-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow CSP reporting on the same domain #3062
Comments
LiCybora/NanoDefenderFirefox#196 (comment)
I'm glad |
Exactly why I use
CSP reporting on its own doesn't provide any identifying information (no IP, no browser info, not even browser type). Of course, you have an IP from the request itself, but that is the same as I already have for any standard API requests. Leaking IP, etc., is only a problem for 3rd-party reporting tools. As mentioned before, Mozilla's Firefox does support Note that I want to add CSP exactly because otherwise user data might leak out to 3rd parties. CSP is an extra layer of security for XSS problems, and XSS is an extra 3rd-party request (most of the time). Also, as a result of an attack, you could maybe even hijack an administrator password (which would be a huge privacy problem, not likely in our case, but more likely in a more generic situation). But I can just add CSP without reporting, right? No, unfortunately not. Excessively strict CSP might break some existing features. So, we cannot use a more strict CSP if we will not be able to monitor the situation properly. And a loose CSP means less security for users... I really don't want that extra security to die on the altar of stability, but that might be the reality of the situation. As a side note, I want to add that I looked through many documentation and articles on CSP lately. Most of them (almost all of them) point out that (as a starting point) you should always use reporting with
|
Check the wiki's section on CSP reports1 for arguments in favour of blocking these reports, as well as instructions for employing dynamic filtering rules to configure this on a per-site basis that works regardless of the relevant global setting. Maybe you could deploy2 the correct setup for your specific needs to just your clients. Footnotes |
Company I work for is selling a service and helpdesk. We are not selling systems with pre-installed Firefox. I can suggest some things, but cannot enforce them. I wouldn't even want to be able to enforce them. We have millions of users. Some of them are kids. We don't even have any actual analytical tools where kids are involved.
I can understand that you block 3rd-party calls. You should consider having different results for 3rd party calls and same domain. uBlock (by default) is not blocking images if ads come from same domain (1st-party).
It is a development tool, but not a tool that is only used during development. I wouldn't bother with reports if it would be only needed during development. I have a browser console for that.
I don't mind that uBlock can block CSP. By all means allow users to block any individual request. Just don't do it by default. That is all I ask. As said before, allowing CSP Reporting does actually benefit users. Various groups of users have different functions and use functions differently and they add various kinds of content to the app which make it behave differently. Although ideally one could test everything in-house it is not really feasible. CSP Reporting is made for that - make sure rules don't send any reports. If they do send reports in normal situations, then the rules need to relaxed before patching app. In abnormal situations, when a user is attacked, then the report is needed even more and benefit a user directly. |
Probably best is to add a sub-option to not block 1st-party CSP reports. |
Prerequisites
I tried to reproduce the issue when...
Description
CSP report-uri is blocked and I know this is intentional for 3rd-party requests, but uBO also blocks same-party requests (same domain). I understand concerns about data-leaks when sending CSP reports to a 3rd party sever. That is way I've written my own, simple reporting server... But that still doesn't work for FF+uBO. Note that this is quite important, because I actually encouraged clients to install Firefox with uBlock Origin. I have server stats and they are skewed towards Firefox (more FF users then in general population).
A specific URL where the issue occurs.
http://localhost/_test/CSP-policy-report/
Steps to Reproduce
Steps:
onclick
on a local Apache server. Example: CSP report test example.Header set ... "... ; report-uri /_test/csp-report-to/"
in.htaccess
.Example .hta:
This is the fetch request Firefox (Nightly) is doing when uBlock is disabled:
Expected behavior
uBO should allow 1st party requests for CSP reporting. CSP is crucial for security reasons, and reporting is, in our case at least, a service for our users. Our clients are public libraries, many lacking dedicated IT departments. Small libraries are fortunate if they receive a monthly visit from an IT professional. Our users also include children from primary schools who cannot report problems directly. Therefore, automatic reporting of security issues is essential. Both librarians and children are vulnerable to security problems such as XSS and clickjacking. If something is going on we could block a specific installation, inform librarians and investigate.
Additionally, note that CSP can report issues related to valid usages. Despite blocking our site's usage in an iframe (mostly due to clickjacking prevention), we still want the ability to identify valid use cases that we may consider allowing in the future.
Actual behavior
The CSP request is blocked. Even on the same domain. Even on localhost.
Note that FF itself doesn't block CSP reporting even in enhanced privacy mode.
uBO version
1.55.0
Browser name and version
Firefox Nightly v123.0a1
Operating System and version
Windows 10
The text was updated successfully, but these errors were encountered: