And in the latest edition of “why you should HTTPS all the things”, I present to you Starbucks mining BTC in your customers’ browsers https://twitter.com/imnoah/status/936948776119537665
I thought you were going to show an interesting problem (like weakening CSP) but I don't see anything like that, just UBO doing its job...
Killing CSP is bad for everyone, @Scott_Helme and I have gone round and round with them on this
Killing CSP (which you can definitely do; I see the option in about:config) is definitely bad. Killing just reporting is either less-bad or good but doesn't seem to be offered.
Presumably there are privacy (re: extensions you're using, for example) reasons someone may want to block CSP reporting; without an option to do so they have to fully turn off CSP which seems very bad.
Extensions should not cause CSP reports, if they do then it's on the extension developer. Killing CSP and/or reports because an extension is doing something wrong is seriously not cool and bad for security.
It really depends on your perspective. I'm pretty sure it's possible to set up a site with bad resource links so that the server expects to see CSP reports, thereby detecting if the user is blocking them.
There are easier ways to do that without having to use CSP.
Yes, of course. Maybe the motivations for disabling CSP reporting are minor in the big scheme of things, but it still seems like it should be possible.
My view is pretty much always that the user-agent is called user-agent for a reason and shouldn't be doing anything the user doesn't want done.