uBlock Origin criticized for blocking CSP
The popular content blocking extension uBlock Origin blocks CSP reporting on websites that make use of it if it injects neutered scripts.
CSP reports any attempt of interfering with the site's policies in regards to scripts to the webmaster. This happens when users connect to the site, and is used by webmasters to analyze and resolve the detected issues.
- uBlock Origin: official repository and downloads
- uBlock Origin: how to remove any element from a page permanently
Scott Helme opened a support ticket on the official uBlock Origin GitHub page a couple of days ago in which he stated that the content blocker was blocking the "sending of legitimate CSP reports".
It is true that reports are blocked. You can visit his website, https://scotthelme.co.uk/, and check the network log in your browser of choice to see the failed reporting attempts if you have uBlock Origin installed in the browser.
Raymond Hill, the developer of uBlock Origin, replied stating that this was not a bug but by design. The extension blocks the sending of CSP reports if it injects a neutered Google Analytics script.
The browser extension uBlock Origin blocks Google Analytics to prevent user tracking. Since some sites stop working correctly if Google Analytics is not loaded properly, a neutered script is injected instead to reduce the likelihood of sites breaking.
CSP reports may be fired because of the injecting of the neutered scripts, and uBlock Origin blocks those as well to prevent information leakage.
uBO won't beÂ the causeÂ of user information being leaked. The consequence of uBO doing its job (injecting neutered scripts) may cause CSP reports to be fired, hence uBO blocks CSP reports.
Every network request which leaves a user agent must be for the benefit of the user, including CSP reports. The user agent is not owned by the remote server such that it gets to decide what should never be blocked or not.
Hence if a network request to a remote server is potentially detrimental to the user, it gets blocked, especially if that network request is fired solely as a result of uBO doing its job. This is such case here.
Basically, what it comes down to is the following: uBlock Origin acts first and foremost on behalf of its users. This means that it will block the sending of CSP reports that could be a result of the extension injecting neutered scripts to block information such as the user's IP address, user agent and time and date the requests were made.
Third-parties could abuse the system for user tracking, and that is another reason why these reports are blocked in uBlock Origin.
The extension does not block all CSP reports. It only does so only if a neutered script is injected by the extension on a page. This happens only obviously if a resource on the page was blocked, say Google Analytics was blocked, and if a neutered version of the script exists. No CSP report is blocked if that is not the case.
Raymond Hill will release an update to the WebExtensions versions of uBlock Origin in the near future that distinguishes between CSP reports caused by the injecting of neutered scripts and regular CSP reports. CSP reports are assumed spurious if, for whatever reason, uBlock Origin cannot parse the report however.
Users come first when it comes to uBlock Origin, and that is one of the reasons why the extension and its developer are as popular as they are.