uBlock Origin Is Blocking Content Security Policy Reporting

Megalith

uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: the ad-blocking plugin is preventing browsers from sounding the alarm on hacking attacks. At the heart of the matter is a fairly new technology called content security policy reporting, or CSP reporting, which websites can use to whitelist the scripting code that's allowed to run on their pages, thus stopping attackers from injecting malicious JavaScript into browsers that hijack users' logged-in accounts.

It's supposed to kill cross-site-scripting, aka XSS, attacks, and automatically report hacking attempts back to the website's administrators. It's very handy. However, uBlock Origin is blocking browsers from sending these CSP alerts, infosec consultant Scott Helme reported on Monday in a bug report on the uBlock Origin GitHub repo. That means site developers and admins may be unaware of attempts to exploit weaknesses in their code, vulnerabilities may not be addressed, and people may end up losing control of their accounts if attacked.
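Since the article above only describes CSP reporting in prose, here is an added example (not code from the thread, from uBlock Origin, or from Scott Helme) showing the two halves of the mechanism: the Content-Security-Policy header that whitelists script sources and names a report endpoint, and a parser plus triage step for the JSON violation report a browser POSTs to that endpoint when a script is blocked. The policy, the /csp-report path, the example domains, the sample report and all function names are constructed for illustration.

```python
"""Added example: build a CSP header with report-uri and triage the
violation reports it produces. Everything below is constructed sample
data, not the configuration of any real site."""
import json
from urllib.parse import urlsplit

# Constructed policy: same-origin scripts plus one named CDN may run;
# anything else is blocked and reported to /csp-report (assumed path).
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "report-uri": ["/csp-report"],
}

# Schemes that identify scripts injected by browser extensions; these
# reports are noise about the visitor's browser, not about the site.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension",
                     "safari-extension", "safari-web-extension"}

# Constructed report, in the {"csp-report": {...}} shape browsers POST
# to a report-uri endpoint.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example.com/account",
    "violated-directive": "script-src 'self' https://cdn.example.com",
    "blocked-uri": "https://evil.example.net/steal.js",
    "source-file": "https://shop.example.com/account",
    "line-number": 42,
}})


def build_header(policy):
    """Serialise {directive: [sources]} into a Content-Security-Policy value."""
    return "; ".join(f"{name} {' '.join(values)}"
                     for name, values in policy.items())


def parse_report(body):
    """Extract the fields an admin needs from a csp-report JSON body."""
    data = json.loads(body)
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("body is not a csp-report object")
    # Some browsers append the effective source list after the directive
    # name, so keep only the first token.
    directive = str(report.get("violated-directive", "")).split(" ")[0]
    return {
        "document_uri": report.get("document-uri", ""),
        "directive": directive,
        "blocked_uri": report.get("blocked-uri", ""),
        "source_file": report.get("source-file", ""),
        "line_number": report.get("line-number"),
    }


def origin_of(uri):
    """Return scheme://host[:port] for a URI, or '' if it has none."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def matches_policy(parsed, policy):
    """True if the blocked origin is listed for the violated directive
    (falling back to default-src), meaning the report contradicts the
    policy we believe is deployed and the header should be checked."""
    sources = policy.get(parsed["directive"]) or policy.get("default-src", [])
    blocked = origin_of(parsed["blocked_uri"])
    doc = origin_of(parsed["document_uri"])
    for src in sources:
        if src == "'self'" and blocked and blocked == doc:
            return True
        if origin_of(src) and origin_of(src) == blocked:
            return True
    return False


def triage(parsed, policy):
    """Bucket a parsed report for review: extension noise, inline/eval
    blocks, a mismatch with the expected policy, or an external source
    that the policy correctly refused to load."""
    blocked = parsed["blocked_uri"]
    if urlsplit(blocked).scheme in EXTENSION_SCHEMES:
        return "extension-noise"
    if blocked in ("inline", "eval", "self", ""):
        return "inline-or-eval"
    if matches_policy(parsed, policy):
        return "policy-mismatch"
    return "external-violation"


if __name__ == "__main__":
    print("Content-Security-Policy:", build_header(POLICY))
    parsed = parse_report(SAMPLE_REPORT)
    print(triage(parsed, POLICY), parsed["blocked_uri"])
```

The triage step matters for the point the article makes: a site that receives reports has to separate real injection attempts from the steady stream of extension-injected scripts before anyone will act on them, and a site whose visitors never send reports at all, as described for uBlock Origin users, sees neither.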
 
Eh, just block everything and let god sort it out. CSP alerts sound like a good thing, but I don't recall ever seeing it in action.
 
or CSP reporting, which websites can use to whitelist the scripting code that's allowed to run on their pages, thus stopping attackers from injecting malicious JavaScript into browsers that hijack users' logged-in accounts.

This is making one VERY BIG ASSUMPTION - that the code on the website can be trusted or hasn't been hijacked by someone else. Sounds like uBlock is doing the right thing here.
 
I thought the important part was stopping the hack in the first place, not reporting it after it happens. Reminds me of the "security monitor" commercials. "Oh, I don't stop the attacks, I just let you know when they happen." Maybe admins should take responsibility for their own code and the ads they serve on their website instead of shifting the blame.
 
Block everything is much better than letting these developers learn of vulnerabilities, which they will patch a few months later (if lucky).
It's not like these scripts are absolutely required to serve content that the user wants.
 