uBlock Origin ad-blocker knocked for blocking hack attack squawking

Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from sounding the alarm on hacking attacks. At the heart of the matter is a fairly new technology called content security policy reporting, or CSP reporting. It's …

  1. Pascal Monett Silver badge
    WTF?

    Hang on a minute

    "Helme told El Reg that uBlock Origin’s blanket policy was not only unworkable but ill-conceived. Any information reported back to a website from one of its own webpages should be known to the website anyway: the site generated the page, after all."

    So you're saying that anything reported back should be known anyway, then you knock uBlock for not reporting?

    If you know it, you don't need a report. So what's the problem?

    As for me, you're not getting a report anyway, because NoScript. There is yet to be a hack that can pass NoScript.

    1. Anonymous Coward

      Re: Hang on a minute

      I disagree with Mr Helme. It is up to the user to choose what is going to be downloaded and what, if any, information is going to be sent out. What does appear ill-conceived to me is CSP (in fact, I thought it had died a death. Sadly that's not the case yet but with any luck uBlock will contribute to it).

      uBO's policy is what I, as a user, expect.

      By the way, I find Mr Helme's argumentative approach rather annoying too.

    2. ScottHelme

      Re: Hang on a minute

      "So you're saying that anything reported back should be known anyway, then you knock uBlock for not reporting ?"

      That particular comment was regarding information about the user and their privacy. Sending a report discloses the user's IP address and User-Agent string for the browser, but the site already knows those so there is no additional privacy concern.

    3. DropBear Silver badge
      Mushroom

      Re: Hang on a minute

      Terribly sorry, I'm with the "feature, NOT bug" crowd here. I feel no obligation to assist said website with any reports about anything, not any more than I refuse to send anyone "crash reports" - it's MY choice, and the answer is no, regardless of what you justify wanting to hear from me with. You clean up your own damn mess and I take responsibility for mine - any attempts to "collaborate" are NOT welcome and WILL be blocked.

      1. Ben Tasker Silver badge

        Re: Hang on a minute

        Terribly sorry, I'm with the "feature, NOT bug" crowd here. I feel no obligation to assist said website with any reports about anything,

        The flipside of that, of course, is that the day you visit with a "fresh" browser (having forgotten to install Noscript/uBlock et al) and get pwned via XSS, it's partly your own fault as the site admin could have received warnings at an earlier stage if you'd only been prepared to provide them.

        That said, that's a trade-off I'm willing to make - it's an issue of consent in my mind.

        Though I'd describe this less as a "feature" of uBlock as lack of a feature - there should be a toggle so the user can choose to enable CSP reports if they want (rather than having to update the whitelist).

      2. rmason Silver badge

        Re: Hang on a minute

        @DropBear

        That's also how I feel.

        If I'm running something that purports to BLOCK things I don't know are happening, or I don't want to happen, or are happening without my approval, that's what I want it to do.

        Not block "some stuff" but not "some other stuff that you, the user, don't understand anyway, just don't worry about it, OK?"

        Otherwise, a random amount of time down the line, we would be hearing about how they weren't blocking [scripting thing X] or [protocol Y] when they should have been.

        This is the far preferable version of the story to be reading, IMO.

  2. Anonymous Coward

    text not showing up in reader mode

    When I use reader mode on my phone this paragraph and the one like it farther down the page don't show

    "uBO is blocking the sending of legitimate CSP reports. I have a policy setup on https://scotthelme.co.uk which fires multiple reports that are all blocked."

  3. Anonymous Coward

    Ah, so the loudhailer trick

    "Helme told El Reg [blah]"

    In other words, Scott Helme contacted El Reg to try to push his side of an argument that he is losing on technical and social merits?

    How about stopping the whingeing and recognising that users do have legitimate privacy concerns which *by far* trump any developer benefit that may be had from CSP reports.

  4. EveryTime Silver badge

    Ahhhh, four comments in and it appears that we readers have near-100% understanding of the issue.

    1. m-k

      Ahhhh, but "99.99999 per cent of users aren't even going to know about CSP" so it's all right then ;)

      ...

      I suspect that the percentage is "somewhat" different when you consider 99.0000% of adblock users, but hey, what counts is the 99.9999 of internet users, who don't give a flying about anything :/

  5. Anonymous Coward

    Just make every page send a 'report' to a central ad server.. voila, your browsing history across multiple sites, without a cookie in sight.

    Good on ublock origin.

    CSP to limit what javascript can run on a page makes sense (in the absence of any browser manufacturer actually being prepared to make javascript secure by default). These reports? Needless bloat that means everyone with any sense will block the whole thing instead.

  6. Kevin McMurtrie Silver badge

    The other use of everything good

    It does look like CSP reports could be used for precise browser fingerprinting, analyzing whether or not certain sites are reachable, and analyzing load times.

    It's hardly the worst thing about browsers, though. I tried to convince an IT department of a previous employer that many browsers were an incredible security risk because they used remote URL completion assistance. They were leaking the title of every confidential Confluence page in the company, and a recipient of that confidential data was a business partner. (IT told me to not worry.)

  7. PC LOAD LETTER

    No thanks...

    Sorry, it's not my job to fix your busted webpage...

    1. Roland6 Silver badge

      Re: No thanks...

      CSP reports don't fix busted webpages...

      I thought their intent was to flag to webmasters that their site contains broken/compromised pages, so enabling them to do their job.

      Obviously, the implementation of this useful service may have resulted in the original intent being forgotten or simply written out of the specification...

  8. Tim99 Silver badge
    Joke

    Trust Google?

    So Mr Helme likes Google Analytics for this. Can I suggest a compromise that he could suggest to uBlock - Allow anything that goes to his own domain (and possibly Mozilla) and block Google and everything else?

  9. jMcPhee

    Just another telemetry wheeze

    Helme's probably just fine with Win10 telemetry and mandated patching. Big brother always knows what's best for you.

  10. ThatOne Silver badge
    Paris Hilton

    What's the point of CSP anyway?

    Somebody please help me understand:

    CSP reports tell the website owner if malicious scripts have been injected. They don't alert the user, they only alert the website owner (for instance Equifax). Isn't it?

    If that's true, what's the point of those reports? 99% of big websites won't care (if only because CSP messes with ad delivery I guess). Those who might care (the potential victims) don't get to see those violation reports anyway if I got it right (at least not before it's too late anyway). So, what's the point in CSP?

    1. Adam 1 Silver badge

      Re: What's the point of CSP anyway?

      You are mixing up CSP with the optional report.

      CSP itself ensures that resources can only be delivered from the places that the website author intended. It is a directive to your browser. When your browser encounters a request in violation of this policy, your browser will block it*. Where the report URI is defined, your browser will inform the website about which policies are in violation.

      This may alert the website if they are being attacked via their ad network or if their CSP is blocking needed resources. The CSP is almost certainly protecting you. The report might help other users.

      *Just like all web things YMMV with different browsers. IE and Safari have notably lower support for the standard than Firefox or Chrome.

      1. Cuddles Silver badge

        Re: What's the point of CSP anyway?

        "CSP itself ensures that resources can only be delivered from the places that the website author intended."

        Which is ultimately the root of the whole problem. We are forced to use addons like uBlock and Noscript precisely because the places the website author wants to allow to run scripts are not places I want to allow to run scripts. If my implementation of a whitelist interferes with theirs, that's entirely their own fault for forcing me to do it in the first place.

        Essentially, what they want is the right to stick a sewage pipe through my wall to spew shit into my home. CSP is an attempt to detect if anyone else drills a hole into the pipe before it reaches my house and adds some of their own shit to it, by analysing the shit inside my house. uBlock simply blocks the pipe off and stops any of the shit coming in, so now they complain that their analysis tools no longer work and they can't tell who might be trying to dump shit on me; some of that shit might be illegitimate shit that I wouldn't want inside my house! Having successfully blocked off the flow of all shit, I unsurprisingly don't give a shit.

        1. JLV Silver badge

          Re: What's the point of CSP anyway?

          CSP is a whitelist tech on the server side telling your browser where they _intend_ to serve scripts from.

          Idea is that if someone's JS hacks in, your browser won't see it as part of the conversation.

          It has zilch to do with your own whitelisting. It doesn't supersede it or interfere with it. The site's whitelist can be extremely restrictive or it can serve up Taboola, Zergnet and Facebook crud, just as a site without CSP can choose to pollute you or not. It also has zilch to do with a site serving up malicious content by choice.

          Either way you still get to choose what you want to load so I am unsure about the point you're making, except that we both hate all the drivel that a typical website typically tries to foist on you.

          Aggressive NoScript user myself.

        2. Anonymous Coward

          Re: What's the point of CSP anyway?

          Brilliant, please accept this up vote, plus sign, approval, whatever this site does, for your answer that made me chuckle.

        3. Orv Silver badge

          Re: What's the point of CSP anyway?

          Essentially, what they want is the right to stick a sewage pipe through my wall to spew shit into my home.

          Well, except that no one is forcing you to visit any given website. It's more like you installed a pipe from a service that promised to deliver manure, then got upset when your careful shoveling did not reveal sufficient horses mixed in, and decided to complain about the smell.

          1. Cuddles Silver badge

            Re: What's the point of CSP anyway?

            "It's more like you installed a pipe from a service that promised to deliver manure, then got upset when your careful shoveling did not reveal sufficient horses mixed in, and decided to complain about the smell."

            No, you've missed a rather important part, albeit one I didn't make clear in the analogy - I did not sign up to a service that promised to deliver manure, I signed up for a horse. The website insists on trying to dump manure into my house at the same time, and Adblock, Noscript and similar are attempts to block the manure while still being able to ride the horse. Since there is no contract requiring me to accept the manure and no legitimate reason for it to actually be there, they're left with complaining that blocking it degrades their ability to check the manure for purity. Which completely misses the point that I don't care how pure the manure they're dumping in my house is, I don't want any of it.

            In fact this is a particularly good analogy since horses inevitably come with their own supply of manure, and people are generally perfectly willing to accept that small amount that is necessary for it to function normally. What we object to is the attempt to stick a sewage pipe into our homes at the same time with no justification other than that since we're OK with a small amount of unavoidable shit, we must also be fine accepting whatever amount they're able to shovel in after it.

            1. Orv Silver badge

              Re: What's the point of CSP anyway?

              My point is this is a voluntary transaction. You seem like the kind of person who would go into a sports bar and ask them to turn off the game because there are commercials in it.

    2. ScottHelme

      Re: What's the point of CSP anyway?

      If websites don't want CSP or reports then they wouldn't enable it, it's an opt-in feature. This means that those who have enabled it wanted to enable it and will also want the reports to fix problems raised.

      Showing CSP reports to the user would increase warning fatigue and be detrimental to the user experience. Should we visually display all warnings that appear in the console to the user?

      1. Anonymous Coward

        Re: What's the point of CSP anyway?

        > If websites don't want CSP or reports then they wouldn't enable it, it's an opt-in feature.

        Opt-in for the developer. No-choice for the user. Terrible design decision that needs correcting ASAP which, incidentally, is what uBO does.

        > Showing CSP reports to the user would increase warning fatigue and be detrimental to the user experience.

        In other words, CSP is ill thought out.

      2. Anonymous Coward

        Re: What's the point of CSP anyway?

        By the way Scott, did you initiate contact with The Register yourself over this issue?

        Allow me to tell you gently, that is a very immature and underhanded way of handling a situation like this.

        I do hope you will be compensating Raymond Hill for the time he is now wasting dealing with this non-issue.

      3. Anonymous Coward

        Re: What's the point of CSP anyway?

        Scott,

        Take a look through all of these comments. I think you will see that your position is very unpopular.

        Hell, I manage several e-commerce sites for a mid size company, and even I think you are wrong!

      4. Gnisho

        Re: What's the point of CSP anyway?

        "To save user privacy, we had to invent a new way to compromise it."

        Thank you, Scott, for saying up front that this feature is not for the user. Now kindly go re-evaluate what's implemented here as compared to user's privacy goals, and maybe also re-evaluate your entire life. Thanks.

  11. 404 Silver badge

    Fuck 'em

    Using UBO, ABP, Ghostery, and HTTPS Everywhere.

    Anyone else miss the Internet of the late 1990's, early 2000's when spam was the biggest PITA?

    I do.

    1. BongoJoe

      Re: Fuck 'em

      I miss the internet of the early days when if you didn't know the eMail address of anyone in a firm then a single message to one address (I have forgotten which now) would give the directory listing of everyone inside.

      Of course, this useful function got abused and has been consigned to history. Thank the spammers for this.

  12. Adam 1 Silver badge

    disagree with Scott and Troy

    ... and don't type that very often. They are some of the brightest minds in info sec.

    CSP, for the uninitiated amongst you, allows you to specify the domains that are permitted to serve what types of content to your pages. So I can say that the only domains that may deliver inline scripts are xyz, and the only ones that can deliver media are cloudflare etc.

    When the browser renders the page and is asked to fetch resources, less sucky browsers will refuse to load those resources. Basically, if your browser is submitting a report, it has already protected you. It could be that the site owner had misconfigured the CSP or that some MitM is modifying the http pages or that some advertising network is trying to fingerprint the visitor, but either way, the browser has correctly blocked it. The reporting allows the browser to submit details of the violation. The complaint is that this report is blocked. The only people to benefit from this report are the site owner (if misconfigured) or old IE/Safari users whose CSP isn't processed or isn't processed correctly. Why should my privacy be decreased because they choose a browser with less support for a security feature?
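As an added illustration of the mechanism Adam 1 describes (this is example code, not from the article, uBlock Origin or any commenter), here is a small Python model of how a browser checks a requested resource against a policy's source list, what the resulting report-uri POST body looks like, and a check for whether that report goes back to the page's own origin. The policy, hostnames and URLs are all constructed.

```python
"""Minimal model of CSP source matching and the violation report a browser
would POST to report-uri.  Added example; policy and URLs are constructed."""
import json
from urllib.parse import urljoin, urlsplit

# Constructed policy: scripts only from the page's own origin and one CDN,
# images from any https origin, everything else same-origin, reports to /csp-report.
EXAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.net; "
                  "img-src https:; report-uri /csp-report")

# Resource type -> the fetch directive that governs it (subset of the spec's list).
FETCH_DIRECTIVES = {"script": "script-src", "img": "img-src", "style": "style-src",
                    "font": "font-src", "connect": "connect-src", "media": "media-src"}


def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def origin_of(url):
    """(scheme, host, port) tuple; default ports filled in so 'self' compares cleanly."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or (80 if scheme == "http" else 443)


def source_matches(expr, resource_url, document_url):
    """Subset of browser source-expression matching: 'self', 'none', scheme-source,
    host-source with optional scheme, port and *. wildcard prefix."""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin_of(resource_url) == origin_of(document_url)
    if expr.startswith("'"):          # 'unsafe-inline', nonces, hashes: not URL-based
        return False
    r_scheme, r_host, r_port = origin_of(resource_url)
    if expr.endswith(":"):            # scheme-source such as https:
        return r_scheme == expr[:-1].lower()
    scheme, _, rest = expr.rpartition("://")
    if scheme and scheme.lower() != r_scheme:
        return False
    host, _, port = rest.partition(":")
    if port and port != "*" and int(port) != r_port:
        return False
    host = host.lower()
    if host == "*":
        return True
    if host.startswith("*."):
        return r_host.endswith(host[1:])
    return r_host == host


def is_allowed(policy, resource_type, resource_url, document_url):
    """Resolve the effective directive (falling back to default-src) and evaluate it."""
    directive = FETCH_DIRECTIVES[resource_type]
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:               # no directive governs this type: not restricted
        return True, directive
    return any(source_matches(s, resource_url, document_url) for s in sources), directive


def violation_report(header, resource_type, resource_url, document_url):
    """Return the JSON body a browser would POST to report-uri, or None if allowed.
    Like browsers, only the blocked resource's origin is reported, not its path."""
    policy = parse_policy(header)
    allowed, directive = is_allowed(policy, resource_type, resource_url, document_url)
    if allowed:
        return None
    blocked = urlsplit(resource_url)
    return {"csp-report": {
        "document-uri": document_url,
        "violated-directive": directive,
        "effective-directive": directive,
        "original-policy": header,
        "blocked-uri": f"{blocked.scheme}://{blocked.netloc}",
        "disposition": "enforce"}}


def report_target(header, document_url):
    """Resolve report-uri against the page and say whether it is same-origin,
    the distinction the thread draws between reporting to the site itself
    and reporting to a third-party collector."""
    targets = parse_policy(header).get("report-uri")
    if not targets:
        return None, False
    target = urljoin(document_url, targets[0])
    return target, origin_of(target) == origin_of(document_url)


if __name__ == "__main__":
    page = "https://www.example.com/page"
    print(json.dumps(violation_report(EXAMPLE_POLICY, "script",
                                      "https://evil.example.org/x.js", page), indent=1))
    print(report_target(EXAMPLE_POLICY, page))
```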

    1. ScottHelme

      Re: disagree with Scott and Troy

      I'm curious how your privacy is decreased by sending a CSP report, especially if that report is sent back to the same host.

      If the site has an XSS vulnerability then the report would inform the site owner who could take action to fix the underlying cause. I'm not really comfortable with the approach of assuming CSP will always save us. It's a bit like the old problem I came across in the financial sector a lot: "Ah we have a SQL injection flaw but don't worry we have a rule in the WAF to stop it". CSP is not a final solution, much like the WAF rule isn't. It's a temporary measure to address the problem while the root cause is identified and fixed. Unlike us easily being able to get reports for WAF blocks, we depend on the UA to send reports of CSP blocks.

      1. Graham Cobb

        Re: disagree with Scott and Troy

        I'm curious how your privacy is decreased by sending a CSP report, especially if that report is sent back to the same host.

        I don't know. Possible issues may be discovering how I use GreaseMonkey, or DeCentralEyes.

        But just because neither of us can work out how to abuse a new feature not widely in use at all yet, that does not give me any confidence that it cannot be abused. It hasn't been very long since no one realised that canvas was a privacy violation.

        As a general principle, I do not permit anyone to receive anything except the most limited information. I don't use UBO (I have other tools) but certainly will not be permitting CSP reports to be sent to most sites. I might make a few exceptions if it seems particularly worthwhile for some site and I particularly trust them. Just like I make a few exceptions to allow some applications to report crashes.

      2. Adam 1 Silver badge

        Re: disagree with Scott and Troy

        With respect, some of those arguments don't really hold water. For a start, it is not comparable to relying upon a WAF to avoid worrying about input sanitisation. CSPs are effective to the extent that

        1. The website has implemented it allowing only what is needed.

        2. The browser reacts correctly to the directive

        3. The site is designed in such a way as to allow 1 to restrict enough things that miscreants might exploit.

        It is only after 2 occurs that you can possibly receive an error report. Or looking from another angle, if the CSP didn't "save us", then neither could the owner "be informed" via the CSP rule. It is possible that my safety is improved because another user submitted a report from their browser where mine didn't react correctly. Which is a point that I made from the opposite angle. It is not their responsibility to protect me from my browser choice.

        Do I have a specific exploit in mind? No, but miscreants are a lot more creative than me, but let me don my evil Adam1 hat and give it a go. A user may have some crazy notion that executing unverified code from a site who you have no prior knowledge about. So they may have scripts disabled either in the browser settings or via noscript etc. The site owner could still track by generating a fake rollover image at GUID.NewGUID().com and reconcile through the backend what I scrolled to etc. I imagine similar could be done to regenerate deleted cookies based on a browser fingerprint generated fake URI.

        That said, I don't have a fundamental problem with ubo providing users the option to whitelist specific report URIs or to even whitelist all same origin report URIs. It is problematic to generally assert that your service is fine because of your claimed privacy policy. That may be true (and fwiw I believe it to be true), but that is a point in time guarantee. There are plenty of examples of websites that were at one point highly trusted but over the years were sold to companies who sold to others and so on and today have quite ethically dubious practices. Look at other examples from plugins like adblock plus or wot which either changed how they operated or were less than upfront about it.

        I would actually prefer that a CSP violation be treated like a broken cert than a silent telemetry. If the browser did not render the page but instead showed the message "Warning: This website attempted to download a resource in violation of its content security policy." with buttons like Get me out of here, add exception logic and a report error checkbox. Maybe we'll get there in a few years once CSP story improves across the board. You may argue warning fatigue here. That is certainly something to consider but to my mind if your site is running a script or downloading another resource that you, the website author, didn't expect, there are larger problems.

        1. Anonymous Coward

          Re: disagree with Scott and Troy

          "1. The website has implemented it allowing only what is needed."

          Sorry, that's a fail right there. What websites need (money, views) and what I need (content) are two quite different things.

          Trusting a website to do the right thing is just misplaced trust: Not many of them will because money, incompetence or just 'not worth the effort'.

          CSP where I define what is allowed and what isn't, would be OK but .... oh ... we already have that, in uBlock/AdBlock/NoScript. Quite brutal way but it works.

          I can see the idea behind CSP but it always boils down to "we are dumping shit in your house but you need to tell us _other_ people doing the same thing without us knowing".

          Even the idea, at concept level, is a failure and there's nothing that can be done to fix it as long as it's the site owner (basically: money) who has the decision.

          We already know that the typical attack vector is a bought ad on some popular site. Much, much easier than hacking in and does the job as well.

      3. eldakka Silver badge

        Re: disagree with Scott and Troy

        If the site has an XSS vulnerability then the report would inform the site owner who could take action to fix the underlying cause.

        I would expect a website owner to test their own site for XSS exploits before opening it to the public. Not to use their users as guinea-pigs - actually, canaries would be a better description.

        1. Kiwi Silver badge

          Re: disagree with Scott and Troy

          If the site has an XSS vulnerability then the report would inform the site owner who could take action to fix the underlying cause.

          I would expect a website owner to test their own site for XSS exploits before opening it to the public. Not to use their users as guinea-pigs - actually, canaries would be a better description.

          A 0day is found in Apache under Linux, allowing an attacker to modify the content of pages served by the site (or faulty cpanel or faulty wordpress or faulty FTP server etc etc etc etc).

          But hey, you don't need to worry about the content on the site changing, because the site's creator checked for XSS exploits before uploading. Having another mechanism to help secure sites/the data they send because the content creator already looked it over.

          (Given the large number of site makers who have little to no idea of anything technical, and create the sites with WYSIWYG tools, via various content managers etc.....)

      4. Anonymous Coward

        Re: disagree with Scott and Troy

        "I'm curious how your privacy is decreased by sending a CSP report, especially if that report is sent back to the same host."

        IP and user-agent versus everything javascript can collect about you and from your machine?

        I can see a huge difference. Because privacy breaching javascripts are and will be the first ones site owners allow.

        "... website owners to declare approved origins of content that browsers should be allowed to load ... "

        says the standard. That means website owner can allow whatever (ads, malware) they want without asking me.

        And no, that's exactly why script blockers are there, to stop site owners spying on me, directly or indirectly (via Google).

        1. Kiwi Silver badge

          Re: disagree with Scott and Troy

          "... website owners to declare approved origins of content that browsers should be allowed to load ... "

          says the standard. That means website owner can allow whatever (ads, malware) they want without asking me.

          The key you might've missed is basically every site creator/host already does this

          The point of CSP (at least as I understand it) is to say "the owner wants data coming from theirdomain.com and clodfool, anything else (eg google analytics or scummymalwaresite.com) is NOT ALLOWED". Thus if someone manages to change the content of the page to serve up some other stuff, well, the system tells your browser what is allowed, your browser sees what is offered is not on the OK list and stops loading it.

          ICBW of course.

          The content of the reports is another matter, but most of the data that is in them would, I assume, be available from logging - especially your IP, session cookies, pages visited etc (assuming that level of logging is turned on)

  13. Anonymous Coward

    Fie!

    I side with UBlock on this. The arguments in the article to the contrary are not only unconvincing, but a little bit infuriating. I installed UBlock for my purposes, not theirs.

  14. Anonymous Coward

    When there's doubt...

    There is no doubt: Fuck Google Analytics every time...

    1. BongoJoe

      Re: When there's doubt...

      On my sites I don't have GA installed at all and it's fun when I get asked by Advertising Fucktards for my stats and I send them something that approximates my wildest imagination.

      Oddly they can't get their heads the fact that most of my readers are seemingly from the Vatican City...

  15. emullinsabq
    Mushroom

    google

    I wrote a lengthy reply explaining this and then deleted it. It should be clear by now why ad and script blocking tools are growing in popularity. It's not my job to explain it to you. Fuck off.

  16. fung0

    No Thanks

    If I hadn't already been a fan of uBlock Origin, this article would have made me one.

  17. lvm

    Sorry, Mr. Leyden, but think before you post

    Why CSP is pretty much useless as a security tool has been discussed in several comments; more importantly, CSP can be used to track client-side script modifications and/or blocking - i.e. adblocking. If you installed an adblocker you most probably would want to block CSP too, so the default uBlock behaviour is correct. Good job, uBlock!

  18. Bibbit

    With the greatest respect Mr Helme...

    F*ck off.

    This article only increases my respect for uBlock.

  19. Dwarf Silver badge

    No, just no.

    We are told (but don’t believe) that only a small percentage of people install blockers, so it follows that there will still be plenty of sheeple out there whose browsers will report back to the provider.

    I see this as another telemetry mechanism, hence I’ll block it, +1 for uBlock. I use it and it works very well.

    As for assuming you can use my PC for your site's monitoring - no, it’s mine, I decide what it does and when, not you. If you want to do some monitoring of your web site, go and spin up a monitoring server somewhere in the cloud and fill your boots, don’t try and freeload off my PC’s CPU cycles.

  20. Anonymous Coward

    I'm sorry but if you are too lazy to check your own website for XSS problems then I'm not going to do it for you by giving up my privacy. Sure it's a nice feature and it sounds useful but at the end of the day it's something you shouldn't need because you should have checked your site before it went live.

    Would I buy a guard dog off a burglar?

  21. Dark_Ronius

    It seems obvious to me that it's disabled by design. It's literally disabling something additional that isn't required to display the webpage. That, and those against CSP blocking seem to shoot themselves in the foot saying it's as simple and privacy invading as loading an image or text (in which case, why isn't this something which is obvious from other information derived from a visit?).

    Using any adblocker is a very clear, positive, action from a user to say "I don't want any additional shit run on my computer". Adblock Plus has been burnt since automatically enabling "some non-intrusive ads". Now personally I use that as an additional filter in uBlock, as I generally agree with it (I equally hate these uBlock nazis that tell people not to use it; my adblocker, my choice) but that should never have been an automatically assumed choice, but an optional action by the user. To allow CSP, while not on the scale of a mistake of automatically enabling non-intrusive ads, seems part and parcel of what a user is asking for when they install uBlock.

    1. Tinslave_the_Barelegged Silver badge

      > Using any adblocker is a very clear, positive, action from a user to say "I don't want any additional shit run on my computer".

      If there is a simplistic aspect to this issue, this is surely it. If I understand what Mr Helme means, he suggests that when CSP is enabled, the browser must accept what the website developer instructs it to accept, giving the example of an analytics tracker. UBO says it looks like one, smells like one, so it won't step in it. The balance of probability of clientside welfare does seem to rest on UBO's side. Or to put it another way, UBO exists because we have learnt that web services and developers cannot be fully trusted.

      1. Anonymous Coward

        "...UBO exists because we have learnt that web services and developers cannot be fully trusted."

        I'd like to put it another way: They can be fully trusted to spy on everything they can, at every opportunity. Just because of money and total disrespect of privacy.

  22. tiggity Silver badge

    clueless

    Helme: "I don't see how sending a CSP report to a reporting service is any more privacy violating than loading an image, script or stylesheet from a content delivery network"

    .. lots of people running blocking software are probably also blocking those CDN links too, and so not getting that level of snoopy trackiness.

    When I visit a new (never visited before) site then essentially everything is blocked - allow site HTML, CSS but little else. I then choose to enable stuff (or, if the site will not even let me see content without enabling masses of JS, I go away and find a different site with the info I was after).

    .. I even block all (that site originating) images initially (as limited bandwidth and some non-required images really take the mickey on size), and then set up a blacklist of any unwanted images: I mainly browse for textual information, not the latest memes, cat pics or other imagery

    1. Anonymous Coward

      Re: clueless...

      The day someone exploits a company's CSP for the dark side will also be the day that company tries to dodge responsibility with... "Please disable CSP temporarily".

      The dude on the offensive sounds like he is worried that his Dreamweaver sites might have Flash exploits not covered in his "Webpage Design for Dummies" book that he uses to suck out people's privacy for G$$gle (to be fair, the book is the latest edition of 135 editions).

    2. emullinsabq
      Thumb Up

      Re: clueless

      "When I visit a new (never visited before) site then essentially everything blocked - allow site HTML, CSS but little else, I then choose to enable stuff (or, if site will not even let me see content without enabling masses of JS I go away and find a different site with the info I was after)."

      It is too bad the masses don't adopt this approach.

  23. David Roberts Silver badge

    May be missing something here

    But isn't the main problem that they chose Google Analytics as the reporting mechanism?

  24. Bob Doe

    Paul Moore should spend more time being a CISO @ Icebook and sorting their website faults, comes across as a whiny hanger-on.
