CSP used for spying on blocked domains(?)

moonbat (Knows the dark side; Posts: 4984; Joined: 2015-12-09, 15:45)
Re: CSP used for spying on blocked domains(?)
Post by moonbat » 2023-12-17, 11:19

Moonchild wrote (2023-12-17, 10:42):
chrome: is not a content environment.
Indeed, while I was learning to create extensions and going through the older docs, I was struck by how elegant the chrome vs content separation is if you follow the coding guidelines. So an extension can both extend the UI with a menu or dialog and manipulate a webpage, but the webpage content can't access scripts running in the chrome context. Imagine Mozilla ditching this for WE :coffee:
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Kris_88 (Keeps coming back; Posts: 940; Joined: 2021-01-26, 11:18)
Re: CSP used for spying on blocked domains(?)
Post by Kris_88 » 2023-12-17, 11:31

Moonchild wrote (2023-12-17, 10:42):
be exposed to and subject to content rules (the "C" in CSP). CSP will, by design, apply to anything running in content, including injected scripting running in content (which is why bookmarklets are affected by some CSPs).
Bug 866522 - Bookmarklets affected by CSP (opened 11 years ago, updated 2 months ago)
https://bugzilla.mozilla.org/show_bug.cgi?id=866522
NedB, Comment 20 (11 years ago):
There is a lot of talk here about a simple thing:
A.) The spec says that bookmarklets should not be affected.
B.) A bookmarklet is a type of addon. Website owners should not be able to prevent users from using addons.
C.) Any talk about social engineering attacks is equally applicable to addons. There has to be a limit to how far you will go to stop stupidity. See point B.
As to whether or not a bookmarklet should be able to add external JS to the DOM even when CSP would otherwise prevent it, I think yes, if reasonably practical. But I can easily understand why that may be complex.

Again, it comes down to the right of a user to control the browser. If the user wishes to run an addon that will add a script, then the website owner should not have the ability to stop that. CSP is about website owners making a choice to stop 3rd parties from exploiting holes, not about website owners stopping users from doing what they want.
https://www.w3.org/TR/CSP/#extensions
Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].

Moreover, applying CSP to these kinds of features produces a substantial amount of noise in violation reports, significantly reducing their value to developers.

Chrome, for example, excludes the chrome-extension: scheme from CSP checks, and does some work to ensure that extension-driven injections are allowed, regardless of a page’s policy.

back2themoon (Moon Magic practitioner; Posts: 2411; Joined: 2012-08-19, 20:32)
Re: CSP used for spying on blocked domains(?)
Post by back2themoon » 2023-12-17, 11:47

jobbautista9 wrote (2023-12-17, 03:32):
And it's enabled by default on Firefox because of scripts from extensions being able to trigger CSP violations...
I know uBO Legacy is a bit left behind, but "Block CSP reports" is disabled by default in "our" version.

I vote against adding this as an extra pref.

Moonchild (Pale Moon guru; Posts: 35650; Joined: 2011-08-28, 17:27; Location: Motala, SE)
Re: CSP used for spying on blocked domains(?)
Post by Moonchild » 2023-12-17, 12:52

Kris_88 wrote (2023-12-17, 11:31):
A bookmarklet is a type of addon
No, it is not. A bookmarklet is more akin to a user script.

I'm pretty sure I looked at this bz bug before though - not entirely sure what happened to it. I do distinctly recall looking at the code change made in bug #1478037, which is a more narrowly tailored version of that, but that never landed in our tree, apparently. Probably slipped under the radar. Patches welcome for that one (make an issue if so, please).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

gepus (Keeps coming back; Posts: 943; Joined: 2017-12-14, 12:59)
Re: CSP used for spying on blocked domains(?)
Post by gepus » 2023-12-17, 13:37

back2themoon wrote (2023-12-17, 11:47):
I know uBO Legacy is a bit left behind, but "Block CSP reports" is disabled by default in "our" version.

I vote against adding this as an extra pref.
A bit too late for voting. The pref was added a long time before.

Moonchild (Pale Moon guru; Posts: 35650; Joined: 2011-08-28, 17:27; Location: Motala, SE)
Re: CSP used for spying on blocked domains(?)
Post by Moonchild » 2023-12-17, 13:51

gepus wrote (2023-12-17, 13:37):
A bit too late for voting. The pref was added a long time before.
I'm pretty sure it was meant to vote against adding the pref in UXP, because it's already supplied in an extension if people do want that feature.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

back2themoon (Moon Magic practitioner; Posts: 2411; Joined: 2012-08-19, 20:32)
Re: CSP used for spying on blocked domains(?)
Post by back2themoon » 2023-12-17, 16:26

gepus wrote (2023-12-17, 13:37):
A bit too late for voting. The pref was added a long time before.
See above. I was obviously -hopefully- talking about the current CSP / Pale Moon request.

athenian200 (Contributing developer; Posts: 1537; Joined: 2018-10-28, 19:56; Location: Georgia)
Re: CSP used for spying on blocked domains(?)
Post by athenian200 » 2023-12-17, 17:28

back2themoon wrote (2023-12-17, 16:26):
gepus wrote (2023-12-17, 13:37):
A bit too late for voting. The pref was added a long time before.
See above. I was obviously -hopefully- talking about the current CSP / Pale Moon request.
Same here. I would like to clarify that I wasn't advocating for removing the existing pref. That one is fine because it doesn't falsely advertise that we support CSP and then violate the spec, it just turns CSP completely off and makes that clear.

Besides, if uBO can do this on a per-site basis as an extension, then there's definitely no need for us to imply endorsement for this use case by including it in the browser out of the box. I mean, we don't include ad blockers in the browser either, but people can install them. By default, we show you the ads and run all the scripts. You have to install an extension if you want different behavior. I think that's pretty well in line with how we've always done things.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

Kris_88 (Keeps coming back; Posts: 940; Joined: 2021-01-26, 11:18)
Re: CSP used for spying on blocked domains(?)
Post by Kris_88 » 2023-12-17, 18:25

I vote for adding as many different preferences as possible. But at the same time set the correct defaults.
There are already enough programs in which nothing can be configured. There's no point in creating another one.

Moonchild (Pale Moon guru; Posts: 35650; Joined: 2011-08-28, 17:27; Location: Motala, SE)
Re: CSP used for spying on blocked domains(?)
Post by Moonchild » 2023-12-17, 18:30

We have extensions for a reason, Kris. Your ability to configure Pale Moon is pretty much limitless through them.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Kris_88 (Keeps coming back; Posts: 940; Joined: 2021-01-26, 11:18)
Re: CSP used for spying on blocked domains(?)
Post by Kris_88 » 2023-12-17, 18:41

Moonchild wrote (2023-12-17, 18:30):
We have extensions for a reason, Kris. Your ability to configure Pale Moon is pretty much limitless through them.
Extensions are certainly good...
However, there are situations where adding a preference costs only a couple of lines of code in the browser, but several kilobytes in the form of an extension. It's not effective. I don't want to clutter my profile and a browser with extensions. I think extensions make sense when you need to add new functionality that is completely missing in the browser. And what costs a couple of lines of code needs to be built in.
But this is just an opinion, and I do not insist. I'm just saying...

back2themoon (Moon Magic practitioner; Posts: 2411; Joined: 2012-08-19, 20:32)
Re: CSP used for spying on blocked domains(?)
Post by back2themoon » 2023-12-17, 19:07

Kris_88 wrote (2023-12-17, 18:25):
There are already enough programs in which nothing can be configured. There's no point in creating another one.
That sounds unfair. Surely you can't call PM a program where "nothing can be configured"? Just to save "several kilobytes of extension clutter" and for not adding a somewhat esoteric option?

edit: Well, if not adding this would make some of the more advanced users here unhappy (and Kris_88 is certainly advanced and very helpful) I'd change my "vote" and say go for it then.

Hopefully it is a simple matter of "a couple of lines of code" to have this added as a non-default advanced pref.

athenian200 (Contributing developer; Posts: 1537; Joined: 2018-10-28, 19:56; Location: Georgia)
Re: CSP used for spying on blocked domains(?)
Post by athenian200 » 2023-12-17, 19:49

Kris_88 wrote (2023-12-17, 18:41):
Extensions are certainly good...
However, there are situations where adding a preference costs only a couple of lines of code in the browser, but several kilobytes in the form of an extension. It's not effective. I don't want to clutter my profile and a browser with extensions. I think extensions make sense when you need to add new functionality that is completely missing in the browser. And what costs a couple of lines of code needs to be built in.
But this is just an opinion, and I do not insist. I'm just saying...
I do get where you're coming from with this, as I don't install many extensions myself and prefer to keep the browser as stock as possible. The whole "your browser, your way" thing is mostly in reference to the fact that you can modify the browser with extensions. However, there is a trade-off to that. The very fact that the browser is so extensible can mean that the developers are less interested in putting work into the UI, and more likely to tell you that you need to find or write an extension that does what you need.

I think the natural price of having such a customizable browser is that it does create a climate where users are expected to install extensions to modify behavior rather than getting something polished that "just works" out of the box with plenty of configuration options. It's that old open source spirit, the one that expects that if you want freedom, you have to work for it and put in the research and tweaking... like back when I used Linux in the early 2000s and had to compile my own kernel to get my system working how I wanted.

I think our philosophy is a bit like that... we won't give you the most polished experience out of the box (although I personally think our OOBE is much better than the Firefox we forked from), but we are offering you the opportunity to build the experience you want by searching through extensions others have made, and possibly even learning to make or modify extensions yourself where possible to get what you want. "Your browser, your way" doesn't mean "Your wish is our command," or "The customer is always right," but rather it means, "You have the opportunity to extend and modify the browser yourself, and if you put in the work hunting down extensions or writing your own, you can get what you want." What I think really angered people here about Mozilla enough to start the project isn't that they didn't give us exactly what we wanted, but rather that they took a lot of the extensibility away, and instead made everyone more dependent on what they provide out of the box, which pleases most people but doesn't work for everyone.

While we won't take away your freedom to extend the browser in any way you see fit, we also won't accept an obligation to implement user requests. This isn't a positive freedom where we guarantee you rights that we will go out of our way to uphold, it's old-school negative freedom where you are left to fend for yourself and figure things out without interference. You have to put in a bit of work to have it YOUR way, but the freedom to have it your way is in fact there, should you choose to put in some effort and take advantage of that. This community wasn't really built for "normal" users... the greater your ability to understand and write code, the more freedom you get. The less you understand your computer, the more you rely on the defaults... and thus are probably better served with Chrome or Firefox, because they are already taking care of those users and their needs for the most part.
back2themoon wrote (2023-12-17, 19:07):
That sounds unfair. Surely you can't call PM a program where "nothing can be configured"? Just to save "several kilobytes of extension clutter" and for not adding a somewhat esoteric option?
I agree that it sounds unfair. Honestly I'm wondering if I've blown this whole argument out of proportion... it hardly matters what we do at this point anyway, since the extension already does most of the damage I was afraid the pref would do anyway. Probably nothing would be hurt by giving Kris what he wants that wasn't already hurt by uBO implementing this. A lot of our users have it installed anyway. I guess I just don't want this to become a precedent, and feel like some of the reasoning is a bit unfair, more than I care about the actual feature one way or another at this point. We started off talking about CSP, and ended up talking about what the ideal of user freedom means and whether we're living up to it.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

Moonchild (Pale Moon guru; Posts: 35650; Joined: 2011-08-28, 17:27; Location: Motala, SE)
Re: CSP used for spying on blocked domains(?)
Post by Moonchild » 2023-12-17, 21:58

"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

athenian200 (Contributing developer; Posts: 1537; Joined: 2018-10-28, 19:56; Location: Georgia)
Re: CSP used for spying on blocked domains(?)
Post by athenian200 » 2023-12-17, 23:29

Yeah, I think back2themoon made an important point. The cost of alienating an advanced user who feels strongly about this and is willing to help people would be quite high, especially given that not having the pref wouldn't stop users from doing it anyway. The argument became totally academic/philosophical once it was pointed out uBO could already do it.

While I do not think we should have to bend the knee like this to prove our goodwill, the fact is in this case it literally requires less typing to implement the feature than to keep arguing. That this is being done over our objections and against spec has been duly noted, and the feature is on track for the next release.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

Kris_88 (Keeps coming back; Posts: 940; Joined: 2021-01-26, 11:18)
Re: CSP used for spying on blocked domains(?)
Post by Kris_88 » 2023-12-19, 06:13

Thanks guys.

It turns out that I put pressure on you, although I had no such intention.
Sorry.

And, yes, you do not need to prove your good will. The very fact that you are doing this project is the best proof.

What I'm trying to convince you of is really in the realm of philosophy... this is not a requirement or a whim of the user on my part, like "give me what I want". And to be honest, sometimes I’m surprised that it takes convincing at all...

athenian200 (Contributing developer; Posts: 1537; Joined: 2018-10-28, 19:56; Location: Georgia)
Re: CSP used for spying on blocked domains(?)
Post by athenian200 » 2023-12-19, 09:19

Kris_88 wrote (2023-12-19, 06:13):
Thanks guys.

It turns out that I put pressure on you, although I had no such intention.
Sorry.

And, yes, you do not need to prove your good will. The very fact that you are doing this project is the best proof.

What I'm trying to convince you of is really in the realm of philosophy... this is not a requirement or a whim of the user on my part, like "give me what I want". And to be honest, sometimes I’m surprised that it takes convincing at all...
Yeah, I'm sorry I got so argumentative about the whole thing. It's all good. :)

I suppose the whole "disabling CSP reporting without disabling CSP" thing just seemed like a very dangerous thing at first that could negatively impact Pale Moon's trust rating with other websites, and we're already kinda struggling with that (SmartScreen and banking websites), so I was a bit upset that a user was requesting a feature that, in my mind, would make that problem even worse. That was my original reason for not wanting to do it.

But as the discussion went on and we learned uBO has already been doing it, and that Firefox got away with it in later versions, it became less of a practical objection. By the end, I realized I was having this argument and potentially alienating a helpful user, with the only possible "gain" if I "win" being that users have to use a sketchy add-on that is rarely updated anyway to do something in a clunky way via JS, rather than have the feature done better in C++ with a couple lines of code. And... that just really isn't a goal worth fighting for. At least with our pref, users know the behavior could cause problems. With uBO, they might just see it and think it's a "cool privacy feature," rather than an option of last resort to be used only if you are sure of what you're doing. Sure, they'll still have access to uBO, because we believe people have the right to install any extension they want pretty much, but they'll now have one less incentive to download it, which is perhaps for the best given that it has a penchant for making the browser behave in ways we didn't intend/anticipate regarding very security-sensitive stuff...
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

pale guru (Moonbather; Posts: 62; Joined: 2021-11-06, 11:10; Location: Tyskland)
Re: CSP used for spying on blocked domains(?)
Post by pale guru » 2024-01-06, 01:36

Btw, https://www.dhl.de/de/privatkunden.html causes Pale Moon to say:
Content Security Policy: Couldn’t process unknown directive ‘script-src-elem’ 1 (unknown)

The element is used as
script-src-elem 'self' 'unsafe-eval' 'unsafe-inline'

Is this script-src-elem not yet implemented in Pale Moon, or is it incorrectly implemented by the web site?
… tanning in dimmed LCD light. – Evry 1′s a beginner, baby, that's the truth…

RealityRipple (Astronaut; Posts: 666; Joined: 2018-05-17, 02:34; Location: Los Berros Canyon, California)
Re: CSP used for spying on blocked domains(?)
Post by RealityRipple » 2024-01-06, 01:44

Part of CSP3, which is only implemented in Chrome. Hopefully they're using a similar script-src fallback.
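As an added illustration of the fallback RealityRipple is hoping for (example code written for this edit; it is not from this thread, from uBO, or from the Pale Moon/UXP code base), the snippet below models CSP3's rule that a script element is governed by script-src-elem, falling back to script-src and then default-src, while a user agent that does not know script-src-elem skips it and continues down the chain. The directive sets, the policy strings (one of them built from the directive pale guru quoted above), and the simplified inline check (nonces and hashes are not modelled) are assumptions constructed for the example.

```python
# Added example (not code from the Pale Moon project or any post in this thread).
# Models CSP3's fallback chain for <script> elements:
#   script-src-elem -> script-src -> default-src
# and compares how a CSP2-level UA (which does not know script-src-elem) and a
# CSP3-level UA evaluate the same policy.
from typing import Dict, List, Optional, Tuple

# Directive names a CSP2-level user agent understands (constructed subset).
CSP2_DIRECTIVES = frozenset({"default-src", "script-src", "style-src", "img-src",
                             "connect-src", "report-uri"})
# A CSP3-level user agent additionally understands the -elem/-attr split.
CSP3_DIRECTIVES = CSP2_DIRECTIVES | {"script-src-elem", "script-src-attr",
                                     "style-src-elem", "style-src-attr", "report-to"}

# Fallback chain for a <script> element, per CSP3: later entries are consulted
# only when earlier ones are absent from (or unknown to) the policy evaluator.
SCRIPT_ELEMENT_CHAIN = ("script-src-elem", "script-src", "default-src")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}.
    Names are case-insensitive; only the first occurrence of a name counts."""
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:  # duplicate directives are ignored, as in the spec
            directives[name] = parts[1:]
    return directives


def effective_script_directive(policy: str,
                               known: frozenset) -> Optional[Tuple[str, List[str]]]:
    """Return (directive, values) governing <script> elements for a UA that
    understands the directive names in `known`, or None if nothing governs them.
    An unknown directive is skipped (the "Couldn't process unknown directive"
    case Pale Moon logs) and the next link in the chain is consulted instead."""
    directives = parse_csp(policy)
    for name in SCRIPT_ELEMENT_CHAIN:
        if name in directives and name in known:
            return name, directives[name]
    return None


def inline_scripts_allowed(policy: str, known: frozenset) -> bool:
    """Simplified check: inline <script> runs if the governing directive carries
    'unsafe-inline', or if no directive governs scripts at all. Nonces and
    hashes are deliberately not modelled."""
    governing = effective_script_directive(policy, known)
    if governing is None:
        return True  # no applicable directive: CSP places no restriction
    return "'unsafe-inline'" in governing[1]


# Constructed sample policies. ELEM_ONLY uses the directive quoted in the thread
# with no script-src or default-src fallback behind it.
WITH_FALLBACK = ("script-src-elem 'self' 'unsafe-inline'; "
                 "script-src 'self'; default-src 'none'")
ELEM_ONLY = "script-src-elem 'self' 'unsafe-eval' 'unsafe-inline'"

if __name__ == "__main__":
    for label, pol in (("with fallback", WITH_FALLBACK), ("elem only", ELEM_ONLY)):
        for ua, known in (("CSP3 UA", CSP3_DIRECTIVES), ("CSP2 UA", CSP2_DIRECTIVES)):
            print(f"{label:13s} {ua}: governed by",
                  effective_script_directive(pol, known),
                  "| inline allowed:", inline_scripts_allowed(pol, known))
```

The interesting row is ELEM_ONLY under the CSP2 UA: with no script-src or default-src behind script-src-elem, the older browser finds nothing that governs scripts at all, so the site's policy silently imposes no script restriction there. A policy author who wants older user agents covered has to ship the fallback directive alongside the CSP3 one.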