Breaking functionality, removing legit content, killing CSP reports
Replying to @troyhunt @wetcoastlife
I've never seen ublock break any web pages in the two years I've been using it, but of course that's only one anecdotal data point
1 reply 0 retweets 1 like -
Replying to @notnullnotvoid @wetcoastlife
Try my blog and see if it kills the sponsor message. Or try this and see if it kills the CSP report: http://reporturidemos.azurewebsites.net/upgrade-https-and-report …
2 replies 0 retweets 2 likes -
Replying to @troyhunt @wetcoastlife
I thought you were going to show an interesting problem (like weakening CSP) but I don't see anything like that, just UBO doing its job...
1 reply 0 retweets 0 likes -
Replying to @RichFelker @wetcoastlife
Killing CSP is bad for everyone, @Scott_Helme and I have gone round and round with them on this
1 reply 0 retweets 0 likes -
Killing CSP (which you can definitely do; I see the option in about:config) is definitely bad. Killing just reporting is either less-bad or good but doesn't seem to be offered.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @troyhunt and
Presumably there are privacy (re: extensions you're using, for example) reasons someone may want to block CSP reporting; without an option to do so they have to fully turn off CSP which seems very bad.
1 reply 0 retweets 0 likes -
Extensions should not cause CSP reports, if they do then it's on the extension developer. Killing CSP and/or reports because an extension is doing something wrong is seriously not cool and bad for security.
1 reply 0 retweets 0 likes -
It really depends on your perspective. I'm pretty sure it's possible to set up a site with bad resource links so that the server expects to see CSP reports, thereby detecting if the user is blocking them.
1 reply 0 retweets 0 likes -
There are easier ways to do that without having to use CSP.
1 reply 0 retweets 0 likes
Yes, of course. Maybe the motivations for disabling CSP reporting are minor in the big scheme of things, but still seems like it should be possible.
Replying to @RichFelker @Scott_Helme and
My view is pretty much always that the user-agent is called user-agent for a reason and shouldn't be doing anything the user doesn't want done.
1 reply 1 retweet 3 likes - 1 more reply