uBlock Origin ad-blocker knocked for blocking hack attack squawking

www.theregister.co.uk | 10/17/2017 | Staff

Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from thwarting and sounding the alarm on hacking attacks.

At the heart of the matter is a fairly new technology called content security policy reporting, or CSP reporting. It is documented in a W3C draft, by Google, and by Mozilla. Websites can use CSPs to whitelist the scripting code that's allowed to run on their pages, thus stopping attackers from injecting malicious JavaScript that hijacks users' logged-in sessions in the browser.


It's supposed to kill cross-site-scripting, aka XSS, attacks, and automatically report hacking attempts back to the website's administrators. It's very handy.
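To make the mechanism concrete, here is an added Python example that is not from the article, from uBlock Origin, or from Scott Helme's site. It shows the server side of CSP reporting: building a policy header that names a report endpoint, then parsing and triaging the JSON document a browser POSTs to that endpoint when the policy blocks something. The report path, the allowed hosts and the sample report are constructed assumptions.

```python
import json

# Constructed policy: same-origin scripts only (plus any hosts the caller names),
# no plugins, and violations reported to a same-origin endpoint. The report path
# is an assumption for this example, not a value from the article.
def build_csp_header(report_path="/csp-report", extra_script_hosts=()):
    script_src = ["'self'", *extra_script_hosts]
    return (
        "default-src 'self'; "
        f"script-src {' '.join(script_src)}; "
        "object-src 'none'; "
        f"report-uri {report_path}"
    )


def parse_csp_report(body):
    """Parse the body a browser POSTs to the report-uri endpoint.

    Browsers send a JSON object with a single "csp-report" key
    (Content-Type: application/csp-report). Returns the fields a defender
    triages, or None when the body is not a well-formed CSP report.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    return {
        "document": report.get("document-uri", ""),
        # Newer browsers send effective-directive; fall back to violated-directive.
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked": report.get("blocked-uri", ""),
    }


def classify_report(parsed):
    """Coarse triage of one parsed report.

    A blocked inline script or eval on a page that only allows its own hosted
    scripts is the signature of an injection attempt; a blocked extension URL
    is almost always the user's own browser add-ons; anything else under
    script-src is a script host the policy does not know about.
    """
    directive = parsed["directive"]
    blocked = parsed["blocked"]
    if directive.startswith("script-src"):
        if blocked in ("inline", "eval", ""):
            return "possible-injection"
        if blocked.startswith(("chrome-extension:", "moz-extension:", "safari-extension:")):
            return "browser-extension"
        return "unexpected-script-host"
    return "other"


# Constructed sample of what a browser would POST; not a real captured report.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.test/login",
        "effective-directive": "script-src",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline",
    }
})

if __name__ == "__main__":
    print(build_csp_header())
    parsed = parse_csp_report(SAMPLE_REPORT)
    print(parsed, classify_report(parsed))
```

The receiver can only triage reports that actually arrive. A client-side extension that discards the report, as the article describes, leaves no trace on the server, so an empty report log is not evidence that no policy violations occurred.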

However, uBlock Origin is blocking browsers from sending these CSP alerts, infosec consultant Scott Helme reported on Monday in a bug report on the uBlock Origin GitHub repo. The free Chrome and Firefox plugin bins all CSP reports if any script neutered to protect the user's privacy is allowed onto the page, such as a defanged Google Analytics script.


In his bug report, Helme wrote:

uBO is blocking the sending of legitimate CSP reports. I have a policy setup on https://scotthelme.co.uk which fires multiple reports that are all blocked.


uBlock Origin developer Raymond Hill replied that this is "by design," and that the plugin kills all CSP alerts if any neutered scripts, such as Google traffic analytics, are allowed to run. He added that users could manually whitelist Google Analytics for a particular site to avoid any CSP reports being suppressed, and closed the bug:

uBO will block CSP reports if it injects at least one neutered script in a page. This is what is happening on https://scotthelme.co.uk/, uBO is injecting a neutered Google Analytics script. In such case, uBO conservatively assumes that the injected script...
(Excerpt) Read more at: www.theregister.co.uk