The popular content blocking extension uBlock Origin blocks CSP (Content Security Policy) reporting on websites that use it if it injects neutered scripts.
CSP reports any attempt to interfere with the site’s policies regarding scripts to the webmaster. This happens when users connect to the site, and webmasters use the reports to analyze and resolve the detected issues.
Scott Helme opened a support ticket on the official uBlock Origin GitHub page a few days ago in which he stated that the content blocker was blocking the “sending of legit CSP reports”.
It is true that reports are blocked. You can visit his website, https://scotthelme.co.uk/, and check the network log in your browser of choice to see the failed reporting attempts if you have uBlock Origin installed in the browser.
Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.
The browser extension uBlock Origin blocks Google Analytics to prevent user tracking. Since some sites stop working correctly if Google Analytics is not loaded properly, a neutered script is injected instead to reduce the chance of websites breaking.
CSP reports may be fired because of the injection of the neutered scripts, and uBlock Origin blocks these as well to prevent information leakage.
“uBO is not the cause of user information being leaked. The consequence of uBO doing its job (injecting neutered scripts) may cause CSP reports to be fired, hence uBO blocks CSP reports.
“Every network request which leaves a user agent must be for the benefit of the user, including CSP reports. The user agent is not owned by the remote server such that it gets to decide what should never be blocked or not.
“Hence if a network request to a remote server is potentially detrimental to the user, it gets blocked, especially if that network request is fired only as a result of uBO doing its job. This is such a case here.”
Basically, what it comes down to is the following: uBlock Origin acts first and foremost on behalf of its users. This means that it will block the sending of CSP reports that would be a result of the extension injecting neutered scripts, to block information such as the user’s IP address, user agent and the time and date the requests were made.
Third parties may abuse the system for user tracking, and that is another reason why these reports are blocked in uBlock Origin.
The extension does not block all CSP reports. It does so only if a neutered script is injected by the extension on a page. This obviously happens only if a resource on the page was blocked, say Google Analytics, and if a neutered version of the script exists. No CSP report is blocked if that is not the case.
Raymond Hill will release an update to the WebExtensions versions of uBlock Origin in the near future that distinguishes between CSP reports caused by the injection of neutered scripts and regular CSP reports. However, CSP reports are assumed spurious if, for whatever reason, uBlock Origin cannot parse the report.
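The rule described in the last two paragraphs, written out as an added example (this is not uBlock Origin's code): a report is blocked only when a neutered script was injected on the page and the report points at it, and a report that cannot be parsed is treated as spurious. The function names, the `injected` list and the sample reports are assumptions made for the illustration.

```javascript
// Added example: hypothetical decision logic, not uBlock Origin's source code.
// `injected` lists the URLs of neutered scripts the blocker placed on the
// page (assumed bookkeeping; the name is made up for this sketch).

// Browsers strip non-HTTP(S) URLs in reports down to the bare scheme ("data"),
// so compare schemes in that case and URL prefixes otherwise.
function sameResource(blockedUri, injectedUrl) {
  const scheme = injectedUrl.slice(0, injectedUrl.indexOf(':'));
  if (!blockedUri.includes(':')) return blockedUri === scheme;
  return injectedUrl.startsWith(blockedUri);
}

// Pull the blocked URIs out of either report format; null means "cannot parse".
function blockedUris(rawBody) {
  let doc;
  try { doc = JSON.parse(rawBody); } catch (e) { return null; }
  // report-uri format: {"csp-report": {"blocked-uri": "..."}}
  const legacy = doc && !Array.isArray(doc) && doc['csp-report'];
  if (legacy) doc = [{ type: 'csp-violation', body: { blockedURL: legacy['blocked-uri'] } }];
  // Reporting API format: [{"type": "csp-violation", "body": {"blockedURL": "..."}}]
  if (!Array.isArray(doc)) return null;
  const uris = doc.filter(r => r && r.type === 'csp-violation' && r.body)
                  .map(r => r.body.blockedURL);
  return uris.length > 0 && uris.every(u => typeof u === 'string') ? uris : null;
}

function decide(rawBody, injected) {
  if (injected.length === 0) return 'allow';   // nothing neutered on this page
  const uris = blockedUris(rawBody);
  if (uris === null) return 'block';           // unparsable: assumed spurious
  return uris.some(u => injected.some(i => sameResource(u, i))) ? 'block' : 'allow';
}

// Constructed sample data.
const injected = ['data:text/javascript,/*neutered-analytics-stub*/'];
const causedByStub = JSON.stringify({
  'csp-report': { 'blocked-uri': 'data', 'violated-directive': 'script-src' }
});
const unrelated = JSON.stringify([
  { type: 'csp-violation', body: { blockedURL: 'https://cdn.example/x.js' } }
]);

console.log(decide(causedByStub, injected), decide(unrelated, injected),
            decide('{oops', injected), decide(causedByStub, []));
```

A Reporting API batch is blocked as a whole in this sketch if any entry points at a neutered script; that is a choice made for the example.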
Users come first when it comes to uBlock Origin, and that is one of the reasons why the extension and its developer are as popular as they are.