uBlock Blocking CSP Raises Questions

Discussion of topics related to ad blocking.
gotitbro
Postaholic
Posts: 866
Joined: Sat Jul 09, 2016 8:33 pm

uBlock Blocking CSP Raises Questions

Post by gotitbro »

uBlock Origin currently blocks all CSP from being sent by a website if any tracking script is blocked, such as Google Analytics, which is used by a lot of websites. CSP allows website admins to determine what content gets loaded on webpages (JS, CSS, iframes etc.), thus preventing XSS-like attacks, and also to report any hacking attempt to the admins.

Security experts have raised issues regarding this, as it makes the website vulnerable by admins not getting reports of such hacking attempts. Meanwhile, some uBO users agree with it blocking these CSP reports, saying it protects their privacy.

Some prominent security researchers such as Troy Hunt and Scott Helme (who raised the issue on GitHub) got into banter with uBO developer Raymond Hill (gorhill) over this issue on Twitter and raised concerns that an extension used for security in the first place was weakening it.

uBO's answer to blocking all CSP when a tracking script is blocked is that the tracking script may have triggered the CSP and uses a unilateral approach.

I think there should be an option to enable/disable CSP reporting in uBO to stop this debate completely.

https://www.theregister.co.uk/2017/10/17/ublock_origin_csp_reports/
https://twitter.com/troyhunt/status/920590590223331329
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

gotitbro wrote (Tue Nov 07, 2017 9:17 pm): I think there should be an option to enable/disable CSP reporting in uBO to stop this debate completely.
If the pre-release version is anything to go by there will be: https://github.com/gorhill/uBlock/wiki/ ... sp-reports
"If it ain't broke don't fix it."
gorhill
uBlock Origin Author
Posts: 230
Joined: Mon Aug 18, 2014 3:17 pm

Post by gorhill »

gotitbro wrote (Tue Nov 07, 2017 9:17 pm): uBlock Origin currently blocks all CSP from being sent by a website

No, it blocks CSP reports (info sent to a remote server, possibly 3rd-party), only when they are deemed spurious. This disinformation has to stop. CSP directives set by web sites are never ever relaxed by uBO.

I question that you linked to one side of the argument while failing to provide a link to where the actual issue is discussed, with my own view on it: https://github.com/gorhill/uBlock/issues/3140
-Mark-
Postaholic
Posts: 382
Joined: Tue Jul 05, 2016 7:46 pm

Post by -Mark- »

Really? You found this now? It's already old news if you follow the issue tracker on GitHub.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

Surprised me. I've been aware of it for quite some time. Ever since it hit the beta channel.
gotitbro
Postaholic
Posts: 866
Joined: Sat Jul 09, 2016 8:33 pm

Post by gotitbro »

Lanik, that is why I asked for this subforum to be created. I do not closely follow the GitHub repositories and events like these slip by. I am pretty sure many usual uBO users missed this news as well.

This forum would serve well for news like this especially if users post news such as this often.
gotitbro
Postaholic
Posts: 866
Joined: Sat Jul 09, 2016 8:33 pm

Post by gotitbro »

gorhill wrote (Wed Nov 08, 2017 1:20 pm): only when they are deemed spurious. This disinformation has to stop.
Okay but how exactly are they determined to be spurious?

And I linked to The Register which is generally considered a respectable news source. Thanks for linking the GitHub issue as well.
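As an added example (code written for this page, not code from the original thread, from uBO, or from any of the posters): a small Node.js triage routine for CSP violation reports. It illustrates the distinction the thread turns on, between a report that only reflects the user's own content blocker at work and a report a site owner actually wants to see. The blocklist hosts and the sample reports are constructed, the scheme-only rule follows the CSP3 behaviour of reporting a non-http(s) blocked URL as its scheme, and the classification itself is an illustrative heuristic, not uBO's actual criterion for "spurious".

```javascript
// Added example: triage CSP violation reports (classic report-uri JSON body,
// {"csp-report": {...}}). Illustrative heuristic only; not uBO's code or rule.

// Constructed stand-in for a tracker blocklist (assumption; not EasyPrivacy).
const BLOCKED_HOSTS = new Set([
  "www.google-analytics.com",
  "www.googletagmanager.com",
]);

// Per CSP3, a blocked URL that is not http(s) is reported as its scheme only.
// A resource an extension swapped in (e.g. a neutered analytics stub served
// from the extension itself) therefore shows up as just "chrome-extension",
// "moz-extension", "data" or "blob": a report caused by the blocker, not by
// an attacker.
const EXTENSION_SCHEMES = new Set(["chrome-extension", "moz-extension", "data", "blob"]);

// Parse one report body; returns null for anything that is not a CSP report.
function parseCspReport(body) {
  let obj;
  try { obj = JSON.parse(body); } catch { return null; }
  const r = obj && obj["csp-report"];
  if (!r || typeof r !== "object") return null;
  return {
    documentUri: String(r["document-uri"] || ""),
    blockedUri: String(r["blocked-uri"] || ""),
    directive: String(r["effective-directive"] || r["violated-directive"] || ""),
  };
}

// Hostname of an http(s) blocked-uri, or "" for scheme-only and special
// values such as "inline", "eval", "data".
function hostOf(blockedUri) {
  try {
    const u = new URL(blockedUri);
    return u.protocol === "http:" || u.protocol === "https:" ? u.hostname : "";
  } catch { return ""; }
}

// Classify a parsed report. Only the last two classes are worth a human look.
function classifyCspReport(report) {
  const b = report.blockedUri;
  if (EXTENSION_SCHEMES.has(b)) return "blocker-noise";      // extension-injected resource
  const host = hostOf(b);
  if (host && BLOCKED_HOSTS.has(host)) return "known-tracker"; // policy gap, not an attack
  if (b === "inline" || b === "eval") return "inline-or-eval"; // classic XSS signal
  if (host) return "unlisted-third-party";                     // unknown origin loaded
  return "other";
}

// Triage a batch of raw bodies: counts per class plus the reports to review.
function triage(bodies) {
  const counts = {};
  const review = [];
  for (const body of bodies) {
    const r = parseCspReport(body);
    const cls = r ? classifyCspReport(r) : "unparsable";
    counts[cls] = (counts[cls] || 0) + 1;
    if (cls === "inline-or-eval" || cls === "unlisted-third-party") review.push(r);
  }
  return { counts, review };
}

// Constructed sample reports (not captured from any real site).
const SAMPLE_REPORTS = [
  JSON.stringify({ "csp-report": { "document-uri": "https://example.test/", "blocked-uri": "chrome-extension", "effective-directive": "script-src" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://example.test/", "blocked-uri": "https://www.google-analytics.com/analytics.js", "effective-directive": "script-src" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://example.test/login", "blocked-uri": "inline", "effective-directive": "script-src" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://example.test/", "blocked-uri": "https://cdn.attacker.test/x.js", "effective-directive": "script-src" } }),
  "not json",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_REPORTS), null, 2));
}
```

Run with `node triage.js` to see the counts: of the five constructed bodies, only the inline-script report and the unknown third-party host reach the review list. The point for the privacy side of the debate is visible in the first sample: a report whose blocked-uri is an extension scheme reveals to the report-uri endpoint (possibly a third party) that the user runs a blocker, while telling the site owner nothing about an attack.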
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

gotitbro, like we discussed elsewhere I don't mind this forum being here. Just be prepared for "this is old news" type of posts as most of us have seen the so called "news" already.

Let's stick to the topic of this thread.
gotitbro
Postaholic
Posts: 866
Joined: Sat Jul 09, 2016 8:33 pm

Post by gotitbro »

Yes and thanks for that. I wouldn't be so sure of the "most of us" part though.

I'd like to stick to the topic as well; I was just answering the old news posts.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

gotitbro wrote (Thu Nov 09, 2017 12:51 am): I wouldn't be so sure of the "most of us" part though.
Let me clarify: by most I mean Forum Admins, EL Authors or Contributors. I'm fairly certain they would be keeping up on things like this. :mrgreen:
-Mark-
Postaholic
Posts: 382
Joined: Tue Jul 05, 2016 7:46 pm

Post by -Mark- »

The ones who should be concerned about this are those webmasters who intend on collecting session data from users via CSP reports.

Also, theregister is a news blog just like the rest of them on the Internet; they work on tips from folks like Scott who intend to publicise things in a negative light when things don't go their way.

https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/

That's a better read than theregister's deluded, one sided blog post.
gotitbro
Postaholic
Posts: 866
Joined: Sat Jul 09, 2016 8:33 pm

Post by gotitbro »

Mark, Lanik, sure these people would be up to speed on such developments, but that doesn't mean the regular user shouldn't be.
LanikSJ
Site Owner
Posts: 1806
Joined: Thu Feb 15, 2007 7:44 am
Location: /dev/null

Post by LanikSJ »

gotitbro wrote (Thu Nov 09, 2017 8:43 am): ... but that doesn't mean the regular user shouldn't be.
Agreed as long as you guys keep things civil. ;-)
gotitbro
Postaholic
Posts: 866
Joined: Sat Jul 09, 2016 8:33 pm

Post by gotitbro »

gorhill, Lanik, I see that an option has been added to uBO for enabling/disabling blocking of CSP reports in the latest public release, 1.14.18. The fact that it's also disabled by default puts a complete end to the security debate. Cool.
-Mark-
Postaholic
Posts: 382
Joined: Tue Jul 05, 2016 7:46 pm

Post by -Mark- »

There was no security debate from the beginning, just one person's fabrication to publicize uBO into something which is fundamentally untrue.