"CSP itself ensures that resources can only be delivered from the places that the website author intended."

Which is ultimately the root of the whole problem. We are forced to use addons like uBlock and Noscript precisely because the places the website author wants to allow to run scripts are not places I want to allow to run scripts. If my implementation of a whitelist interferes with theirs, that's entirely their own fault for forcing me to do it in the first place.

Essentially, what they want is the right to stick a sewage pipe through my wall to spew shit into my home. CSP is an attempt to detect if anyone else drills a hole into the pipe before it reaches my house and adds some of their own shit to it, by analysing the shit inside my house. uBlock simply blocks the pipe off and stops any of the shit coming in, so now they complain that their analysis tools no longer work and they can't tell who might be trying to dump shit on me; some of that shit might be illegitimate shit that I wouldn't want inside my house! Having successfully blocked off the flow of all shit, I unsurprisingly don't give a shit.

"It's more like you installed a pipe from a service that promised to deliver manure, then got upset when your careful shoveling did not reveal sufficient horses mixed in, and decided to complain about the smell."

No, you've missed a rather important part, albeit one I didn't make clear in the analogy - I did not sign up to a service that promised to deliver manure, I signed up for a horse. The website insists on trying to dump manure into my house at the same time, and Adblock, Noscript and similar are attempts to block the manure while still being able to ride the horse. Since there is no contract requiring me to accept the manure and no legitimate reason for it to actually be there, they're left with complaining that blocking it degrades their ability to check the manure for purity. Which completely misses the point that I don't care how pure the manure they're dumping in my house is, I don't want any of it.

In fact this is a particularly good analogy, since horses inevitably come with their own supply of manure, and people are generally perfectly willing to accept that small amount that is necessary for it to function normally. What we object to is the attempt to stick a sewage pipe into our homes at the same time with no justification other than that, since we're OK with a small amount of unavoidable shit, we must also be fine accepting whatever amount they're able to shovel in after it.

They are some of the brightest minds in info sec.

CSP, for the uninitiated amongst you, allows you to specify the domains that are permitted to serve what types of content to your pages. So I can say that the only domains that may deliver inline scripts are xyz, and the only ones that can deliver media are cloudflare etc. When the browser renders the page and is asked to fetch resources, less sucky browsers will refuse to load those resources. Basically, if your browser is submitting a report, it has already protected you. It could be that the site owner had misconfigured the CSP, or that some MitM is modifying the http pages, or that some advertising network is trying to fingerprint the visitor, but either way, the browser has correctly blocked it. The reporting allows the browser to submit details of the violation. The complaint is that this report is blocked. The only people to benefit from this report are the site owner (if misconfigured) or old IE/Safari users whose CSP isn't processed or isn't processed correctly. Why should my privacy be decreased because they choose a browser with less support for a security feature?

With respect, some of those arguments don't really hold water. For a start, it's not comparable to relying upon a WAF to avoid worrying about input sanitisation.

1. The website has implemented it, allowing only what is needed.
2. The browser reacts correctly to the directive.
3. The site is designed in such a way to allow 1 to restrict enough things that miscreants might exploit.

It is only after 2 occurs that you can possibly receive an error report. Or, looking from another angle, if the CSP didn't "save us", then neither could the owner "be informed" via the CSP rule. It is possible that my safety is improved because another user submitted a report from their browser where mine didn't react correctly.

Which is a point that I made from the opposite angle.
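As an added illustration of the CSP mechanics described in the comment above (example code written for this page, not anything posted by the commenters or shipped by uBlock Origin), the JavaScript below models the two separate steps a browser takes: it applies the policy to a fetch and refuses whatever the policy does not admit, and only for a refused fetch does it build the report-uri payload, whose delivery is a second request that a content blocker can drop without changing the first step. The page URL, the hostnames, the policy and the fetches are all made up; nonces, hashes and the less common keywords are not modelled.

```javascript
// Added example, not code from the thread: a small model of how a browser
// applies a Content-Security-Policy header to one fetch and what the violation
// report POSTed to report-uri looks like (CSP Level 2 shape). The page URL,
// hostnames, policy and fetches are constructed for illustration.
const PAGE_URL = "https://shop.example/checkout";

// Roughly what "only xyz may deliver scripts, only cloudflare may deliver
// media" becomes as a header (hostnames made up).
const POLICY_HEADER =
  "default-src 'self'; script-src 'self' https://xyz.example; " +
  "media-src https://*.cloudflare.example; report-uri /csp-report";

// "directive src src; directive src" -> { directive: [src, ...] }
function parsePolicy(header) {
  const policy = {};
  for (const clause of header.split(";")) {
    const [name, ...sources] = clause.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives fall back to default-src; with neither present the fetch
// is not restricted at all.
function governingDirective(policy, directive) {
  if (policy[directive]) return directive;
  return policy["default-src"] ? "default-src" : null;
}

// Does one source expression admit this fetch? Modelled: 'self', 'unsafe-inline',
// * and host-sources with optional scheme, "*." prefix and port; nonces, hashes
// and the remaining keywords are left out.
function sourceMatches(source, url, pageOrigin) {
  if (url === "inline") return source === "'unsafe-inline'";
  const u = new URL(url);
  if (source === "'self'") return u.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  if (source === "*") return !["data:", "blob:", "filesystem:"].includes(u.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/\s*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== u.protocol) return false;
  if (wildcard ? !u.hostname.endsWith("." + host) : u.hostname !== host) return false;
  const urlPort = u.port || (u.protocol === "https:" ? "443" : u.protocol === "http:" ? "80" : "");
  return !port || port === "*" || port === urlPort;
}

// The payload a CSP Level 2 browser POSTs to report-uri. A cross-origin blocked
// URL is reduced to its origin so the report does not carry its path.
function buildReport(policy, header, pageUrl, governing, directive, url) {
  const page = new URL(pageUrl);
  let blockedUri = "inline";
  if (url !== "inline") {
    const b = new URL(url);
    blockedUri = b.origin === page.origin ? b.origin + b.pathname + b.search : b.origin;
  }
  return {
    "csp-report": {
      "document-uri": page.origin + page.pathname + page.search,
      "violated-directive": [governing, ...policy[governing]].join(" "),
      "effective-directive": directive,
      "original-policy": header,
      "blocked-uri": blockedUri,
      "status-code": 200, // assumed: the document itself loaded with a 200
    },
  };
}

// Decide one fetch. The refusal happens here, before any report exists; a
// report is only built for a fetch that has already been blocked.
function evaluateFetch(header, pageUrl, directive, url) {
  const policy = parsePolicy(header);
  const governing = governingDirective(policy, directive);
  if (!governing) return { allowed: true, report: null };
  const pageOrigin = new URL(pageUrl).origin;
  if (policy[governing].some((s) => sourceMatches(s, url, pageOrigin))) return { allowed: true, report: null };
  return { allowed: false, report: buildReport(policy, header, pageUrl, governing, directive, url) };
}

// Delivering the report is a separate request. If a content blocker drops it
// (the thread's complaint), the decision already taken above is unchanged.
function submitReport(report, send) {
  try { send("/csp-report", JSON.stringify(report)); return "delivered"; }
  catch (_) { return "dropped"; }
}

// The cases discussed in the thread, with the report request being dropped.
function demo() {
  const check = (d, u) => evaluateFetch(POLICY_HEADER, PAGE_URL, d, u);
  const blocked = check("script-src", "https://tracker.example/t.js?id=42");
  return {
    xyzScript: check("script-src", "https://xyz.example/app.js").allowed,
    trackerScript: blocked.allowed,
    trackerBlockedUri: blocked.report["csp-report"]["blocked-uri"],
    cloudflareMedia: check("media-src", "https://cdn.cloudflare.example/v.mp4").allowed,
    reportDelivery: submitReport(blocked.report, () => { throw new Error("blocked by extension"); }),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and `demo()` prints the tracker script blocked with a report whose `blocked-uri` is only `https://tracker.example` (the query string never reaches the report endpoint), while `reportDelivery` comes back `"dropped"` because the simulated blocker threw on the second request; the `allowed: false` decision was made before that request existed. The `img-src` case is also worth trying: with no `img-src` clause the policy falls back to `default-src 'self'`, so a third-party image is refused and the report names `default-src 'self'` as the violated directive and `img-src` as the effective one.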