Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday October 23 2017, @09:09AM   Printer-friendly
from the Digital-Arms-Race dept.

Submitted via IRC for TheMightyBuzzard

The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.

CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.

CSP reports any attempt of interfering with the site's policies in regards to scripts to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.

[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.

Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Monday October 23 2017, @08:15PM (1 child)

    by Anonymous Coward on Monday October 23 2017, @08:15PM (#586540)

    You still don't get it. How does your site know what third party content is active and what isn't? It's not magic. Something has to decide and filter out the active and tracking stuff. Like the img tags. You want the comments to be static and have no tracking stuff but how do you achieve it while allowing other features? You use filters and other methods.

    Those filters may not be perfect and stuff is not always handled the same by different browsers- compare firefox and chrome rendering of the subject line of this comment: https://soylentnews.org/comments.pl?noupdate=1&sid=22181&page=1&cid=586530#commentwrap [soylentnews.org]

    The filters might work well enough today. But will they work in the future as the browser makers keep adding stuff (and sometimes differently)?

    Stuff like CSP was supposed to be second layer of defense. So when the filters fail the browsers might still not run the active/tracking stuff. Because the site told the browser "there's not supposed to be any active stuff in the comments".

  • (Score: 2) by Pino P on Tuesday October 24 2017, @01:41PM

    by Pino P (4721) on Tuesday October 24 2017, @01:41PM (#586841) Journal

    How does your site know what third party content is active and what isn't?

    If a particular media type is capable of running an unvetted computer program, it is active content. This means application/javascript is active, and text/html is also active because it can contain a <script> element that transcludes a resource of type application/javascript.

    Something has to decide and filter out the active and tracking stuff. Like the img tags.

    Many consider the <img> elements to be benign because they do not cause the browser to run an unvetted computer program.

    Stuff like CSP was supposed to be second layer of defense.

    I agree. But not all third-party content is equal. Some is trusted by the site owner but not necessarily by the viewer, such as scripts associated with third-party analytics and third-party advertising. Some is trusted by neither, such as comments. Things like CSP are primarily aimed at the "trusted by neither" case, though the Report-Only part is for resources trusted by the site owner.