posted by Fnord666 on Monday October 23 2017, @09:09AM   Printer-friendly
from the Digital-Arms-Race dept.

Submitted via IRC for TheMightyBuzzard

The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.

CSP, Content Security Policy, can be used by web developers to whitelist code that is allowed to run on web properties. The idea behind the feature is to prevent attackers from injecting JavaScript on websites protected by CSP.

CSP reports any attempt to interfere with the site's script policies to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.

[...] Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.

Source: https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/


  • (Score: 5, Insightful) by Anonymous Coward on Monday October 23 2017, @09:21AM (34 children)

    by Anonymous Coward on Monday October 23 2017, @09:21AM (#586246)

    If ublock is preventing the browser from enforcing CSP stuff like "please let me know if the user's browser is removing ads/malware/crapware" then that's what I want ublock to do.

    Seems like the people designing CSP added a bit of overreach: https://mathiasbynens.be/notes/csp-reports [mathiasbynens.be]

    Now, whenever someone visits your site, and his browser blocks scripts, styles, fonts, or other resources based on your CSP configuration, it makes an HTTP POST request to /csp-hotline.php passing along a JSON-formatted report of the violation.

    To me it's only an issue if the CSP limits an iframe to certain things but ublock somehow makes the CSP more lenient and the iframe can suddenly run more dangerous stuff.

    So the real news here is CSP doing stuff that is less likely to protect the user, which to me deviates from what CSP was originally supposed to do - protect users from malicious 3rd party content:

    prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
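The summary above and the mathiasbynens note quoted in this comment both describe the same mechanism: the browser POSTs a JSON body to the site's `report-uri` whenever the policy blocks something. What neither shows is what that body looks like, or what a site has to do with it before treating a report as evidence of an injection. The point the summary makes about uBlock Origin is that the report channel cannot tell the user's own extension from an attacker, so a receiver needs triage. The following is an added example, not code from ghacks, uBlock Origin or any commenter; the policy, endpoint path `/csp-report`, hostname `news.example` and sample report bodies are all constructed for the illustration.

```javascript
// Added example: a minimal receiver for the JSON reports a browser POSTs to a
// report-uri endpoint, with the triage a site needs before acting on one.

// A policy of the kind the article describes (constructed). `report-uri` is the
// legacy reporting directive; the newer `report-to` delivers the same data.
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "report-uri /csp-report";

// Fields every report-uri body carries inside its "csp-report" wrapper.
const REQUIRED = ["document-uri", "violated-directive", "blocked-uri"];

// Parse one POST body (Content-Type: application/csp-report).
// Returns null for anything malformed so junk is dropped rather than stored.
function parseCspReport(body) {
  let json;
  try { json = JSON.parse(body); } catch { return null; }
  const r = json && json["csp-report"];
  if (!r || typeof r !== "object") return null;
  for (const f of REQUIRED) if (typeof r[f] !== "string") return null;
  return {
    documentUri: r["document-uri"],
    // Older browsers send only the full directive text; keep just the name.
    directive: r["effective-directive"] || r["violated-directive"].split(" ")[0],
    blockedUri: r["blocked-uri"],                // a URL, or "inline" / "eval"
    sourceFile: r["source-file"] || "",
    sample: r["script-sample"] || "",
    disposition: r["disposition"] || "enforce",  // "report" under Report-Only
  };
}

// Resources injected by a browser extension commonly show up labelled with the
// extension's own URL scheme. Those are the user's doing, not an injection.
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:"];

function classify(report) {
  const urls = [report.blockedUri, report.sourceFile];
  if (urls.some(u => EXTENSION_SCHEMES.some(s => u.startsWith(s)))) return "extension-noise";
  // "inline" is ambiguous: an XSS payload and an inline script an extension
  // substituted for a blocked one look identical from the server's side.
  if (report.blockedUri === "inline" || report.blockedUri === "eval") return "inline-or-eval";
  return "external-resource";
}

// Constructed sample bodies, as a browser would POST them to /csp-report.
const SAMPLE_BODIES = [
  // 1. A script from an unknown host: the case reporting exists for.
  JSON.stringify({ "csp-report": {
    "document-uri": "https://news.example/comments.pl?sid=1",
    "violated-directive": "script-src 'self'", "effective-directive": "script-src",
    "blocked-uri": "https://attacker.invalid/x.js", "disposition": "enforce" } }),
  // 2. Inline script: could be XSS, could be something an extension injected.
  JSON.stringify({ "csp-report": {
    "document-uri": "https://news.example/", "violated-directive": "script-src 'self'",
    "blocked-uri": "inline", "script-sample": "alert(document.cookie)" } }),
  // 3. A resource requested by an extension's content script.
  JSON.stringify({ "csp-report": {
    "document-uri": "https://news.example/", "violated-directive": "img-src 'self'",
    "blocked-uri": "moz-extension://0123abcd-0000-4000-8000-000000000000/icon.png",
    "source-file": "moz-extension://0123abcd-0000-4000-8000-000000000000/content.js" } }),
  // 4. Not a report at all; endpoints receive plenty of these.
  "<html>nope</html>",
];

// Count what a batch of bodies contains, by class, dropping malformed ones.
function triage(bodies) {
  const out = { accepted: 0, dropped: 0, byClass: {} };
  for (const body of bodies) {
    const rep = parseCspReport(body);
    if (!rep) { out.dropped++; continue; }
    out.accepted++;
    const cls = classify(rep);
    out.byClass[cls] = (out.byClass[cls] || 0) + 1;
  }
  return out;
}
```

Running `triage(SAMPLE_BODIES)` accepts three reports and drops the junk body; only the first report is the kind of event a site can act on. The "inline" class is the one worth thinking about: a site that alerts on every inline violation will page itself for every visitor running a script-substituting extension, which is the noise the summary says uBlock Origin chose to suppress at its end.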

    • (Score: 2, Insightful) by Anonymous Coward on Monday October 23 2017, @10:18AM (30 children)

      by Anonymous Coward on Monday October 23 2017, @10:18AM (#586252)

      deviates from what CSP was originally supposed to do - protect users from malicious 3rd party content:

      Are you really that naive?
      Anyone who wants to protect users from "malicious 3rd party content" can do it in an instant: just stop serving to users 3rd party content. Or if he/she/it really cares about security, here is a trivial, reliable solution: stop forcing users to run shitty javascripts on security-sensitive pages. Just stop.
      Anything else is security theater for gullible fools. With an additional aim to screw them once more.

      • (Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @11:22AM (27 children)

        by Anonymous Coward on Monday October 23 2017, @11:22AM (#586273)
        Are you really that stupid?

        You = first party
        Soylentnews/Webmail = second party
        Message you are reading = third party

        Different browsers could interpret "Message you are reading" differently. The HTML/etc escaping/filtering library used by the second party site might also interpret it differently.

        CSP is supposed to be the "brake pedal" while the W3C keep coming up with "Go Pedals". In the days before CSP, to prevent bad stuff from happening, second party sites had to make sure all the Go Pedals were not pressed. But what about future Go Pedals?

        By having something like CSP you could say "No javascript allowed here" and all browsers that support CSP in a sane way would not allow javascript in that place even if the W3C came up with new "Go Pedals" in the future and javascript got past the site's escaping library (whether due to the library not taking new stuff into account or the browser not implementing things the same way).
        • (Score: 1, Insightful) by Anonymous Coward on Monday October 23 2017, @12:31PM (1 child)

          by Anonymous Coward on Monday October 23 2017, @12:31PM (#586300)

          By having something like CSP you could say "No javascript allowed here" and all browsers that support CSP in a sane way would not allow javascript in that place even if the W3C came up with new "Go Pedals" in the future and javascript got past the site's escaping library (whether due to the library not taking new stuff into account or the browser not implementing things the same way).

          And what does that have to do with the browser reporting back to the site?

          • (Score: 0) by Anonymous Coward on Monday October 23 2017, @01:38PM

            by Anonymous Coward on Monday October 23 2017, @01:38PM (#586318)
            That's what you should ask the CSP designers who added that "feature".
        • (Score: 1, Insightful) by Anonymous Coward on Monday October 23 2017, @01:57PM (1 child)

          by Anonymous Coward on Monday October 23 2017, @01:57PM (#586322)

          Different browsers could interpret "Message you are reading" differently. The HTML/etc escaping/filtering library used by the second party site might also interpret it differently.

          And if you are concerned about security, you do not offer a crazy attack surface, to then play at "mitigation". You do plain things in plain ways and avoid corner cases and do not do any clever shit.
          Then you've no need to invent crap excuses with "pedals" and other series of tubes.

          • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:14PM

            by Anonymous Coward on Monday October 23 2017, @05:14PM (#586418)
            Tell that to the W3C and browser developers.
        • (Score: 5, Insightful) by Runaway1956 on Monday October 23 2017, @02:59PM (21 children)

          by Runaway1956 (2926) Subscriber Badge on Monday October 23 2017, @02:59PM (#586353) Journal

          I don't know how stupid GP might be - but you're not making any points with your post. Third party hosting of anything introduces potential exploits. Stop using third party anything at all. Just stop. And, DO NOT expect my browser to make any kind of reports to any of those third parties. It ain't happening.

          Want to know what happens when your site doesn't work on my computer? Noscript warns me that two CDNs and four ad companies all want to run code on my machine, along with a couple dozen other sites that I don't even recognize. (alright, so maybe I recognize some of them, but I often see sites that are complete mysteries) So, what do I do? I just close the damned tab. Whatever brought me to your site just isn't important enough for me to run script written by aliens from Andromeda. Or, Lizard people. Or, NSA goons. Your shit just isn't that impressive, so I close the tab, and you've lost a hit.

          I hope your children all die of starvation due to people like me, who just close the fucking tab.

          • (Score: 2) by Pino P on Monday October 23 2017, @03:12PM (18 children)

            by Pino P (4721) on Monday October 23 2017, @03:12PM (#586361) Journal

            So, what do I do? I just close the damned tab.

            If the only provider (or all providers) of a particular kind of good or service to your area requires use of a third-party script, such as Google reCAPTCHA as an anti-botspam measure, do you instead do without that good or service? For example, if the local electric power utility offers a choice of electronic ACH payment with third-party scripts or check payment with a $5 per month surcharge for a paper bill, do you instead accept the surcharge?

            • (Score: 2) by Runaway1956 on Monday October 23 2017, @05:16PM (15 children)

              by Runaway1956 (2926) Subscriber Badge on Monday October 23 2017, @05:16PM (#586420) Journal

              Neither. I can go to my bank, and set up a recurring periodic payment. If my bank didn't provide that service, then I would probably be in contact with $monopoly about their billing practices. I would seriously consider dropping the service that $monopoly provides. I would most definitely be searching for alternatives.

              Funny that you imply that it is alright for the $monopoly to use coercion, to force me to conform to their preferred business and billing practices. That coercion, in some people's minds, might justify some questionably legal measures as punishment. Now that I think about it, I haven't visited 4chan or any of Anonymous' various haunts in some time now . . . Tell me, how do you feel about someone, such as Anonymous, coercing $monopoly to use fair business and billing practices?

              • (Score: 2) by Pino P on Monday October 23 2017, @05:57PM (14 children)

                by Pino P (4721) on Monday October 23 2017, @05:57PM (#586455) Journal

                I can go to my bank, and set up a recurring periodic payment.

                How does your bank know how much of the utility you used in order to know how much to pay the utility?

                I would seriously consider dropping the service that $monopoly provides. I would most definitely be searching for alternatives.

                In a city in the industrialized world, what's the alternative to electric power, running water, or wired Internet? Solar, a well, and satellite Internet aren't adequate substitutes for everyone.

                • (Score: 0) by Anonymous Coward on Monday October 23 2017, @07:14PM (8 children)

                  by Anonymous Coward on Monday October 23 2017, @07:14PM (#586496)

                  An easier example: your comment is third party content to Runaway and everyone else reading it.

                  And he got modded 5 insightful for saying stuff like:

                  Stop using third party anything at all.

                  Runaway and those who modded him up don't realize that most comments in SN are third party content.

                  Looks like lots of people here don't know much about IT security.

                  They don't seem to realize that quite a lot of things are done to make a third party comment safe to be read, while allowing Unicode (😀 ), bold text, hyperlinks, etc.
                  See: http://websec.github.io/unicode-security-guide/character-transformations/ [github.io]

                  Sometimes those things fail and stuff gets through.

                  🛑

                  • (Score: 2) by Pino P on Monday October 23 2017, @07:40PM (5 children)

                    by Pino P (4721) on Monday October 23 2017, @07:40PM (#586512) Journal

                    Runaway and those who modded him up don't realize that most comments in SN are third party content.

                    Perhaps the intent was "Stop using third-party active content, such as third-party JavaScript and third-party WebAssembly." Or perhaps it was "Stop using content for which a third party can log requests, such as third-party images, third-party fonts, and third-party iframes."

                    Take <img> for example. If an HTML document transcludes an image using the <img> element, the operator of a server can see the IPv4 or IPv6 address of the person, the URL of the document that transcludes the image (Referer:), and whatever other identifying information the browser ends up including in HTTP headers. The possibility of this sort of tracking is part of why third-party content on SoylentNews (that is, the comments) doesn't allow the <img> element.

                    • (Score: 0) by Anonymous Coward on Monday October 23 2017, @08:15PM (1 child)

                      by Anonymous Coward on Monday October 23 2017, @08:15PM (#586540)

                      You still don't get it. How does your site know what third party content is active and what isn't? It's not magic. Something has to decide and filter out the active and tracking stuff. Like the img tags. You want the comments to be static and have no tracking stuff but how do you achieve it while allowing other features? You use filters and other methods.

                      Those filters may not be perfect and stuff is not always handled the same by different browsers - compare Firefox and Chrome rendering of the subject line of this comment: https://soylentnews.org/comments.pl?noupdate=1&sid=22181&page=1&cid=586530#commentwrap [soylentnews.org]

                      The filters might work well enough today. But will they work in the future as the browser makers keep adding stuff (and sometimes differently)?

                      Stuff like CSP was supposed to be a second layer of defense. So when the filters fail the browsers might still not run the active/tracking stuff. Because the site told the browser "there's not supposed to be any active stuff in the comments".

                      • (Score: 2) by Pino P on Tuesday October 24 2017, @01:41PM

                        by Pino P (4721) on Tuesday October 24 2017, @01:41PM (#586841) Journal

                        How does your site know what third party content is active and what isn't?

                        If a particular media type is capable of running an unvetted computer program, it is active content. This means application/javascript is active, and text/html is also active because it can contain a <script> element that transcludes a resource of type application/javascript.

                        Something has to decide and filter out the active and tracking stuff. Like the img tags.

                        Many consider the <img> elements to be benign because they do not cause the browser to run an unvetted computer program.

                        Stuff like CSP was supposed to be second layer of defense.

                        I agree. But not all third-party content is equal. Some is trusted by the site owner but not necessarily by the viewer, such as scripts associated with third-party analytics and third-party advertising. Some is trusted by neither, such as comments. Things like CSP are primarily aimed at the "trusted by neither" case, though the Report-Only part is for resources trusted by the site owner.

                    • (Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @08:41PM (2 children)

                      by Anonymous Coward on Monday October 23 2017, @08:41PM (#586560)

                      Perhaps the intent was "Stop using third-party active content

                      Intent? The browser ultimately decides what is active content. Not you, not Runaway, nor the site's filters. Without stuff like CSP the browser can't know anything about the site's intent.

                      You may wish for the content to be static but something has to enforce that. If that stuff doesn't succeed, what you and the site thinks should be static content could still be considered by the browser to be active content.

                      Hackers try to find exploitable differences/gaps between the filters and the various browsers.

                      • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:14PM (1 child)

                        by urza9814 (3954) on Tuesday October 24 2017, @01:14PM (#586832) Journal

                        You have the browser block third-party content. Period.

                        Soylent comments are NOT third-party content in that context. They're served directly from SoylentNews.org.

                        Sure, you could drop an iframe or script tag in there...but either you're linking to another page on SoylentNews.org, which I already trust, or you're linking to a third-party website, which my browser won't load. Of course, Soylent rightly blocks those tags to begin with, so that's kind of a moot point anyway.

                        And if the site is done properly, "new features" won't really matter. You whitelist allowed tags in user content, you don't blacklist potentially harmful ones. And you can also use things like doctype tags to tell the browser which version of the spec to use when interpreting the page, so if new versions of the specs add new features it doesn't matter because your page is fixed to one specific version.
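The allow-list point in the comment above (and the "filters can fail" point made further up the thread) is easier to see in code. The following sanitizer is an added example, not SoylentNews' own comment filter and not code posted by anyone in this thread. It keeps a fixed set of tags and attributes and re-serialises them itself, so anything it does not recognise, including tags a future browser might treat as active, becomes literal text instead of being passed through. The base URL `https://news.example/` is a hypothetical site used to resolve relative links. A production site should still use a maintained library such as DOMPurify; this shows the principle, not a drop-in filter.

```javascript
// Added example: an allow-list sanitizer for user comments. Unknown tags are
// escaped to text; known tags are rebuilt from scratch with only known attributes.

// A Map rather than a plain object: a plain object would answer "constructor"
// in ALLOWED via Object.prototype, and <constructor> is not a tag we want.
const ALLOWED = new Map([
  ["b", []], ["i", []], ["em", []], ["strong", []], ["p", []], ["br", []],
  ["blockquote", []], ["a", ["href"]],
]);
const SAFE_SCHEMES = ["http:", "https:", "mailto:"];
const BASE = "https://news.example/";   // hypothetical site; resolves relative hrefs

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Keep an href only if it resolves to an allowed scheme. URL parsers strip
// tab/newline before reading the scheme, so "java\nscript:" must be caught.
function safeHref(value) {
  const v = value.replace(/[\t\n\r]/g, "").trim();
  try { return SAFE_SCHEMES.includes(new URL(v, BASE).protocol) ? v : null; }
  catch { return null; }
}

const TAG = /<(\/?)([a-z][a-z0-9]*)([^<>]*)>/gi;
const ATTR = /([a-z][a-z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;

function sanitizeComment(html) {
  let out = "", last = 0;
  const open = [];                      // tags we emitted and must close
  for (const m of html.matchAll(TAG)) {
    out += escapeHtml(html.slice(last, m.index));   // text between tags is literal
    last = m.index + m[0].length;
    const closing = m[1] === "/", name = m[2].toLowerCase(), attrText = m[3];
    if (!ALLOWED.has(name)) { out += escapeHtml(m[0]); continue; }  // <script> etc. -> text
    if (closing) {
      // Close only what we opened, so a stray </b> cannot unbalance the page.
      const i = open.lastIndexOf(name);
      if (i === -1) continue;
      while (open.length > i) out += `</${open.pop()}>`;
      continue;
    }
    let attrs = "";
    for (const a of attrText.matchAll(ATTR)) {
      const key = a[1].toLowerCase();
      if (!ALLOWED.get(name).includes(key)) continue;   // drops onclick, style, src, ...
      const raw = a[2] ?? a[3] ?? a[4] ?? "";
      const val = key === "href" ? safeHref(raw) : raw;
      if (val !== null) attrs += ` ${key}="${escapeHtml(val)}"`;
    }
    if (name === "a") attrs += ' rel="nofollow noopener"';
    if (name === "br") { out += "<br>"; continue; }    // void element, nothing to close
    out += `<${name}${attrs}>`;
    open.push(name);
  }
  out += escapeHtml(html.slice(last));
  while (open.length) out += `</${open.pop()}>`;      // close anything left open
  return out;
}
```

With this filter `<script>alert(1)</script>` comes out as `&lt;script&gt;alert(1)&lt;/script&gt;`, `<a href="javascript:alert(1)" onclick="x()">link</a>` loses both attributes, and `<i>one <b>two</i> three` is rebalanced to `<i>one <b>two</b></i> three`. Note what it does not do: it cannot promise that no browser will ever treat one of the allowed tags as active, which is exactly the gap a CSP on the page is there to cover.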

                        • (Score: 3, Touché) by Pino P on Tuesday October 24 2017, @01:51PM

                          by Pino P (4721) on Tuesday October 24 2017, @01:51PM (#586847) Journal

                          And you can also use things like doctype tags to tell the browser which version of the spec to use when interpreting the page

                          The HTML5 doctype is <!DOCTYPE HTML>. This tag doesn't include a version. Or what am I missing?

                          Even the HTML 4 doctype didn't include versions of standards included by reference, such as a CSS version or a Unicode version.

                  • (Score: 1, Interesting) by Anonymous Coward on Monday October 23 2017, @07:59PM

                    by Anonymous Coward on Monday October 23 2017, @07:59PM (#586530)

                    Whose filters are perfect AND will stay perfect as the various consortiums and groups keep adding stuff?

                  • (Score: 0) by Anonymous Coward on Monday October 23 2017, @08:20PM

                    by Anonymous Coward on Monday October 23 2017, @08:20PM (#586546)

                    They don't seem to realize that quite a lot of things are done to make a third party comment safe to be read, while allowing Unicode (😀 ), bold text, hyperlinks, etc.

                    If you got a trojaned font installed on your system, websites are the least of your problems.
                    If a website downloads a trojaned font onto your system, it should be unable to when doing anything secure.

                    Security is NOT when you get extensive training in how to juggle dynamite sticks. Security is when you do not juggle them AT ALL.

                • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:04PM (4 children)

                  by urza9814 (3954) on Tuesday October 24 2017, @01:04PM (#586828) Journal

                  I can go to my bank, and set up a recurring periodic payment.

                  How does your bank know how much of the utility you used in order to know how much to pay the utility?

                  This is a standard service that many banks offer. The utility sends you a bill, you go to your bank's website and type in the amount, and they transfer the payment.

                  And if your bank requires third party scripts for that, you get a new bank that has a clue about security.

                  • (Score: 2) by Pino P on Tuesday October 24 2017, @01:47PM (3 children)

                    by Pino P (4721) on Tuesday October 24 2017, @01:47PM (#586845) Journal

                    This is a standard service that many banks offer. The utility sends you a bill, you go to your bank's website and type in the amount, and they transfer the payment.

                    Until you get to banks that offer different tiers of checking accounts, one with bill payment and the other without, and require a larger minimum balance to avoid a monthly service fee for the one with bill payment than for the other without.

                    And if your bank requires third party scripts for [bill payment], you get a new bank that has a clue about security.

                    Before I create an account at a bank, how do I go about seeing whether its web application for logged-in account holders requires the use of a script from a different domain? Or would you recommend that I go through the process of creating an account, set up online access, and then go through the process of closing my account once I discover that online access requires the use of a script from a different domain?

                    • (Score: 2) by urza9814 on Tuesday October 24 2017, @03:05PM (2 children)

                      by urza9814 (3954) on Tuesday October 24 2017, @03:05PM (#586892) Journal

                      Until you get to banks that offer different tiers of checking accounts, one with bill payment and the other without, and require a larger minimum balance to avoid a monthly service fee for the one with bill payment than for the other without.

                      If your bank sucks, pick a better one. I don't see the problem here...

                      Before I create an account at a bank, how do I go about seeing whether its web application for logged-in account holders requires the use of a script from a different domain? Or would you recommend that I go through the process of creating an account, set up online access, and then go through the process of closing my account once I discover that online access requires the use of a script from a different domain?

                      You could always ask them. If they get enough requests for that info, they'll probably start marketing it. But I've never seen a bank that requires third-party scripts anyway, it seems like pretty poor security practices. So judge their competency the same way you would with anything else.

                      • (Score: 2) by Pino P on Wednesday October 25 2017, @09:06PM (1 child)

                        by Pino P (4721) on Wednesday October 25 2017, @09:06PM (#587566) Journal

                        If your bank sucks, pick a better one. I don't see the problem here...

                        The problem is that all banks suck. They just suck in different ways.

                        • (Score: 2) by urza9814 on Thursday October 26 2017, @12:28PM

                          by urza9814 (3954) on Thursday October 26 2017, @12:28PM (#587774) Journal

                          So use a credit union. I've got all my money with PSECU and they're fuckin awesome. I don't think I've ever paid them a dime...no overdraft fees, no ATM fees (even ATM fees charged by other banks get refunded), no checking or debit fees, no credit card fees, no fees for the bill payer. No real minimum balance (It's $5)...and at the end of every year they pay me just for having an account.

            • (Score: 2) by stretch611 on Monday October 23 2017, @08:00PM

              by stretch611 (6199) on Monday October 23 2017, @08:00PM (#586531)

              Maybe instead of trusting 3rd party scripts people should write their own damn code.

              Even if you rely on that bloat garbage known as jQuery, maybe you should host a copy yourself.

              Even stuff like analytics can be replicated... if it is difficult for you to track which pages a client reads on your site, maybe you should learn to program. Logs are simple.

              I admit that sometimes I do use 3rd party tools in my development, but everything gets copied and hosted locally. In addition to security, it prevents something on my site breaking if a new release comes out. I can test the new release before updating the code.

              No, you can't host things like facebook's like button locally, but the idea here is to stop web tracking.

              The only exception I can think of at the moment is something like Google Maps and Re-captcha. Obviously maps is a huge undertaking, but you can always use the open version, or do it the old-fashioned way and open a link in a window. As for Re-captcha, a popular site probably needs it for bot prevention; on small scale sites, even simple math filters (e.g. 3 + 4 = (answer here)) do a good job preventing most spam bots.

              --
              Now with 5 covid vaccine shots/boosters altering my DNA :P
            • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:02PM

              by urza9814 (3954) on Tuesday October 24 2017, @01:02PM (#586826) Journal

              if the local electric power utility offers a choice of electronic ACH payment with third-party scripts or check payment with a $5 per month surcharge for a paper bill, do you instead accept the surcharge?

              Every utility I've ever seen charges an extra fee for *electronic* payments, not for paper ones. That's why I still mail out checks every month...I'm not paying a damn "processing fee" to help them reduce their staffing costs...

          • (Score: 0) by Anonymous Coward on Monday October 23 2017, @06:08PM

            by Anonymous Coward on Monday October 23 2017, @06:08PM (#586464)

            Why then are you even on Soylent News? Most comments here are 𝕋𝕙𝕚𝕣𝕕 ℙ𝕒𝕣𝕥𝕪 ℂ𝕠𝕟𝕥𝕖𝕟𝕥 (e.g. content that is not from you nor from those who run Soylent News).

            There are things that the Soylent News webapp does to filter bad/unwanted stuff from comments while allowing stuff like bold tags and some 𝓤𝓷𝓲𝓬𝓸𝓭𝓮 (e.g. rtl markers are removed). But one fine day the W3C or browser developers might do something stupid, or something was overlooked and so stuff can get through those filters.

            Stuff like CSP was originally supposed to prevent stuff like that from happening. e.g. in theory you would be able to tell the browser that it is to NEVER ever run any active stuff (javascript, flash, etc) in any of the comments. So even if one day some clever person figures out how to sneak javascript through the filters, if the browser has already been told by Soylent News (via CSP or similar) to not allow active stuff, the javascript doesn't run and the user is still protected. AND the user can still safely use the Soylent News site's javascript stuff if they want to.

            But given the CSP bunch are doing dubious shit like this, my confidence in them is decreasing. There is no need for the violation to be sent to the site at all. If the browser knows a violation has occurred (if it doesn't it wouldn't be able to send a report) the browser by default should tell the user and stop running any active crap immediately. Because in most such scenarios the user is the one who is being attacked.
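Several comments in this thread (the "brake pedal" one, the "second layer of defense" one, and the one just above) describe the same idea: the site tells the browser that only its own scripts may run, so a `<script>` that sneaks past the comment filter still does nothing. The mechanism that makes "the site's own javascript" distinguishable from injected javascript is a per-response nonce in `script-src`. The block below is an added example, not code from any browser, from SoylentNews, or from a commenter: a toy evaluator for the `script-src` directive, enough to show the nonce rule and how `Content-Security-Policy-Report-Only` turns a block into a report. It assumes a hypothetical page at `https://news.example`, uses a fixed nonce where a real server would generate a fresh random one per response, and ignores hashes, `'strict-dynamic'` and path matching, which a real browser handles.

```javascript
// Added example: a toy evaluator for the script-src half of CSP, showing why a
// nonce lets the site's scripts run while injected ones are blocked, and how
// Report-Only reports instead of blocking.

// Parse "script-src 'self' 'nonce-abc'; report-uri /r" into {directive: [sources]}.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does a scheme-source ("https:") or host-source ("*.example", "https://cdn.example:443")
// match the URL of a script?
function hostMatches(source, url) {
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== u.protocol) return false;
  const h = u.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  return !port || port === "*" || port === (u.port || defaultPort);
}

// script is { inline: true, nonce? } or { src: "https://...", nonce? }.
function scriptAllowed(sources, script, pageOrigin) {
  const nonces = sources.filter(s => /^'nonce-.+'$/.test(s)).map(s => s.slice(7, -1));
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (script.inline) {
    // Once the directive carries a nonce (or hash), 'unsafe-inline' is ignored,
    // so an inline script without the nonce is blocked even if it is listed.
    return sources.includes("'unsafe-inline'") && nonces.length === 0;
  }
  for (const s of sources) {
    if (s === "'self'" && new URL(script.src).origin === pageOrigin) return true;
    if (!s.startsWith("'") && hostMatches(s, script.src)) return true;
  }
  return false;
}

// A response may carry both headers. Returns what a browser would do:
// run the script or not, and whether a violation report would be sent.
function evaluate(headers, script, pageOrigin) {
  const decide = header => {
    if (!header) return true;
    const p = parsePolicy(header);
    const sources = p["script-src"] || p["default-src"];
    return sources ? scriptAllowed(sources, script, pageOrigin) : true;
  };
  const enforced = decide(headers.enforce);       // Content-Security-Policy
  const reportOnly = decide(headers.reportOnly);  // Content-Security-Policy-Report-Only
  return { run: enforced, report: !enforced || !reportOnly };
}

// Constructed scenario. NONCE is fixed here; a server must generate a fresh
// unguessable value per response, or an injected script can simply reuse it.
const PAGE = "https://news.example";
const NONCE = "r4nd0mPerResponse";
const HEADERS = {
  enforce: `default-src 'self'; script-src 'self' 'nonce-${NONCE}'; report-uri /csp-report`,
  reportOnly: `script-src 'nonce-${NONCE}'`,   // trial of a stricter, nonce-only policy
};
const SITE_INLINE    = { inline: true, nonce: NONCE };              // emitted by the site
const SITE_EXTERNAL  = { src: "https://news.example/js/comments.js" };
const COMMENT_INLINE = { inline: true };                            // slipped past the filter
const COMMENT_REMOTE = { src: "https://attacker.invalid/x.js" };    // likewise

function demo() {
  return {
    siteInline:    evaluate(HEADERS, SITE_INLINE, PAGE),
    siteExternal:  evaluate(HEADERS, SITE_EXTERNAL, PAGE),
    commentInline: evaluate(HEADERS, COMMENT_INLINE, PAGE),
    commentRemote: evaluate(HEADERS, COMMENT_REMOTE, PAGE),
  };
}
```

`demo()` gives the split the comment above asks for: the site's nonced script runs and is not reported, the two comment-injected scripts do not run and are reported, and the site's own external script runs under the enforced policy but is flagged by the nonce-only Report-Only policy, which is how a site finds out what a stricter policy would break before enforcing it. The report in every one of those cases goes to the site, not the user, which is the part of the design this thread objects to.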

          • (Score: 0) by Anonymous Coward on Monday October 23 2017, @09:31PM

            by Anonymous Coward on Monday October 23 2017, @09:31PM (#586589)

            +1

            my comment was going to be "boo fucking hoo" but you have properly defined why the crying doesn't affect me.

            it is not my browser's job to test some guy's website for errors and problems. he can run that script himself on his own hardware.

        • (Score: 2) by chromas on Tuesday October 24 2017, @09:03AM

          by chromas (34) Subscriber Badge on Tuesday October 24 2017, @09:03AM (#586783) Journal

          You = first party
          Soylentnews/Webmail = second party
          Message you are reading = third party

          From the browser's perspective, the message is still second-party. SN hosts and sends the message to your browser. Third party would be if SN linked in some content from AWS or Google APIs.

      • (Score: 2) by Pino P on Monday October 23 2017, @02:55PM (1 child)

        by Pino P (4721) on Monday October 23 2017, @02:55PM (#586349) Journal

        Anyone who wants to protect users from "malicious 3rd party content" can do it in an instant: just stop serving to users 3rd party content.

        If you're referring to a third-party script that a user manages to inadvertently insert through a cross-site scripting (XSS) vulnerability, preventing it from running is the main goal of CSP.

        If you're referring to a third-party script that a publisher deliberately transcludes, then why have so many websites switched from selling ad space directly to advertisers and hosting these ads to using ad networks and ad exchanges? I imagine it involves not having to find and pay salespeople, as well as greater CPM from ads that are based on an interest profile inferred through tracking a user's activity across sites than from ads that are not.

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:57PM

          by Anonymous Coward on Monday October 23 2017, @05:57PM (#586456)

          If you're referring to a third-party script that a user manages to inadvertently insert through a cross-site scripting (XSS) vulnerability, preventing it from running is the main goal of CSP.

          Preventing "it" from running should be as easy as totally disabling javascript when doing anything security sensitive. Anything interfering with that is a malicious part of the problem, all song and dance of security theater notwithstanding.

    • (Score: 4, Insightful) by opinionated_science on Monday October 23 2017, @10:21AM (1 child)

      by opinionated_science (4031) on Monday October 23 2017, @10:21AM (#586253)

      I've not applied any technical focus on this, but I *do* use UBO on some really dodgy sites, and it happily closes and makes visible (by denying i-frames) many bouncing, flashing "click me!" sites....

      Reading what I wrote, I realise this probably doesn't meet many people's version of dodgy, but we have a broken ad-serve liability model.....

      • (Score: 3, Insightful) by DannyB on Monday October 23 2017, @04:47PM

        by DannyB (5839) Subscriber Badge on Monday October 23 2017, @04:47PM (#586405) Journal

        Reading what I wrote, I realise this probably doesn't meet many people's version of dodgy

        It meets my version of dodgy. Any advertisement that is bouncing, flashing ***CLICK-ME!!!***, playing sounds, or videos is MOST DEFINITELY dodgy.

        And sites that do this ARE NOT worth my time.

        Free clue to these websites: It is highly unlikely that there is something on your web site that is so important that I absolutely must see it. Especially if I cannot see it due to all the dodgy animated content.

        But I understand. It is an arms race. Between people trying to navigate information while maintaining their sanity, and advertisers that will stoop to any depths, leave no lie untold, who would plaster every surface in the world with ads, and would put ads on the inside of our eyelids if they could. And would bribe congress to make the eyelid implants mandatory at birth. And then would post messages to defend the indefensible practice.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 3, Insightful) by inertnet on Monday October 23 2017, @10:50AM

      by inertnet (4071) on Monday October 23 2017, @10:50AM (#586263) Journal

      The fact that this is called a "violation" says a lot.

  • (Score: 5, Insightful) by Anonymous Coward on Monday October 23 2017, @10:40AM (24 children)

    by Anonymous Coward on Monday October 23 2017, @10:40AM (#586260)

    Inexhaustive list of some other things I'm sure uBlock Origin has been criticised for by various parties:

    • blocking ads
    • blocking trackers
    • blocking third-party Javascript
    • blocking malware
    • (Score: 2, Informative) by Anonymous Coward on Monday October 23 2017, @02:14PM (1 child)

      by Anonymous Coward on Monday October 23 2017, @02:14PM (#586330)

      * Making websites sane

      • (Score: 3, Informative) by bob_super on Monday October 23 2017, @09:33PM

        by bob_super (1357) on Monday October 23 2017, @09:33PM (#586592)

        * Making pages load much much faster, reducing congestion by using less bandwidth and mitigating some malware threats.

    • (Score: 2) by Pino P on Monday October 23 2017, @02:58PM (21 children)

      by Pino P (4721) on Monday October 23 2017, @02:58PM (#586351) Journal

      Would you prefer having to pay $4 for each unique domain that you visit in each month? Because in practice, that's the alternative to third-party ads and trackers for sites that aren't run as a hobby. Or if you know of a third way (other than ads or subscriptions) proven to provide enough revenue to pay writers, I'd like to read about it.

      • (Score: 3, Insightful) by Anonymous Coward on Monday October 23 2017, @03:26PM (3 children)

        by Anonymous Coward on Monday October 23 2017, @03:26PM (#586367)

        I already pay for Internet. Why aren't sites paying me to visit, they're so enamored of monetizing my traffic to it. There's no free lunch.

        • (Score: 2) by Pino P on Monday October 23 2017, @05:54PM (2 children)

          by Pino P (4721) on Monday October 23 2017, @05:54PM (#586453) Journal

          I already pay for Internet. Why aren't sites paying me to visit

          Your ISP bill pays to connect your computer to the Internet. It doesn't pay the writers on the other side of the Internet. Would you prefer to have to subscribe to website packages through your ISP the way you subscribe to channel packages through a multichannel pay TV (cable or satellite) provider? And would you prefer to lose access to websites because your ISP refuses to pay the carriage fee? (I'm looking at you, ESPN3 [wikipedia.org].)

          • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @08:53AM (1 child)

            by Anonymous Coward on Tuesday October 24 2017, @08:53AM (#586777)

            Your ISP bill pays to connect your computer to the Internet. It doesn't pay the writers on the other side of the Internet.

            That's why I pay for NYT and I receive all the content I care to read written by professional journalists.

            I do not wish to pay some random dush for their random ad-infested site with 50 weird things your mama thought about her wiener. If it weren't for these shit-ads everywhere, there would be very little incentive for all the fake news sites out there. All you have to do is look at the new Android "front page" by Google to see utter SHIT on the internet being packaged and regurgitated so some asshole can make a free buck. In the grand scheme of things, soylentnews is one of the better sources of information and that is a fucking sad state of affairs.

            • (Score: 2) by Pino P on Tuesday October 24 2017, @01:05PM

              by Pino P (4721) on Tuesday October 24 2017, @01:05PM (#586830) Journal

              That's why I pay for NYT and I receive all the content I care to read written by professional journalists.

              Your subscription to NYT doesn't help when one of your friends shares with you an article that happens to be on the LA Times, Washington Post, Wall Street Journal, Financial Times, or another widely respected publication not affiliated with the NYT Company. You end up in NYT's filter bubble.

      • (Score: 4, Insightful) by Anonymous Coward on Monday October 23 2017, @04:13PM (4 children)

        by Anonymous Coward on Monday October 23 2017, @04:13PM (#586385)

        Yes, please. Let's go back to when websites were a labour of love created by people that wished to share their hobbies and their knowledge. Let's go back to when websites were informational. Drop this corporate shit now!

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:05PM

          by Anonymous Coward on Monday October 23 2017, @05:05PM (#586414)

          ^ I've stopped exploring the web, it's a pain in the ass! I've found a few tiny corners, and I search for anything specific I need, otherwise I ignore it.

        • (Score: 2) by Pino P on Monday October 23 2017, @07:47PM (1 child)

          by Pino P (4721) on Monday October 23 2017, @07:47PM (#586519) Journal

          Yes, please. Let's go back to when websites were a labour of love created by people that wished to share their hobbies and their knowledge.

          Sorry to tell you this, but back "when websites were a labour of love created by people that wished to share their hobbies and their knowledge," your connection to the Internet was 0.05 Mbps or slower. A 300 kB JPEG image would have taken a whole minute to load. There wasn't enough demand to view "labour of love" websites among the non-academic public to ensure the economies of scale needed to provide high-speed Internet access in homes.

          Drop this corporate shit now!

          Your home and mobile ISPs are probably a corporation or LLC. So good luck running a city-wide last-mile network without "corporate shit". Good luck even obtaining rights-of-way from your city's public utility board or from the national radio regulator without such an entity in place.

          • (Score: 0) by Anonymous Coward on Monday October 23 2017, @08:08PM

            by Anonymous Coward on Monday October 23 2017, @08:08PM (#586538)

            Good luck with that shilling, I hear India and China are really bringing down the cost of decent quality garbage.

        • (Score: 1) by RedIsNotGreen on Tuesday October 24 2017, @05:45AM

          by RedIsNotGreen (2191) on Tuesday October 24 2017, @05:45AM (#586734) Homepage Journal

          Agree. Most advertising-supported websites are useless drivel.

      • (Score: 3, Insightful) by DannyB on Monday October 23 2017, @04:55PM

        by DannyB (5839) Subscriber Badge on Monday October 23 2017, @04:55PM (#586409) Journal

        Would you prefer having to pay $4 for each unique domain that you visit in each month?

        Dream On. Keep your delusion.

        to provide enough revenue to pay writers

        Oh, boo hoo!

        I've already quit visiting certain news web sites that seem to have that attitude that I should just bend over for anything that they want to do. And I'm not talking about some no-name web sites.

        Advertisers [soylentnews.org] brought this problem [soylentnews.org] on themselves [soylentnews.org]. I have no sympathy.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @03:11AM (1 child)

        by Anonymous Coward on Tuesday October 24 2017, @03:11AM (#586701)

        Go ahead and try to charge 4 bucks for visit. Go right ahead - for every one of you idiots, hundred others will offer up the same/better shit without charging.

        You are a shill/moron, probably both.

        • (Score: 2) by Pino P on Tuesday October 24 2017, @01:15PM

          by Pino P (4721) on Tuesday October 24 2017, @01:15PM (#586833) Journal

          Go ahead and try to charge 4 bucks for visit. Go right ahead

          If a viewer uses a tracking blocker on WIRED, the website doesn't charge $4 per visit. Instead, it charges $4 per 28 days. Whether a subscriber visits 1 or 28 times in the subscription period is up to the subscriber. But I see site-specific monthly subscriptions like this as an attempt by websites to shift viewer behavior toward visiting fewer websites in a month, in order to put viewers into a particular site's filter bubble.

          for every one of you idiots, hundred others will offer up the same/better shit without charging.

          Those who transmit entire articles from WIRED without permission from Conde Nast will get sued out of existence by Conde Nast for copyright infringement.

          Please cool it with the ad hominem attacks.

      • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @03:25AM

        by Anonymous Coward on Tuesday October 24 2017, @03:25AM (#586703)

        The world doesn't owe you a living because you run a website.

      • (Score: 1, Insightful) by Anonymous Coward on Tuesday October 24 2017, @05:54AM (2 children)

        by Anonymous Coward on Tuesday October 24 2017, @05:54AM (#586738)

        "having ads" != "fucking your users' privacy, bandwidth, and security with ad networks, trackers, non-vetted third-party JS, and ad videos and scripts that can reach hundreds of megabytes"

        You can have static ads and host them yourself. There's a bunch of sites doing this. There's also services like Flattr and Patreon. If ad networks die a fiery death, other means of payment can be developed in the vacuum, and non-hobby websites can adapt or fail, as any other business.

        Web without adblockers is almost completely unusable and way too dangerous. Browsing without disabling that bullshit is like eating sushi you picked up from the street. Have fun with ransomware, hope you have good backups.

        • (Score: 2) by chromas on Tuesday October 24 2017, @09:12AM

          by chromas (34) Subscriber Badge on Tuesday October 24 2017, @09:12AM (#586787) Journal

          "having ads" != "fucking your users

          Exactly this. We could go back to basic text and static image ads, but they kinda shat the bed. It would take a bit to regain trust. Or not. How many people still don't run ad blockers?

        • (Score: 2) by Pino P on Tuesday October 24 2017, @01:17PM

          by Pino P (4721) on Tuesday October 24 2017, @01:17PM (#586835) Journal

          You can have static ads and host them yourself. There's a bunch of sites doing this.

          What other prominent websites have gone this route, other than Daring Fireball [daringfireball.net]? I want to pass on the recommendation to self-host a site's ads, but I want to avoid replies to the effect: "That works for Daring Fireball but won't work for any other site."

      • (Score: 2) by TheRaven on Tuesday October 24 2017, @08:26AM

        by TheRaven (270) on Tuesday October 24 2017, @08:26AM (#586770) Journal

        $4 seems pretty steep. I'd be very surprised if sites had any advertisers that paid close to that per unique visitor. The result of a quick search [monetizepros.com] indicates that big sites are making $6.25-22 per 1,000 unique visitors per year, or about 0.2¢/month/visitor for the highest earners. Give them a mechanism whereby they can get 10¢/month/visitor and they'll be raking it in, comparatively.

        The $4 number doesn't pass a basic smell test. If you look at half a dozen sites regularly per month (a pretty conservative estimate), then that's $24/month that advertisers are willing to pay for you. That means that they'd have to be confident that they'd generate an average of (significantly) more than $24/month from sales to each random Internet person (including the ones that are in a completely different country that they can't even sell to). Does that sound likely?

        --
        sudo mod me up
      • (Score: 2) by urza9814 on Tuesday October 24 2017, @01:30PM (3 children)

        by urza9814 (3954) on Tuesday October 24 2017, @01:30PM (#586837) Journal

        Would you prefer having to pay $4 for each unique domain that you visit in each month? Because in practice, that's the alternative to third-party ads and trackers for sites that aren't run as a hobby. Or if you know of a third way (other than ads or subscriptions) proven to provide enough revenue to pay writers, I'd like to read about it.

        You're utterly delusional if you think ads pay anywhere near that amount. If you're *lucky* you'll get maybe a tenth of a cent per visit; if you're unlucky it'll be a few hundredths. So how exactly is reducing the amount of content a site has to serve supposed to increase their costs by several orders of magnitude? $4 would get you a dozen page views per day, every day, for a year. It wouldn't be $4/month/domain, it'd be $4/month overall. Possibly less.

        Meanwhile I've literally invested hundreds of dollars in firewall hardware and hundreds of hours in development and administration to bring some sanity to my browsing experience, so I'd gladly pay ten times that estimate for an ad-free web...

        • (Score: 2) by Pino P on Tuesday October 24 2017, @01:56PM (2 children)

          by Pino P (4721) on Tuesday October 24 2017, @01:56PM (#586850) Journal

          You're utterly delusional if you think ads pay anywhere near that amount.

          Then WIRED is utterly delusional, as it charges that amount for a 28-day tracking blocking pass. Sites like WSJ and NYTimes charge even more.

          It wouldn't be $4/month/domain, it'd be $4/month overall.

          Who collects this $4 payment from subscribers and remits it to site operators? It can't be (say) a 50 cent transaction to each of eight site operators, as the credit card processor would eat up most of that in the swipe fee.

          • (Score: 2) by urza9814 on Tuesday October 24 2017, @03:01PM (1 child)

            by urza9814 (3954) on Tuesday October 24 2017, @03:01PM (#586890) Journal

            Then WIRED is utterly delusional, as it charges that amount for a 28-day tracking blocking pass. Sites like WSJ and NYTimes charge even more.

            Yeah, and a Soylent subscription starts at $4/month too. Most users don't subscribe at all and don't view ads at all, but the few who are willing to pay are able to subsidize the site for everyone else. Probably Wired/WSJ/NYT have similar business plans. Ads weren't paying enough, so they started to look for more lucrative funding from their core audience.

            Who collects this $4 payment from subscribers and remits it to site operators? It can't be (say) a 50 cent transaction to each of eight site operators, as the credit card processor would eat up most of that in the swipe fee.

            However they want to do it. I've got some sites/organizations that I pay $3/month to through Patreon, and you can do even smaller payments there, then they bill it in bulk and divide it up...or there's sites that I pay maybe $10/year for an annual subscription which would be fine too. You could also avoid the card processor fees by not using the cards -- do direct bank transfers or something along those lines.

            • (Score: 2) by Pino P on Wednesday October 25 2017, @08:56PM

              by Pino P (4721) on Wednesday October 25 2017, @08:56PM (#587560) Journal

              You could also avoid the card processor fees by not using the cards -- do direct bank transfers or something along those lines.

              An ACH transfer doesn't take a percentage of the total like a Visa or MC transaction does. But it still takes a fee of $0.15 to $0.95 per transaction [firstach.com]. And the first ACH payment processor I looked at charges a fee that starts at $359.40 per merchant per year [firstach.com], whether any payment happens or not, compared to $0 per year for something like PayPal.

  • (Score: 5, Insightful) by FatPhil on Monday October 23 2017, @11:04AM (2 children)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday October 23 2017, @11:04AM (#586267) Homepage

    OK, I barely know anything about CSP, but what I worked out from TFA and a few clicks was that it was a way of turning something in the body of a webpage (in this case a non-approved script, where you define what is approved) into a request to a server of the webpage author's choosing that contains lots of juicy data about the page which was just loaded.

    There's a word for that operation - it's called "tracking". How is it different from a PING, or a 1x1 px web-bug?

    If my paranoia is right, I'm tempted to say I'd want *all* CSP reports blocked. I'm happy to be corrected though.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 3, Informative) by Pino P on Monday October 23 2017, @03:01PM (1 child)

      by Pino P (4721) on Monday October 23 2017, @03:01PM (#586354) Journal

      The Content-Security-Policy-Report-Only header you're looking at is intended for diagnosing defects in a website, such as a cleartext http: URI mistakenly transcluded through some mechanism in a https: page, or third-party scripts inserted through a cross-site scripting (XSS) vulnerability.
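The diagnostic use of Report-Only that Pino P describes (mixed http: content on an https: page, scripts inserted through XSS) and the report-uri POST the article summary refers to, as an added example that is not part of this thread, of the article, or of uBlock Origin's code: a small triage routine for the JSON bodies a browser posts to a report endpoint. It assumes the CSP Level 2 report format (a top-level "csp-report" object with fields such as document-uri, effective-directive, blocked-uri and source-file); the extension-scheme list, the bucket heuristics, the policy in REPORT_ONLY_HEADER and every host name are constructed for the example, not an authoritative list.

```python
"""Triage of CSP violation reports posted to a report-uri endpoint.

Added example; not code from the article, the thread or uBlock Origin.
Field names follow the CSP Level 2 report format; the extension-scheme
list and the bucket rules are this example's own heuristics.
"""
import json
from urllib.parse import urlsplit

# Report-Only policy: the browser reports violations but does not block.
# Approves only the site's own scripts plus one analytics host (constructed).
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only: "
    "default-src 'self'; "
    "script-src 'self' https://www.google-analytics.com; "
    "report-uri /csp-hotline"
)
APPROVED_SCRIPT_ORIGINS = {"https://www.google-analytics.com"}

# URI schemes that only appear when a browser extension touched the page
# (assumed list for this example).
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension",
                     "safari-extension", "ms-browser-extension")


def classify(report_json: str) -> dict:
    """Sort one posted report body into a bucket an operator can act on."""
    body = json.loads(report_json)
    rep = body.get("csp-report")
    if not isinstance(rep, dict):
        return {"bucket": "malformed", "detail": "no csp-report object"}

    document = urlsplit(rep.get("document-uri", ""))
    blocked = rep.get("blocked-uri", "")
    source = rep.get("source-file", "")
    directive = rep.get("effective-directive") or rep.get("violated-directive", "")

    # Client-side noise: the blocked resource, or the script that tried to
    # load it, belongs to an extension rather than to the site.
    for uri in (blocked, source):
        if urlsplit(uri).scheme in EXTENSION_SCHEMES:
            return {"bucket": "extension-noise", "detail": uri}

    # Mixed content: cleartext http: sub-resource inside an https: document.
    if document.scheme == "https" and urlsplit(blocked).scheme == "http":
        return {"bucket": "mixed-content", "detail": blocked}

    # Inline script or eval under a policy without 'unsafe-inline': the
    # classic footprint of injected code (or of the site's own inline code).
    if blocked in ("inline", "eval") and directive.startswith("script-src"):
        return {"bucket": "inline-script", "detail": f"{blocked} in {directive}"}

    # Remote script from an origin the policy does not approve.
    if directive.startswith("script-src"):
        parts = urlsplit(blocked)
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin not in APPROVED_SCRIPT_ORIGINS:
            return {"bucket": "unapproved-script-origin", "detail": origin}

    return {"bucket": "other", "detail": f"{directive} blocked {blocked}"}


def summarize(report_bodies) -> dict:
    """Count reports per bucket; the numbers an operator would graph."""
    counts = {}
    for body in report_bodies:
        bucket = classify(body)["bucket"]
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def _report(**fields) -> str:
    """Build one constructed report body (sample data, not captured)."""
    return json.dumps({"csp-report": {"document-uri": "https://example.test/page", **fields}})


SAMPLE_REPORTS = [
    _report(**{"effective-directive": "img-src", "violated-directive": "default-src",
               "blocked-uri": "http://cdn.example.test/logo.png"}),
    _report(**{"effective-directive": "script-src", "violated-directive": "script-src",
               "blocked-uri": "inline", "line-number": 12}),
    _report(**{"effective-directive": "script-src", "violated-directive": "script-src",
               "blocked-uri": "https://evil.example.test/x.js",
               "source-file": "https://example.test/page"}),
    _report(**{"effective-directive": "style-src", "violated-directive": "default-src",
               "blocked-uri": "moz-extension://0123abcd/content.css"}),
    _report(**{"effective-directive": "script-src", "violated-directive": "script-src",
               "blocked-uri": "https://www.google-analytics.com/analytics.js",
               "source-file": "chrome-extension://abcd1234/inject.js"}),
]

if __name__ == "__main__":
    for body in SAMPLE_REPORTS:
        print(classify(body))
    print(summarize(SAMPLE_REPORTS))
```

The extension check runs before every other rule on purpose: a report whose blocked-uri is an approved host but whose source-file is an extension script (the last sample) is the kind of entry that inflates a dashboard without pointing at anything wrong on the server, which is the noise the thread is arguing about.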

      • (Score: 0) by Anonymous Coward on Tuesday October 24 2017, @06:03AM

        by Anonymous Coward on Tuesday October 24 2017, @06:03AM (#586741)

        That's what it's intended for.

        Of course, the more important question remains: what is it *actually* used for...?

  • (Score: 5, Informative) by pTamok on Monday October 23 2017, @11:28AM (2 children)

    by pTamok (3042) on Monday October 23 2017, @11:28AM (#586275)

    I regard this as a manifestation of microBlock Origin just doing its job. I'm not alone. A perusal of the comments on 'The Register' shows that there is broad support for uBO's approach.

    The Register: uBlock Origin CSP report blocking comments [theregister.co.uk]

    • (Score: 2) by takyon on Monday October 23 2017, @11:57AM (1 child)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Monday October 23 2017, @11:57AM (#586288) Journal

      I was forced to read TFA. But once I had done so, I laughed at the critics. I use uMatrix though.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 1) by pTamok on Monday October 23 2017, @05:57PM

        by pTamok (3042) on Monday October 23 2017, @05:57PM (#586457)

        I'm glad it amused you.

        The Register commentators can be caustic.

  • (Score: 2) by FakeBeldin on Monday October 23 2017, @12:02PM (6 children)

    by FakeBeldin (3360) on Monday October 23 2017, @12:02PM (#586291) Journal

    uBlock is for user security, CSP is for the website's own security. Big surprise that they don't always coincide.

    If you as a site owner want more lax uBlock settings for your site, feel free to put up a banner. Just like those "hey you're blocking our ads" banners. I'm sure it'll work out well - every visitor who has uBlock origin and cares about your site knowing when your site messes up, will surely expect to have to relax their settings.

    • (Score: 4, Informative) by takyon on Monday October 23 2017, @12:12PM (1 child)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Monday October 23 2017, @12:12PM (#586294) Journal

      Actually, one or more of my extensions (probably Adblock) seems to detect some of those banners and block them (more accurately, it asks me if I want to block them, and I just say no). I think it might be based on a curated list, idk.

      Still... yup. Blocking Google Analytics is scriptblocking 101.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 3, Informative) by FakeBeldin on Monday October 23 2017, @12:31PM (3 children)

      by FakeBeldin (3360) on Monday October 23 2017, @12:31PM (#586299) Journal

      uBlock is for user security, CSP is for the website's own security.

      Case in point:
      The security feature enabled by CSP reporting (i.e.: fixing the site) isn't dependent on one user. It's dependent on at least one of the users doing it, not on all.
      On the other hand, the security feature of uBlock origin is to block. So whenever uBlock fails to block, it fails.

      Given that uBlock's market penetration is ridiculously low, the chance that the only visitors to your site who would trigger CSP reporting are uBlock users is infinitesimal. I.e., this is an absolute non-issue.

      • (Score: 2) by Pino P on Monday October 23 2017, @03:05PM (2 children)

        by Pino P (4721) on Monday October 23 2017, @03:05PM (#586357) Journal

        The security feature enabled by CSP reporting (i.e.: fixing the site) isn't dependent on one user. It's dependent on at least one of the users doing it, not on all.

        Testing using the CSPRO header depends on at least one user viewing each individual document. But a lot of sites are so big that one user rarely if ever sees the whole thing, resulting in incomplete test coverage. So yes, you may need multiple users to hit different subsets of the documents on a site.

        Given that uBlock's market penetration is ridiculously low, the chance that the only visitors to your site who would trigger CSP reporting are uBlock users is infinitesimal. I.e., this is an absolute non-issue.

        If the majority of your users end up using other ad or script blockers that have the same bug as UBO, that could cause poor coverage as well.

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:49PM

          by Anonymous Coward on Monday October 23 2017, @05:49PM (#586449)

          So yes, you may need multiple users to hit different subsets of the documents on a site.

          Multiple != all. All non-UBO users should be sufficient.

          If the majority of your users end up using other ad or script blockers that have the same bug as UBO, that could cause poor coverage as well.

          It's not a bug. It's a properly implemented security and privacy feature.

        • (Score: 0) by Anonymous Coward on Monday October 23 2017, @06:25PM

          by Anonymous Coward on Monday October 23 2017, @06:25PM (#586473)

          But a lot of sites are so big that one user rarely if ever sees the whole thing, resulting in incomplete test coverage.

          Only a few hackers in the world are interested in pwning that just one person who happens to be viewing a particular document on a website that nobody else in the world is interested in.

          And if that person is running ublock I think he would want everything blocked, including reports.

          If that person isn't running ublock and got pwned I don't think he cares that the website got a CSP violation report or not.

          If that person wasn't pwned but his browser noticed the attempted CSP violation, I think that person would want the browser to notify him and stop running anything else from that site. His browser sending reports and more data to that site is not what he would want. If he wishes he can go tell the site himself, but given that he's the only one in the world being targeted I think he has more important things to do (like maybe leave the country ;) ).

          If that person was a security researcher testing the site, he should be getting the report from the browser side (e.g. click on "violation details"). Not from the browser telling the server side "guess what my user nearly got pwned". That's how it would work if the browser makers and standards bodies were actually interested in security and not more insidious ways for tracking people.

  • (Score: 5, Insightful) by crafoo on Monday October 23 2017, @12:57PM (11 children)

    by crafoo (6639) on Monday October 23 2017, @12:57PM (#586305)

    The balls on these people. To claim they have ANY right to decide what code is executed on my system. Execute it on your fucking server if it's so important to you. Fuck off.

    • (Score: 2) by Grishnakh on Monday October 23 2017, @02:48PM

      by Grishnakh (2831) on Monday October 23 2017, @02:48PM (#586345)

      But.. but.. but... their terms of service require you to run the code that they point to on their webpage!!!

    • (Score: 2) by Pino P on Monday October 23 2017, @03:08PM (8 children)

      by Pino P (4721) on Monday October 23 2017, @03:08PM (#586359) Journal

      The balls on these people. To claim they have ANY right to decide what code is executed on my system. Execute it on your fucking server if it's so important to you.

      Enjoy having to submit a form and wait for a round trip and full page reload every time you make the smallest change to the piece of information that you are editing in the web application you are using. For example, in an online whiteboard web application, enjoy having to click-wait-click-wait-click-wait-click to draw a polyline instead of dragging to draw a curve.

      • (Score: 3, Touché) by KilroySmith on Monday October 23 2017, @03:22PM (5 children)

        by KilroySmith (2113) on Monday October 23 2017, @03:22PM (#586365)

        I guess I would decide to run that whiteboard code then. That doesn't mean that, just because I find some code useful, that I must then allow all code to run...

        • (Score: 2) by Pino P on Monday October 23 2017, @03:55PM (4 children)

          by Pino P (4721) on Monday October 23 2017, @03:55PM (#586377) Journal

          That doesn't mean that, just because I find some code useful, that I must then allow all code to run

          Agreed. But how should an end user go about determining which code is trustworthy to run?

          • (Score: 2) by KilroySmith on Monday October 23 2017, @05:18PM

            by KilroySmith (2113) on Monday October 23 2017, @05:18PM (#586423)

            I'm computer savvy, fairly well-read on the privacy and security issues of running web scripts on my PC, and even I have no idea how to go about determining which code is trustworthy to run. So, by default, I block it all, and decide on a case-by-case basis whether to allow a script to run so that I can access content, or to leave it blocked and forego the content because my risk-reward judgement decides it's not worth it. And even when I do run scripts, I love NoScript's granularity in temporarily allowing scripts from the site I'm visiting, while leaving scripts from ad and tracking networks blocked. I just hate the occasional annoyance of temporarily allowing one site's scripts, seeing the site still isn't displaying correctly, enabling another set of scripts, seeing the site is still broken, repeat ad infinitum.

          • (Score: 0) by Anonymous Coward on Monday October 23 2017, @06:01PM (2 children)

            by Anonymous Coward on Monday October 23 2017, @06:01PM (#586459)

            But how should an end user go about determining which code is trustworthy to run?

            Isn't that why they're trying to teach basic comp sci to everyone?

            • (Score: 0) by Anonymous Coward on Monday October 23 2017, @06:37PM

              by Anonymous Coward on Monday October 23 2017, @06:37PM (#586480)

              Basic computer science would tell you that solving the halting problem is impossible ;).

              "which code is trustworthy to run?" is similar to the halting problem. Except that in many cases you don't get the full code and inputs till you run the initial code. Heck you might never get the full code either.

              Of course in that case you can probably deduce that particular code is not safe to run, but you might go all the way and decide that no javascript is safe to run.

              A workaround of course is to sandbox and restrict stuff (solving the halting problem by making sure that everything will halt even if the code isn't written that way ;) ). CSP was supposed to be one of those tools to help limit damage.
            • (Score: 1, Informative) by Anonymous Coward on Monday October 23 2017, @09:15PM

              by Anonymous Coward on Monday October 23 2017, @09:15PM (#586577)

              They're not. They're mostly just teaching people to use Microsoft and Apple tools and calling it computer science.

      • (Score: 2) by crafoo on Saturday October 28 2017, @02:05AM (1 child)

        by crafoo (6639) on Saturday October 28 2017, @02:05AM (#588512)

        OOOOh oooh ooh! You know what? Javascript is a mistake. If I want to run a fucking white board app I will fucking run a white board app. Not a shitpile javascript app INSIDE A FUCKING BROWSER.

        • (Score: 2) by Pino P on Saturday October 28 2017, @02:28PM

          by Pino P (4721) on Saturday October 28 2017, @02:28PM (#588682) Journal

          If I want to run a fucking white board app I will fucking run a white board app.

          The difference between web apps and native apps is that native apps run only on one operating system. If your computer isn't a Mac, good luck unpacking and running the .dmg of a whiteboard app made for Mac. Even if the source code is available, good luck building and running the source code of a whiteboard app that uses Cocoa.

    • (Score: 2) by DannyB on Monday October 23 2017, @05:00PM

      by DannyB (5839) Subscriber Badge on Monday October 23 2017, @05:00PM (#586413) Journal

      The balls on these people. To claim they have ANY right to decide what code is executed on my system.

      To claim that they have ANY balls is as deceptive and misleading as . . . well, as an advertisement.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 4, Interesting) by RamiK on Monday October 23 2017, @04:30PM

    by RamiK (1813) on Monday October 23 2017, @04:30PM (#586396)

    https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-koppe.pdf [usenix.org]

    You can serve a script injecting microcode past the sandboxing. And considering SMM and AMT have their own mode instructions, I bet you can go all the way to ring-3 and own the machine in ways that would make an NSA contractor defect screaming "They're made out of people!".

    And that paper was released separately from sandsifter [github.com]. So imagine what would happen when hackers catch up and realize they can probe their chips for microcode and reverse it...

    So, you're telling me the uBlock guy is wrong to block those scripts? I say, he should be defaulting on forcing people to read through each and every piece of JS to accept them like EULAs before allowing it to run.

    --
    compiling...
  • (Score: 3, Informative) by Anonymous Coward on Monday October 23 2017, @04:31PM

    by Anonymous Coward on Monday October 23 2017, @04:31PM (#586397)

    The coverage and whatnot are leaving much of the story out, just like when uBO was discovered to be blocking websockets. Basically, this was an agenda driven opportunity to smear uBO and the guilty parties (Troy Hunt and Scott Helme) are way better in PR than Gorhill. It is almost identical to the arguments mounted by the pro-websocket people (led by pornhub's parent) about the usefulness and how it isn't currently being used for ads and tracking. Here are the real facts, but I'll leave it to you to RTFA for the sources, unless I have more time later.

    1. Bug reporter runs a service that sells CSP reporting, which seems to suggest that you need to pay money to use it.
    2. Other crusader (Troy Hunt) is, for all intents and purposes, anti-adblocking after a battle between himself and easylist on his blog.
    3. Because of the way uBO works, it used to cause certain (NOT ALL) pages to fire CSP reports due to its blocking efforts.
    4. If uBO determines that its blocking action would cause a CSP report to be fired, it would block all CSPs from a page (yes, even legitimate ones).
    5. If a CSP report was fired off for a page uBO's actions would not cause a CSP report for, it wouldn't block them.
    6. The CSP specifications state that CSP reports should be blockable by the user agent anyway (the thinking is that you really only need one from somewhere and most won't block)
    7. This does not disable CSP, as

    Well, Scott throws a hissy and enlists Troy to try and beat uBO into submission in the press (most notably the register). Gorhill stands firm in his pro-user stance, but takes another look at the problem anyway. They consider that not good enough and ignore the whole UA choice to send them and a hypothetical about how they can be used for tracking because he has a hypothetical where they stopped the bad guys. Regardless, as a result, uBO now does this:

    1. There is now a setting to block all CSP reports or allow those through that are considered legitimate based on either a whitelist or blacklist process.
    2. uBO will still block CSP reports that it determines to have possibly been caused by its actions.
    3. uBO will respect the user decision regarding CSP reports that it is not sure about.
    4. There are now eyeballs on adding a csp_report filter to lists to prevent tracking.
    5. There is a bug report in all three browsers to allow more fine-grained control.

  • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:07PM

    by Anonymous Coward on Monday October 23 2017, @05:07PM (#586415)

    Hadn't realized CSP was such a threat to the end-user until today.

  • (Score: 0) by Anonymous Coward on Monday October 23 2017, @05:23PM

    by Anonymous Coward on Monday October 23 2017, @05:23PM (#586427)

    What is palemoon's attitude to report-uri, Beacons (https://developer.mozilla.org/en-US/docs/Web/API/Beacon_API) and other such junk?
