNews
Submitted via IRC for TheMightyBuzzard
The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.
CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.
CSP reports any attempt of interfering with the site's policies in regards to scripts to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.
[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.
Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/
(Score: 2) by Pino P on Monday October 23 2017, @07:40PM (5 children)
Perhaps the intent was "Stop using third-party active content, such as third-party JavaScript and third-party WebAssembly." Or perhaps it was "Stop using content for which a third party can log requests, such as third-party images, third-party fonts, and third-party iframes."
Take <img> for example. If an HTML document transcludes an image using the <img> element, the operator of a server can see the IPv4 or IPv6 address of the person, the URL of the document that transcludes the image (Referer:), and whatever other identifying information the browser ends up including in HTTP headers. The possibility of this sort of tracking is part of why third-party content on SoylentNews (that is, the comments) doesn't allow the <img> element.
(Score: 0) by Anonymous Coward on Monday October 23 2017, @08:15PM (1 child)
You still don't get it. How does your site know what third party content is active and what isn't? It's not magic. Something has to decide and filter out the active and tracking stuff. Like the img tags. You want the comments to be static and have no tracking stuff but how do you achieve it while allowing other features? You use filters and other methods.
Those filters may not be perfect and stuff is not always handled the same by different browsers- compare firefox and chrome rendering of the subject line of this comment: https://soylentnews.org/comments.pl?noupdate=1&sid=22181&page=1&cid=586530#commentwrap [soylentnews.org]
The filters might work well enough today. But will they work in the future as the browser makers keep adding stuff (and sometimes differently)?
Stuff like CSP was supposed to be second layer of defense. So when the filters fail the browsers might still not run the active/tracking stuff. Because the site told the browser "there's not supposed to be any active stuff in the comments".
(Score: 2) by Pino P on Tuesday October 24 2017, @01:41PM
If a particular media type is capable of running an unvetted computer program, it is active content. This means application/javascript is active, and text/html is also active because it can contain a <script> element that transcludes a resource of type application/javascript.
Many consider the <img> elements to be benign because they do not cause the browser to run an unvetted computer program.
I agree. But not all third-party content is equal. Some is trusted by the site owner but not necessarily by the viewer, such as scripts associated with third-party analytics and third-party advertising. Some is trusted by neither, such as comments. Things like CSP are primarily aimed at the "trusted by neither" case, though the Report-Only part is for resources trusted by the site owner.
(Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @08:41PM (2 children)
Intent? The browser ultimately decides what is active content. Not you, not Runaway, nor the site's filters. Without stuff like CSP the browser can't know anything about the site's intent.
You may wish for the content to be static but something has to enforce that. If that stuff doesn't succeed, what you and the site thinks should be static content could still be considered by the browser to be active content.
Hackers try to find exploitable differences/gaps between the filters and the various browsers.
(Score: 2) by urza9814 on Tuesday October 24 2017, @01:14PM (1 child)
You have the browser block third-party content. Period.
Soylent comments are NOT third-party content in that context. They're served directly from SoylentNews.org.
Sure, you could drop an iframe or script tag in there...but either you're linking to another page on SoylentNews.org, which I already trust, or you're linking to a third-party website, which my browser won't load. Of course, Soylent rightly blocks those tags to begin with, so that's kind of a moot point anyway.
And if the site is done properly, "new features" won't really matter. You whitelist allowed tags in user content, you don't blacklist potentially harmful ones. And you can also use things like doctype tags to tell the browser which version of the spec to use when interpreting the page, so if new versions of the specs add new features it doesn't matter because your page is fixed to one specific version.
(Score: 3, Touché) by Pino P on Tuesday October 24 2017, @01:51PM
The HTML5 doctype is <!DOCTYPE HTML>. This tag doesn't include a version. Or what am I missing?
Even the HTML 4 doctype didn't include versions of standards included by reference, such as a CSS version or a Unicode version.