Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from thwarting and sounding the alarm on hacking attacks.
Content Security Policy (CSP) is supposed to kill cross-site-scripting, aka XSS, attacks, and automatically report hacking attempts back to the website's administrators. It's very handy.
However, uBlock Origin is blocking browsers from sending these CSP alerts, infosec consultant Scott Helme reported on Monday in a bug report on the uBlock Origin GitHub repo. The free Chrome and Firefox plugin bins all of a page's CSP reports whenever it has injected a neutered stand-in for a blocked script to protect the user's privacy, such as a defanged Google Analytics script.
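As an added illustration (not part of The Register's article or of uBlock Origin's code), here is what the CSP reports mentioned above look like when they do reach a site's reporting endpoint, in both the legacy report-uri format and the newer Reporting API format, and how an endpoint normalizes them. The sample reports and the example.test URLs are constructed.

```python
import json

# Constructed sample of the legacy report-uri format: one JSON object per POST.
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "effective-directive": "script-src",
    "violated-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri /csp-report",
    "blocked-uri": "https://www.google-analytics.com/analytics.js",
    "disposition": "enforce",
}})

# Constructed sample of the Reporting API (report-to) format: a JSON array,
# which may mix report types; only "csp-violation" entries concern us here.
REPORT_TO_BATCH = json.dumps([
    {"type": "csp-violation", "url": "https://example.test/page", "body": {
        "documentURL": "https://example.test/page",
        "effectiveDirective": "script-src",
        "blockedURL": "inline",
        "disposition": "report",
    }},
    {"type": "deprecation", "url": "https://example.test/page", "body": {}},
])

def parse_csp_reports(raw: str) -> list:
    """Normalize a CSP report POST body (either format) into plain records."""
    data = json.loads(raw)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        return [{
            "document": r.get("document-uri"),
            "directive": r.get("effective-directive") or r.get("violated-directive"),
            "blocked": r.get("blocked-uri"),
            "disposition": r.get("disposition", "enforce"),
        }]
    if isinstance(data, list):
        records = []
        for item in data:
            if item.get("type") != "csp-violation":
                continue  # other Reporting API report types are not CSP
            body = item.get("body", {})
            records.append({
                "document": body.get("documentURL"),
                "directive": body.get("effectiveDirective"),
                "blocked": body.get("blockedURL"),
                "disposition": body.get("disposition", "enforce"),
            })
        return records
    raise ValueError("unrecognized CSP report body")
```

Because an extension can suppress these POSTs entirely, as the article describes, a report endpoint only ever sees a best-effort sample of violations, never a complete count.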
In his bug report, Helme wrote:
uBO is blocking the sending of legitimate CSP reports. I have a policy set up on https://scotthelme.co.uk which fires multiple reports that are all blocked.
uBlock Origin developer Raymond Hill replied that this is "by design," and that the plugin kills all CSP alerts if any neutered scripts, such as Google traffic analytics, are allowed to run. He added that users could manually whitelist Google Analytics for a particular site to avoid any CSP reports being suppressed, and closed the bug:
uBO will block CSP reports if it injects at least one neutered script in a page. This is what is happening on https://scotthelme.co.uk/, uBO is injecting a neutered Google Analytics script. In such case, uBO conservatively assumes that the injected script...