Stories
Slash Boxes
Comments

SoylentNews is people

uBlock Origin Criticized for Blocking Content Security Policy

posted by Fnord666 on Monday October 23 2017, @09:09AM   Printer-friendly
from the Digital-Arms-Race dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.

CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.

CSP reports any attempt of interfering with the site's policies in regards to scripts to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.

[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.

Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/

Original Submission

 
This discussion has been archived. No new comments can be posted.
uBlock Origin Criticized for Blocking Content Security Policy | Log In/Create an Account | Top | 89 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @08:41PM (2 children)

    by Anonymous Coward on Monday October 23 2017, @08:41PM (#586560)

    Perhaps the intent was "Stop using third-party active content

    Intent? The browser ultimately decides what is active content. Not you, not Runaway, nor the site's filters. Without stuff like CSP the browser can't know anything about the site's intent.

    You may wish for the content to be static but something has to enforce that. If that stuff doesn't succeed, what you and the site thinks should be static content could still be considered by the browser to be active content.

    Hackers try to find exploitable differences/gaps between the filters and the various browsers.

    Starting Score:    0  points
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Total Score:   1  

  • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:14PM (1 child)

    by urza9814 (3954) on Tuesday October 24 2017, @01:14PM (#586832) Journal

    You have the browser block third-party content. Period.

    Soylent comments are NOT third-party content in that context. They're served directly from SoylentNews.org.

    Sure, you could drop an iframe or script tag in there...but either you're linking to another page on SoylentNews.org, which I already trust, or you're linking to a third-party website, which my browser won't load. Of course, Soylent rightly blocks those tags to begin with, so that's kind of a moot point anyway.

    And if the site is done properly, "new features" won't really matter. You whitelist allowed tags in user content, you don't blacklist potentially harmful ones. And you can also use things like doctype tags to tell the browser which version of the spec to use when interpreting the page, so if new versions of the specs add new features it doesn't matter because your page is fixed to one specific version.

    • (Score: 3, Touché) by Pino P on Tuesday October 24 2017, @01:51PM

      by Pino P (4721) on Tuesday October 24 2017, @01:51PM (#586847) Journal

      And you can also use things like doctype tags to tell the browser which version of the spec to use when interpreting the page

      The HTML5 doctype is <!DOCTYPE HTML>. This tag doesn't include a version. Or what am I missing?

      Even the HTML 4 doctype didn't include versions of standards included by reference, such as a CSS version or a Unicode version.