uBlock Blocking CSP Raises Questions

Posted: Tue Nov 07, 2017 9:17 pm
by gotitbro
uBlock Origin currently blocks all CSP from being sent by a website if any tracking script is blocked, such as Google Analytics, which is used by a lot of websites. CSP allows website admins to determine what content gets loaded on webpages (JS, CSS, iframes etc.), thus preventing XSS-like attacks, and also to report any hacking attempt to the admins.

Security experts have raised issues regarding this, as it makes the website vulnerable by admins not getting reports of such hacking attempts. Meanwhile, some uBO users agree with it blocking these CSP reports, saying it protects their privacy.

Some prominent security researchers such as Troy Hunt and Scott Helme (he raised the issue on GitHub) got into a banter with uBO developer Raymond Hill (gorhill) over this issue on Twitter and raised concerns that an extension used for security in the first place was weakening it.

uBO's answer to blocking all CSP when a tracking script is blocked is that the tracking script may have triggered the CSP and uses a unilateral approach.

I think there should be an option to enable/disable CSP reporting in uBO to stop this debate completely.

https://www.theregister.co.uk/2017/10/17/ublock_origin_csp_reports/
https://twitter.com/troyhunt/status/920590590223331329
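As an added illustration (not from this thread, and not uBO's own logic), here is how a site's report-uri endpoint could tag violation reports whose blocked resource is a known tracker host, so that reports apparently caused by a content blocker do not drown out genuine ones; the tracker host list and the sample reports are constructed, and the "known tracker host means blocker noise" rule is an assumed heuristic.

```python
import json
from urllib.parse import urlsplit

# Constructed tracker host list for this illustration (not uBO's filter lists).
TRACKER_HOSTS = {"www.google-analytics.com", "tracker.example"}

# Constructed sample report bodies in the report-uri JSON shape browsers send.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/cart",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": "https://www.google-analytics.com/analytics.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/cart",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": "https://evil.example/skimmer.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/cart",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": "inline"}}),
    "not json at all",
]

def classify_report(raw: str, tracker_hosts=TRACKER_HOSTS) -> str:
    """Return 'malformed', 'blocker-induced' or 'genuine' for one report body."""
    try:
        body = json.loads(raw)["csp-report"]
        blocked = body["blocked-uri"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    host = urlsplit(blocked).hostname  # None for 'inline', 'eval', 'data', ...
    if host and host.lower() in tracker_hosts:
        # Assumed heuristic: the violated resource is one a content blocker
        # would have stopped anyway, so the report is noise as far as the
        # site's own policy is concerned and should not page anyone.
        return "blocker-induced"
    return "genuine"

def triage(raw_reports, tracker_hosts=TRACKER_HOSTS) -> dict:
    """Count reports per class so genuine violations stay visible."""
    counts = {"malformed": 0, "blocker-induced": 0, "genuine": 0}
    for raw in raw_reports:
        counts[classify_report(raw, tracker_hosts)] += 1
    return counts

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```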

Re: uBlock Blocking CSP Raises Questions

Posted: Wed Nov 08, 2017 12:06 am
by LanikSJ
gotitbro wrote: Tue Nov 07, 2017 9:17 pm I think there should be an option to enable/disable CSP reporting in uBO to stop this debate completely.
If the pre-release version is anything to go by there will be: https://github.com/gorhill/uBlock/wiki/ ... sp-reports

Re: uBlock Blocking CSP Raises Questions

Posted: Wed Nov 08, 2017 1:20 pm
by gorhill
gotitbro wrote: Tue Nov 07, 2017 9:17 pm uBlock Origin currently blocks all CSP from being sent by a website

No, it blocks CSP reports (info sent to a remote server, possibly 3rd-party), only when they are deemed spurious. This disinformation has to stop. CSP directives set by web sites are never ever relaxed by uBO.

I question that you linked to one side of the argument while failing to provide a link to where the actual issue is discussed, with my own view on it: https://github.com/gorhill/uBlock/issues/3140

Re: uBlock Blocking CSP Raises Questions

Posted: Wed Nov 08, 2017 1:30 pm
by -Mark-
Really? You found this now? It's already old news if you follow the issue tracker on GitHub.

Re: uBlock Blocking CSP Raises Questions

Posted: Wed Nov 08, 2017 10:19 pm
by LanikSJ
Surprised me. I've been aware of it for quite some time. Ever since it hit the beta channel.

Re: uBlock Blocking CSP Raises Questions

Posted: Wed Nov 08, 2017 10:55 pm
by gotitbro
[mention]Lanik[/mention] That is why I asked for this subforum to be created. I do not closely follow the GitHub repositories and events like these slip by. I am pretty sure many usual uBO users missed this news as well.

This forum would serve well for news like this especially if users post news such as this often.

Re: uBlock Blocking CSP Raises Questions

Posted: Wed Nov 08, 2017 10:59 pm
by gotitbro
gorhill wrote: Wed Nov 08, 2017 1:20 pm only when they are deemed spurious. This disinformation has to stop.
Okay but how exactly are they determined to be spurious?

And I linked to The Register which is generally considered a respectable news source. Thanks for linking the GitHub issue as well.

Re: uBlock Blocking CSP Raises Questions

Posted: Thu Nov 09, 2017 12:16 am
by LanikSJ
[mention]gotitbro[/mention] Like we discussed elsewhere, I don't mind this forum being here. Just be prepared for "this is old news" type of posts, as most of us have seen the so-called "news" already.

Let's stick to the topic of this thread.

Re: uBlock Blocking CSP Raises Questions

Posted: Thu Nov 09, 2017 12:51 am
by gotitbro
Yes and thanks for that. I wouldn't be so sure of the "most of us" part though.

I'd like to stick to the topic as well; I was just answering the old news posts.

Re: uBlock Blocking CSP Raises Questions

Posted: Thu Nov 09, 2017 1:44 am
by LanikSJ
gotitbro wrote: Thu Nov 09, 2017 12:51 am I wouldn't be so sure of the "most of us" part though.
Let me clarify: by most I mean Forum Admins, EL Authors or Contributors. I'm fairly certain they would be keeping up on things like this. :mrgreen:

Re: uBlock Blocking CSP Raises Questions

Posted: Thu Nov 09, 2017 7:10 am
by -Mark-
The ones who should be concerned about this are those webmasters who intend on collecting session data from users via CSP reports.

Also theregister is a news blog just like the rest of them on the Internet, they work on tips from folks like Scott who intend to publicise things in a negative light when things don't go their way.

https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/

That's a better read than theregister's deluded, one sided blog post.

Re: uBlock Blocking CSP Raises Questions

Posted: Thu Nov 09, 2017 8:43 am
by gotitbro
Mark, Lanik, sure these people would be up to speed on such developments, but that doesn't mean the regular user shouldn't be.

Re: uBlock Blocking CSP Raises Questions

Posted: Thu Nov 09, 2017 8:17 pm
by LanikSJ
gotitbro wrote: Thu Nov 09, 2017 8:43 am ... but that doesn't mean the regular user shouldn't be.
Agreed as long as you guys keep things civil. ;-)

Re: uBlock Blocking CSP Raises Questions

Posted: Sat Nov 18, 2017 7:31 pm
by gotitbro
[mention]gorhill[/mention] [mention]Lanik[/mention] I see that an option has been added to uBO for enabling/disabling blocking of CSP reports in the latest public release of 1.14.18. The fact that it's also disabled by default puts a complete end to the security debate. Cool.

Re: uBlock Blocking CSP Raises Questions

Posted: Sun Nov 19, 2017 7:56 am
by -Mark-
There was no security debate from the beginning, just one person's fabrication to publicize uBO into something which is fundamentally untrue.