Hi there,
I'd like to know what the CSP reports to fake-domain.noscript.net are all about in the new WebExtension version of NoScript. I've noticed that they fire on every page that isn't whitelisted in NoScript (first party). Please have a look at this uBO bug report on GitHub. As gorhill (main developer of uBlock Origin) warns, those CSP reports have the potential to leak my detailed browsing history to fake-domain.noscript.net!
noscript.net being able to track my browsing history?
noscript.net being able to track my browsing history?
Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Re: noscript.net being able to track my browsing history?
https://hackademix.net/2017/11/21/noscript-1011-quantum-powerball-finish-and-rebooting/#comment-38450 wrote:"fake-domain.noscript.net", as the name implies, is a domain which does not resolve to anything, and since noscript.net is under my control I can make sure nobody makes it real domain. It's used as the report URI for the script-blocking CSP, in order to catch LOCALLY whatever has been blocked by NoScript and show it in the UI. As soon as the request is initiated, is processed LOCALLY by NoScript and blocked, so the information never leaves the browser. If, by accident (e.g. because you disable NoScript while a page with the CSP loaded is still active) the CSP report is fired and not caught, as I said the domain doesn't resolve and the request just times out.
*Always* check the changelogs BEFORE updating that important software!
-