uBlock Origin ad-blocker knocked for blocking hack attack squawking

https://www.theregister.co.uk/2017/10/17/ublock_origin_csp_reports/

Block all the things! No, wait, not the XSS security alerts

Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from sounding the alarm on hacking attacks.

..........

Content Security Policy, aka CSP, is supposed to kill cross-site scripting, aka XSS, attacks, and automatically report hacking attempts back to the website's administrators. It's very handy.

However, uBlock Origin is blocking browsers from sending these CSP alerts, infosec consultant Scott Helme reported on Monday in a bug report on the uBlock Origin GitHub repo. The free Chrome and Firefox plugin bins all CSP reports if any script neutered to protect the user's privacy is allowed onto the page, such as a defanged Google Analytics script.

In his bug report, Helme wrote:

uBO is blocking the sending of legitimate CSP reports. I have a policy set up on https://scotthelme.co.uk which fires multiple reports that are all blocked.

..........

uBO will block CSP reports if it injects at least one neutered script in a page. This is what is happening on https://scotthelme.co.uk/: uBO is injecting a neutered Google Analytics script. In such a case, uBO conservatively assumes that the injected script is what is causing the CSP reports and blocks them. If you create an allow rule for Google Analytics for that site, the CSP reports are not blocked.

The trouble is that websites won't receive alerts from browsers when uBlock Origin is installed and miscreants are trying to execute XSS attacks. That means site developers and admins may be unaware of attempts to exploit weaknesses in their code, vulnerabilities may not be addressed, and people may end up losing control of their accounts if attacked. Ultimately, Helme and others want to end uBlock Origin's broad blockade of CSP alerts.
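As an added illustration (not code from the article, from uBlock Origin or from Scott Helme's site), here is a minimal report-uri receiver that unwraps the JSON a browser POSTs and separates extension-generated violations from reports a site owner should look at. The site URL, extension id and report bodies are constructed placeholders.

```python
import json
from collections import Counter

# Schemes only a browser extension produces; a blocked-uri using one is extension noise.
EXTENSION_SCHEMES = ("chrome-extension://", "moz-extension://", "safari-extension://")

# Constructed sample bodies in the shape browsers POST to a report-uri endpoint.
SAMPLE_REPORTS: list[bytes] = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",  # hypothetical site
        "effective-directive": "script-src",
        "blocked-uri": "https://attacker.example/x.js"}}).encode(),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "effective-directive": "script-src",
        "blocked-uri": "chrome-extension://EXTENSION-ID-PLACEHOLDER/inject.js"}}).encode(),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "effective-directive": "script-src",
        "blocked-uri": "inline",
        "script-sample": "var ga = function(){}"}}).encode(),
]

def parse_csp_report(body: bytes) -> dict:
    """Unwrap the top-level "csp-report" object; reject anything else."""
    doc = json.loads(body.decode("utf-8"))
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("body is not a CSP violation report")
    return report

def classify(report: dict) -> str:
    """Sort one report into a triage bucket by what the browser blocked."""
    blocked = report.get("blocked-uri", "")
    if blocked.startswith(EXTENSION_SCHEMES):
        return "extension-noise"
    if blocked == "inline":
        # Ambiguous: an injected inline script is what XSS looks like, but also what an extension's replacement script looks like.
        return "inline-needs-review"
    return "external-violation"

def triage(bodies: list[bytes]) -> dict[str, int]:
    """Count reports per bucket, counting bodies that are not CSP reports as malformed."""
    counts = Counter()
    for body in bodies:
        try:
            counts[classify(parse_csp_report(body))] += 1
        except (ValueError, UnicodeDecodeError):
            counts["malformed"] += 1
    return dict(counts)
```

Reports in the "inline-needs-review" bucket are exactly the ones uBlock Origin suppresses wholesale, since it cannot tell its own injected script apart from an attacker's; a receiver that keeps them lets the site owner make that call instead.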

..........

  ex Wikipedia (page last edited on 7 October 2017, at 13:58):

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Bug bounty company HackerOne in 2017 reported that XSS is still a major threat vector.[2] XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

..........