uBlock Blocking CSP Raises Questions

Discussion of news related to ad blocking.

Moderator: EasyList authors

gotitbro
Postaholic
Posts: 745
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 4

uBlock Blocking CSP Raises Questions

Post by gotitbro » Tue Nov 07, 2017 9:17 pm

uBlock Origin currently blocks all CSP from being sent by a website if any tracking script is blocked, such as Google Analytics, which is used by a lot of websites. CSP allows website admins to determine what content gets loaded on webpages (JS, CSS, iframes etc.), thus preventing XSS-like attacks, and also reports any hacking attempt to the admins.

Security experts have raised issues regarding this, as it makes the website vulnerable by admins not getting reports of such hacking attempts, while some uBO users agree with it blocking these CSP reports, saying it protects their privacy.

Some prominent security researchers such as Troy Hunt and Scott Helme (he raised the issue on GitHub) got into a banter with uBO developer Raymond Hill (gorhill) over this issue on Twitter and raised concerns that an extension used for security in the first place was weakening it.

uBO's answer to blocking all CSP when a tracking script is blocked is that the tracking script may have triggered the CSP, and it uses a unilateral approach.

I think there should be an option to enable/disable CSP reporting in uBO to stop this debate completely.

https://www.theregister.co.uk/2017/10/17/ublock_origin_csp_reports/
https://twitter.com/troyhunt/status/920590590223331329
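For a site operator on the receiving end of this, the practical question is how to tell a report caused by a content blocker from a real violation. The following is an added example, not code from the thread or from uBO (uBO's own heuristic is discussed in the GitHub issue linked below, not reproduced here). It triages incoming report-uri JSON server-side on one observation: if the site's own policy allows the blocked URL, the browser did not block it because of CSP, so something else did and the report is spurious. The policy, site names and reports are constructed.

```python
import json
from urllib.parse import urlparse
# Constructed policy for a hypothetical site that deliberately loads Google Analytics.
SITE_POLICY = ("default-src 'self'; "
               "script-src 'self' https://www.google-analytics.com; report-uri /csp-report")

def parse_policy(policy):
    """Map each directive name to its list of (lower-cased) source expressions."""
    out = {}
    for part in policy.split(";"):
        tokens = part.lower().split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out

def origin_of(url):
    return "{0.scheme}://{0.netloc}".format(urlparse(url)).lower()

def source_allows(src, origin, self_origin):
    """True if one source expression of the policy matches the blocked origin."""
    if src == "'self'":
        return origin == self_origin
    if src.startswith("'"):          # nonce, hash, 'unsafe-inline': never a remote origin
        return False
    if src.endswith(":"):            # scheme source such as https:
        return origin.startswith(src)
    scheme, _, host = src.rpartition("://")
    o_scheme, _, o_host = origin.partition("://")
    if scheme and scheme != o_scheme:
        return False
    if host.startswith("*."):        # wildcard matches subdomains only
        return o_host.endswith(host[1:])
    return host == o_host

def classify(report_json, policy=SITE_POLICY):
    """'spurious' when the site's own policy allows the blocked URL: CSP did not block
    it, so something else (for example a content blocker) did. Otherwise 'genuine'."""
    r = json.loads(report_json)["csp-report"]
    blocked = r.get("blocked-uri", "")
    if "://" not in blocked:         # inline, eval, data, ...: the policy really fired
        return "genuine"
    directive = (r.get("effective-directive") or r["violated-directive"].split()[0]).lower()
    d = parse_policy(policy)
    sources = d.get(directive) or d.get("default-src", [])
    origin, self_origin = origin_of(blocked), origin_of(r["document-uri"])
    return "spurious" if any(source_allows(s, origin, self_origin) for s in sources) else "genuine"

# Constructed report in the report-uri JSON shape: the kind of report the thread is about.
GA_REPORT = json.dumps({"csp-report": {"document-uri": "https://shop.example/cart",
    "effective-directive": "script-src", "blocked-uri": "https://www.google-analytics.com/analytics.js"}})
```

A report for a script the policy does not allow (an injected host, an inline script) still classifies as genuine, so only the reports a blocker would trigger are filtered out.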

Lanik
Site Owner
Posts: 1377
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 22
Location: /dev/null

Post by Lanik » Wed Nov 08, 2017 12:06 am

gotitbro wrote:
Tue Nov 07, 2017 9:17 pm
I think there should be an option to enable/disable CSP reporting in uBO to stop this debate completely.
If the pre-release version is anything to go by there will be: https://github.com/gorhill/uBlock/wiki/ ... sp-reports
"If it ain't broke don't fix it."

gorhill
uBlock Origin Author
Posts: 221
Joined: Mon Aug 18, 2014 3:17 pm
Reputation: 2

Post by gorhill » Wed Nov 08, 2017 1:20 pm

gotitbro wrote:
Tue Nov 07, 2017 9:17 pm
uBlock Origin currently blocks all CSP from being sent by a website

No, it blocks CSP reports (info sent to a remote server, possibly 3rd-party), only when they are deemed spurious. This disinformation has to stop. CSP directives set by web sites are never ever relaxed by uBO.

I question that you linked to one side of the argument while failing to provide a link to where the actual issue is discussed, with my own view on it: https://github.com/gorhill/uBlock/issues/3140
Last edited by gorhill on Wed Nov 08, 2017 1:39 pm, edited 2 times in total.

-Mark-
Postaholic
Posts: 280
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 13

Post by -Mark- » Wed Nov 08, 2017 1:30 pm

Really? You found this now? It's already old news if you follow the issue tracker on GitHub.

Lanik
Site Owner
Posts: 1377
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 22
Location: /dev/null

Post by Lanik » Wed Nov 08, 2017 10:19 pm

Surprised me. I've been aware of it for quite some time. Ever since it hit the beta channel.
"If it ain't broke don't fix it."

gotitbro
Postaholic
Posts: 745
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 4

Post by gotitbro » Wed Nov 08, 2017 10:55 pm

@Lanik That is why I asked for this subforum to be created. I do not closely follow the GitHub repositories, and events like these slip by. I am pretty sure many usual uBO users missed this news as well.

This forum would serve well for news like this especially if users post news such as this often.

gotitbro
Postaholic
Posts: 745
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 4

Post by gotitbro » Wed Nov 08, 2017 10:59 pm

gorhill wrote:
Wed Nov 08, 2017 1:20 pm
only when they are deemed spurious. This disinformation has to stop.
Okay but how exactly are they determined to be spurious?

And I linked to The Register which is generally considered a respectable news source. Thanks for linking the GitHub issue as well.

Lanik
Site Owner
Posts: 1377
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 22
Location: /dev/null

Post by Lanik » Thu Nov 09, 2017 12:16 am

@gotitbro, like we discussed elsewhere, I don't mind this forum being here. Just be prepared for "this is old news" type of posts, as most of us have seen the so-called "news" already.

Let's stick to the topic of this thread.
"If it ain't broke don't fix it."

gotitbro
Postaholic
Posts: 745
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 4

Post by gotitbro » Thu Nov 09, 2017 12:51 am

Yes and thanks for that. I wouldn't be so sure of the "most of us" part though.

I'd like to stick to the topic as well; I was just answering the old news posts.

Lanik
Site Owner
Posts: 1377
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 22
Location: /dev/null

Post by Lanik » Thu Nov 09, 2017 1:44 am

gotitbro wrote:
Thu Nov 09, 2017 12:51 am
I wouldn't be so sure of the "most of us" part though.
Let me clarify: by most I mean Forum Admins, EL Authors or Contributors. I'm fairly certain they would be keeping up on things like this. :mrgreen:
"If it ain't broke don't fix it."

-Mark-
Postaholic
Posts: 280
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 13

Post by -Mark- » Thu Nov 09, 2017 7:10 am

The ones who should be concerned about this are those webmasters who intend on collecting session data from users via CSP reports.

Also, theregister is a news blog just like the rest of them on the Internet; they work on tips from folks like Scott who intend to publicise things in a negative light when things don't go their way.

https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/

That's a better read than theregister's deluded, one-sided blog post.

gotitbro
Postaholic
Posts: 745
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 4

Post by gotitbro » Thu Nov 09, 2017 8:43 am

Mark, Lanik, sure these people would be up to speed on such developments, but that doesn't mean the regular user shouldn't be.

Lanik
Site Owner
Posts: 1377
Joined: Thu Feb 15, 2007 7:44 am
Reputation: 22
Location: /dev/null

Post by Lanik » Thu Nov 09, 2017 8:17 pm

gotitbro wrote:
Thu Nov 09, 2017 8:43 am
... but that doesn't mean the regular user shouldn't be.
Agreed as long as you guys keep things civil. ;-)
"If it ain't broke don't fix it."

gotitbro
Postaholic
Posts: 745
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 4

Post by gotitbro » Sat Nov 18, 2017 7:31 pm

@gorhill @Lanik I see that an option has been added to uBO for enabling/disabling blocking of CSP reports in the latest public release, 1.14.18. The fact that it's also disabled by default puts a complete end to the security debate. Cool.

-Mark-
Postaholic
Posts: 280
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 13

Post by -Mark- » Sun Nov 19, 2017 7:56 am

There was no security debate from the beginning, just one person's fabrication to publicize uBO into something which is fundamentally untrue.