CSP Reports and noscript-csp.invalid.

Posted: Wed Feb 14, 2018 6:23 pm
by daniel4859
Hello.

I would like to ask a question, mainly to Mr Maone, about the "noscript-csp.invalid" website. It's a little bit confusing, because CSP is making network requests as a result of the browser reporting Content Security Policy violations to a remote server (do we trust remote servers?). On the other hand, CSP was added as a layer of security to detect and mitigate various types of attacks, for example Cross Site Scripting (XSS) and so on. These attacks "exploit the browser's trust of the content received from the server" and "Malicious scripts are executed by the victim's browser (...)" etc. And here NoScript can help, right? I apologize for such an introduction, but I really don't know what to do with the "CSP" option in uBO.

Generally, I just want to know what I should do: allow or deny? According to a pretty long statement by Mr Maone, there are no privacy issues (for more information, please see 1.). Thank You, Mr Maone! Last year, there were a few discussions about that (please see 2., 3.). However, there is a possibility that blocking CSP via uBlock Origin can be incompatible with NoScript's way of using CSP reports.

I'm asking, because CSP ("Content Security Policy") aims to do a few security-related things such as: "mitigating the risk of content injection vulnerabilities such as cross-site scripting, and reducing the privilege with which applications execute." It's a tool which developers can use to lock down their applications in various ways etc.

Here are some excerpts/examples showing uBO log entries about the "noscript-csp.invalid" website etc. This is what happens in the case of:

✗ blocking
✓ allowing

✗ w3c.github.io noscript-csp.invalid * block   --	 csp_report	https://noscript-csp.invalid/__NoScript_Probe__/

✓				                  csp_report     https://noscript-csp.invalid/__NoScript_Probe__/
As we can see, the first two columns are missing (see the 2nd log entry; the first one contains w3c.github.io...). So, what should I do - or what are you doing - with "noscript-csp.invalid" in uBlock Origin: block or allow? Websites seem to work correctly and okay both when it's blocked (red color) and allowed (gray/green colors). But what about the impact on security?

Mr Maone, can You provide your opinion on this one? Since You are the owner of "noscript.net" and it is under your control, I think your opinion will be the most valuable. What should users of uBlock Origin and NoScript do: block CSP reports or not check this option at all? And if users decide to block these reports via uBO, how could it affect NoScript's main feature: securing our computers etc.?

Yes, I know that it's a NoScript forum, but I think that many users are using NoScript along with uBO. And since both addons, at least in the case of CSP, have an impact on each other, I think there should be something like "an official" answer, advice on what users should do and so on.

Thanks, regards.
______________
1. https://hackademix.net/2017/11/21/noscr ... ment-38450
2. https://github.com/gorhill/uBlock/issues/3260
3. https://github.com/gorhill/uBlock/issues/3140

Re: CSP Reports and noscript-csp.invalid.

Posted: Wed Feb 14, 2018 7:41 pm
by barbaz
Giorgio has already provided an official answer...and you posted the link to it. No need to ask him to repeat himself.

Your uBlock Origin question was answered by gorhill (uBlock Origin dev) at bottom of your link 2. - https://github.com/gorhill/uBlock/issue ... -346452328

Re: CSP Reports and noscript-csp.invalid.

Posted: Wed Feb 14, 2018 10:34 pm
by Giorgio Maone
Please also notice that since my comment you quoted, I did also change the endpoint of the report to a *.invalid domain, which as the name implies is reserved and guaranteed to never be used as an actual endpoint. And again, this would be only a fallback in case NoScript for some reason (i.e. some bug) is unable to block it.

Re: CSP Reports and noscript-csp.invalid.

Posted: Thu Feb 15, 2018 10:39 am
by sodead
Hi. Thanks for the answer. So, there is no reason to block CSP in uBO, right? Sorry for such a naive question, but I want to be 100% sure that this option (I mean blocking CSP in uBlock Origin) has no effect on any of NoScript's protection mechanisms etc.

Re: CSP Reports and noscript-csp.invalid.

Posted: Thu Feb 15, 2018 12:27 pm
by Giorgio Maone
sodead wrote:Hi. Thanks for the answer. So, there is no reason to block CSP in uBO, right? Sorry for such a naive question, but I want to be 100% sure that this option (I mean blocking CSP in uBlock Origin) has no effect on any of NoScript's protection mechanisms etc.
If you block CSP reports to noscript-csp.invalid NoScript may or may not be affected, depending on the precedence (unpredictable) which the webRequest listeners of NoScript and uBlock Origin are called with.
But yes, there's no reason to block it: as I said, there's no actual site to collect the information and it could never be, and NoScript itself blocks the request after it's been processed internally.

Re: CSP Reports and noscript-csp.invalid.

Posted: Wed Feb 28, 2018 3:43 pm
by sodead
Hello. I'm sorry for such a long time without an answer. Mr. Maone, thank You very much for the answer and clarifications on this issue. I've always had a dilemma: block CSP in uBlock Origin or not. Now everything is clear: we should not block CSP reports in uBlock Origin! This applies to users of both addons, of course.

I hope that this thread will be helpful for other NoScript v10 and uBlock Origin users who don't know what to do etc. The option to block CSP reports appeared a few uBO releases back, and I think that most users will check this option to block CSP reports, because it's placed in a Private section.

So, maybe there could/should be something like an official statement, for example on the hackademix.net website and/or the noscript.net/getit website? I think that it's pretty important to inform all users what to do. Especially after Your own words: "NoScript may or may not be affected (...)"

Thanks.

Re: CSP Reports and noscript-csp.invalid.

Posted: Wed Feb 28, 2018 3:52 pm
by barbaz
sodead wrote:Now everything is clear: we should not block CSP reports in uBlock Origin! This applies to users of both addons, of course.

I hope that this thread will be helpful for other NoScript v10 and uBlock Origin users who don't know what to do etc. The option to block CSP reports appeared a few uBO releases back, and I think that most users will check this option to block CSP reports, because it's placed in a Private section.
You can check that option if you add an exception for noscript-csp.invalid as described in the issue you linked -

no-csp-reports: noscript-csp.invalid false

Re: CSP Reports and noscript-csp.invalid.

Posted: Wed Feb 28, 2018 4:11 pm
by sodead
Hi Barbaz. Thank You for the answer. Yes, I thought about this "solution", but what about Mr Maone's words: "NoScript may or may not be affected (...)"? The rule mentioned by You, no-csp-reports: noscript-csp.invalid false, should be added in uBlock Origin ("My rules" tab), right? I'm sorry for such a naive question, but I want to be 100% sure.

Barbaz, do You think that if this solution (I mean the rule) is okay and allows blocking CSP reports, then it should be done and the Block CSP reports option checked? What do You think and what did You do?

Thank You.

Re: CSP Reports and noscript-csp.invalid.

Posted: Wed Feb 28, 2018 4:29 pm
by barbaz
sodead wrote:Hi Barbaz. Thank You for the answer. Yes, I thought about this "solution", but what about Mr Maone's words: "NoScript may or may not be affected (...)"? The rule mentioned by You, no-csp-reports: noscript-csp.invalid false, should be added in uBlock Origin ("My rules" tab), right? I'm sorry for such a naive question, but I want to be 100% sure.
Yes add to "My rules" tab. That rule is the solution to "NoScript may or may not be affected". It ensures NS won't be affected.
sodead wrote:Barbaz, do You think that if this solution (I mean the rule) is okay and allows blocking CSP reports, then it should be done and the Block CSP reports option checked?
That's up to you to decide whether you want to block CSP reports by default or not.

Re: CSP Reports and noscript-csp.invalid.

Posted: Wed Feb 28, 2018 5:59 pm
by sodead
Hi. OK, I understand, but I would also like to read Mr Maone's opinion about the 'no-csp-reports: noscript-csp.invalid false' option. But thank You. Barbaz, one more thing: do you use the uBlock Origin addon? If yes, then how did you manage this: are you blocking CSP reports or are you leaving this as it is - by default - not checking/setting it at all?

Barbaz, I'm sorry for all my naive questions, but CSP is important and similar issues should be solved the best way. And what do You think about something like "an official" statement, note etc. on the hackademix.net website? I mean a short piece of information or a post for the NoScript and uBlock Origin addons related to CSP, of course. I think that there are many users who do not check this forum but hackademix.net only (I did it myself for a long time).

It could be, for example: "CSP reports: To everyone who uses the NoScript and uBlock Origin addons" and next briefly describing what CSP is (please see: 1.) and the possible impact of this option (blocking CSP reports in uBO) on NoScript (still, Mr Maone's words: "NoScript may or may not be affected (...)"; yes, You have already explained it). The still increasing number of threats forces many organizations and companies that create and develop various standards for the Internet to implement mechanisms that allow programmers to fight attacks against web applications more effectively etc. And CSP (Content Security Policy) is one such standard.

Thanks, best regards.
___________________
1.: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Re: CSP Reports and noscript-csp.invalid.

Posted: Thu Mar 01, 2018 9:55 am
by Giorgio Maone
sodead wrote:Barbaz, I'm sorry for all my naive questions, but CSP is important and similar issues should be solved the best way. And what do You think about something like "an official" statement, note etc. on the hackademix.net website? I mean a short piece of information or a post for the NoScript and uBlock Origin addons related to CSP, of course. I think that there are many users who do not check this forum but hackademix.net only (I did it myself for a long time).
My stance is that you shouldn't generally mess with CSP reports, as they help site operators to better manage the security of their web application.
I don't think an "official statement" about it is in order, maybe a FAQ about NoScript's usage of those as soon as I manage to restructure noscript.net around Quantum.
However, I agree that since most if not all the effective user support is done here, more prominent pointers to this forum are needed at noscript.net, at hackademix.net and AMO (beyond the links that are already there).
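Editor's added example (not code from this thread, from NoScript or from uBlock Origin): the thread turns on two facts about CSP reports, that a browser POSTs a JSON violation report to whatever `report-uri` the page's policy names, and that a hostname under `.invalid` (RFC 2606) can never be a real collection endpoint. The snippet below shows the site-operator side Giorgio refers to: it parses a report in the classic `csp-report` JSON shape, triages it against the origins the operator actually serves (reports for foreign or malformed documents are noise), and flags report endpoints that sit under a reserved top-level label. The sample report body and the `servedOrigins` list are constructed for the example; the helper names are my own.

```javascript
// Added example, not part of the forum thread or of NoScript/uBO.
// Runs under Node.js (uses the global WHATWG URL class).

// RFC 2606 reserves these top-level labels; a hostname under them
// (e.g. noscript-csp.invalid from the thread) can never resolve to a real server,
// so a report-uri pointing there collects nothing.
const RESERVED_TLDS = ["invalid", "test", "example", "localhost"];

function isReservedEndpoint(reportUri) {
  let host;
  try {
    host = new URL(reportUri).hostname.toLowerCase();
  } catch (e) {
    return false; // not a parseable URL; treat as a normal (non-reserved) endpoint
  }
  const labels = host.split(".");
  return RESERVED_TLDS.includes(labels[labels.length - 1]);
}

function safeOrigin(u) {
  try { return new URL(u).origin; } catch (e) { return null; }
}

// Parse the JSON body a browser POSTs to a report-uri endpoint.
// Returns null unless the mandatory fields of the classic report format are present.
function parseCspReport(body) {
  let obj;
  try { obj = JSON.parse(body); } catch (e) { return null; }
  const r = obj && obj["csp-report"];
  if (!r || typeof r["document-uri"] !== "string" ||
      typeof r["violated-directive"] !== "string") {
    return null;
  }
  return {
    documentOrigin: safeOrigin(r["document-uri"]),
    // "script-src 'self'" -> "script-src": keep only the directive name
    directive: r["violated-directive"].trim().split(/\s+/)[0],
    effectiveDirective: r["effective-directive"] || "",
    blockedUri: r["blocked-uri"] || "",
  };
}

// Triage: accept only reports about documents this operator serves.
// Anything else is either noise from unrelated pages or a forged POST.
function triageReport(body, servedOrigins) {
  const report = parseCspReport(body);
  if (!report) return { verdict: "malformed", report: null };
  if (!servedOrigins.includes(report.documentOrigin)) {
    return { verdict: "foreign-origin", report };
  }
  return { verdict: "accepted", report };
}

// Constructed sample: what a browser would send for a blocked third-party script.
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://example.com/page",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp",
    "blocked-uri": "https://cdn.example.net/x.js",
    "status-code": 200
  }
});

const SERVED_ORIGINS = ["https://example.com"]; // constructed operator config

console.log(triageReport(SAMPLE_REPORT, SERVED_ORIGINS));
console.log("reserved endpoint:",
  isReservedEndpoint("https://noscript-csp.invalid/__NoScript_Probe__/"));
```

The `foreign-origin` verdict is the check a collector most often lacks: because the endpoint accepts unauthenticated POSTs from any browser, filtering on `document-uri` origin keeps someone else's pages (or hand-crafted reports) from polluting the operator's view of their own policy.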