HarborFront

Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from sounding the alarm on hacking attacks.

At the heart of the matter is a fairly new technology called content security policy reporting, or CSP reporting. It is documented in a W3C draft and in guides from Google and Mozilla. Websites can use CSPs to whitelist the scripting code that's allowed to run on their pages, thus stopping attackers from injecting malicious JavaScript into browsers to hijack users' logged-in accounts.

It's supposed to kill cross-site-scripting, aka XSS, attacks, and automatically report hacking attempts back to the website's administrators. It's very handy.

However, uBlock Origin is blocking browsers from sending these CSP alerts, infosec consultant Scott Helme reported on Monday in a bug report on the uBlock Origin GitHub repo. The free Chrome and Firefox plugin bins all CSP reports if any script neutered to protect the user's privacy is allowed onto the page, such as a defanged Google Analytics script.

In his bug report, Helme wrote:

uBO is blocking the sending of legitimate CSP reports. I have a policy set up on Scott Helme which fires multiple reports that are all blocked.

uBlock Origin developer Raymond Hill replied that this is "by design," and that the plugin kills all CSP alerts if any neutered scripts, such as Google traffic analytics, are allowed to run. He added users could manually whitelist Google Analytics for a particular site to avoid any CSP reports being suppressed, and closed the bug:

uBO will block CSP reports if it injects at least one neutered script in a page. This is what is happening on Scott Helme, uBO is injecting a neutered Google Analytics script. In such a case, uBO conservatively assumes that the injected script is what is causing the CSP reports and blocks them. If you create an allow rule for Google Analytics for that site, the CSP reports are not blocked.

The trouble is that websites won't receive alerts from browsers when uBlock Origin is installed and miscreants are trying to execute XSS attacks. That means site developers and admins may be unaware of attempts to exploit weaknesses in their code, vulnerabilities may not be addressed, and people may end up losing control of their accounts if attacked. Ultimately, Helme and others want to end uBlock Origin's broad blockade of CSP alerts.

"uBO can block Google Analytics without interfering with CSP reports. The two things aren't related, they're choosing to prevent the CSP report being sent," Helme told El Reg. Troy Hunt, who runs the Have I Been Pwned website, added: "This is the problem: if you've got an XSS risk on your site, for example, a browser running uBlock Origin can no longer report it to you."

Hill countered that CSP reports are a potential privacy issue, in that it is data phoned home to a remote server. “CSP reporting helps a host to fix their own problems in configuring their server, it does not help at all to fix users' own problems. CSP reports are not for the benefits of users – to say so is just marketing,” he argued.

Essentially, uBlock Origin is trying to stop Google Analytics from tracking people across the web. Hill warned that spurious CSP reports may be generated when it neuters scripts, and it blocks these reports to prevent information leakage.

Helme told El Reg that uBlock Origin’s blanket policy was not only unworkable but ill-conceived. Any information reported back to a website from one of its own webpages should be known to the website anyway: the site generated the page, after all.

“uBO is taking unilateral and indiscriminate action against all reports,” Helme explained. “If they want to restrict reports caused by them then fair enough, but to stop the site sending any reports about security incidents just seems dangerous at best.

“I don't see how sending a CSP report to a reporting service is any more privacy violating than loading an image, script or stylesheet from a content delivery network. 99.99999 per cent of users aren't even going to know about CSP so suggesting that users can manually whitelist this to make it work is a non-starter."

The issue has sparked a lively debate on social media. Techie Dmitry Chestnykh, a uBlock Origin user, argued that the plugin is enhancing user privacy: "CSP reporting is not a security feature for users, CSP blocking is. It's not the user's responsibility to report that your site is broken."

Paul Moore, a UK-based chief information security officer with an interest in web privacy, disagreed. "It seems bizarre that a plugin to aid security and privacy not only breaks enhanced user agent features but actively refuses to fix it," he said.

Meanwhile, Hill has since reopened Helme's bug to reinvestigate the matter, noting: "I will look into whether it is possible and practical for uBO to block only whatever CSP reports are fired as a result of uBO doing its job."

In short, if you use uBlock Origin, for now, your browser can't warn websites when they and their users are under attack from account and session hijackers.

uBlock Origin ad-blocker knocked for blocking hack attack squawking
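As an added example (not code from the article, from Scott Helme's site or from uBlock Origin; the function names, the /csp-report path, the example.test hosts and the sample reports are assumptions constructed for illustration), here is what a report-uri policy and the endpoint that receives its reports look like, written as plain Node.js functions so it runs without a listening server. It shows the two points the thread argues over: a violation with blocked-uri "inline" is what an injected script produces, but it is also what an extension injecting its own script produces, so the receiver cannot tell them apart from the report alone; and the report POST carries the client IP and User-Agent exactly as any other request to the site does.

```javascript
// Added example, not the article's, Scott Helme's or uBlock Origin's code.
// Assumed names: buildCspHeader, parseCspReport, triageReport, handleReport
// and the /csp-report path. The sample reports below are constructed.

// A report-uri policy: scripts only from the page's own origin plus any
// extra origins passed in (e.g. an analytics host); violations are POSTed back.
function buildCspHeader({ reportPath = '/csp-report', scriptOrigins = [] } = {}) {
  const scriptSrc = ["'self'", ...scriptOrigins].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "object-src 'none'",
    `report-uri ${reportPath}`,
  ].join('; ');
}

// Parse the JSON body a browser POSTs for report-uri
// (Content-Type: application/csp-report). Returns null for malformed input so
// the endpoint can reject it without throwing.
function parseCspReport(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = data && data['csp-report'];
  if (!r || typeof r !== 'object') return null;
  return {
    documentUri: String(r['document-uri'] || ''),
    blockedUri: String(r['blocked-uri'] || ''),
    // CSP2 browsers send violated-directive; CSP3 adds effective-directive.
    directive: String(r['effective-directive'] || r['violated-directive'] || ''),
  };
}

// Triage a script-src violation. 'inline' and 'eval' are what an injected
// <script> or eval() produces (the XSS-relevant case), but a browser extension
// injecting its own script into the page yields the same report, which is the
// ambiguity the debate above is about. An absolute URL means a remote script
// the policy did not list: either a policy gap or an injected remote script.
function triageReport(report) {
  if (!report) return 'invalid';
  const directive = report.directive.split(' ')[0];
  if (directive !== 'script-src') return 'non-script';
  const b = report.blockedUri;
  if (b === 'inline' || b === 'eval') return 'inline-or-eval';
  try {
    const host = new URL(b).hostname;
    return host ? 'external:' + host : 'other';
  } catch (e) {
    return 'other';
  }
}

// The receiving endpoint as a pure function: the body plus the metadata every
// HTTP request already carries (client IP, User-Agent), which is the data the
// privacy objection concerns. Returns the status to send and the log line.
function handleReport(body, meta) {
  const report = parseCspReport(body);
  const kind = triageReport(report);
  if (kind === 'invalid') return { status: 400, kind, logLine: null };
  return {
    status: 204,
    kind,
    logLine: {
      kind,
      page: report.documentUri,
      directive: report.directive,
      blockedUri: report.blockedUri,
      clientIp: meta.ip,
      userAgent: meta.userAgent,
    },
  };
}

// Constructed sample reports (not captured from any real site).
const INLINE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.test/account',
    'violated-directive': "script-src 'self' https://www.google-analytics.com",
    'effective-directive': 'script-src',
    'blocked-uri': 'inline',
    'status-code': 200,
  },
});
const REMOTE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.test/account',
    'violated-directive': "script-src 'self' https://www.google-analytics.com",
    'blocked-uri': 'https://cdn.attacker.test/steal.js',
  },
});
const META = { ip: '203.0.113.7', userAgent: 'Mozilla/5.0 (constructed)' };

console.log(buildCspHeader({ scriptOrigins: ['https://www.google-analytics.com'] }));
console.log(handleReport(INLINE_REPORT, META));
console.log(handleReport(REMOTE_REPORT, META));
```

The triage deliberately stops at "inline-or-eval": a receiver that wants to act on such a report still has to correlate it with what the page actually served, which is Helme's point that the site already knows its own content, and the fact that an extension's injected script produces the same report is Hill's reason for suppressing them.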
Arequire

For anyone knowledgeable about CSPs and CSP reporting: What benefit does a developer whose CSP is reporting a violation - let's say from a malicious JavaScript injection - receive from knowing each user's originating country (IP address) and which OS/browser is being used (user agent string)?
 

Arequire

Seems that way according to Helme but if you listen to Raymond then not blocking the CSP reports is a privacy issue.

So who knows. I do not.
It depends if you consider your IP address and user agent string crucial to your privacy or not.

Your public IP address doesn't give away your exact location but does give away which country you reside in. The issue is if it isn't a dynamic IP (which changes every time you turn off your router) or you aren't using a VPN then you basically leave a trail across the internet as Mr 93.613.267.714. (That's a random string of numbers I generated, not a real IP address.)

Your user agent string identifies your operating system and browser. It tells sites which OS you're using, if it's 32-bit or 64-bit, which browser you're using and what version of that browser. As you may know, the online advertising industry combines your user agent string with various other elements about your browser and system hardware for use in device fingerprinting.

Arequire

I do see them both as being crucial. Thanks for clarifying it a bit further. I have been using uBO for a great deal of time and have no plans to remove it.
The user agent by itself isn't a privacy risk. This is my non-spoofed user agent:

You can't really glean anything worthwhile from it. The issue is when it's put together with information that can be used to partially or fully identify individual users or their devices.
 

ElectricSheep

According to the report, uBlock origin does not pose a security risk to you the user. It deprives the website's owner of certain feedback from you, which can help him keep his website clean of malware.
Good point there, but wouldn't it help if the website owners were alerted to instances of malware as there will be visitors who AREN'T armed with uBlock Origin?
 

zzz00m

I use uBlock Origin in all of my browsers. His focus is on protecting his users. If a reasonable compromise can be reached that addresses both the end user experience and the website operators need to know, I am in full support. Otherwise the end user trumps the hand!