Ublock: CSP warning for injected GA script on steamcommunity

Created on 22 Mar 2017 · 2 Comments · Source: gorhill/uBlock

Describe the issue

If I visit steamcommunity, I get CSP warnings in the console.

One or more specific URLs where the issue occurs

https://steamcommunity.com/#scrollTop=5016

Steps for anyone to reproduce the issue

Visit https://steamcommunity.com/#scrollTop=5016
Check the console
You will find:

Content Security Policy: The settings of the page blocked loading the ressource on:
data:application/javascript;base64,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
("script-src https://steamcommunity.com 'unsafe-inline' 'unsafe-eval' https://steamcommunity-a.akamaihd.net/ https://api.steampowered.com/ https://*.google-analytics.com https://www.google.com https://www.gstatic.com https://apis.google.com").

Decoding the base64 block reveals a GA script with a lot of "noops", so I assume it is the version that UBO is trying to inject.

Your settings

  • Browser/version: FF 51
  • uBlock Origin version: 1.11.4

Your filter lists

Default+ YT Annoyances & Fanboys Annoyance List

All 2 comments

The warning is normal if the site does not allow data: URI.

@gorhill, I don't think injected scripts from extensions like UBO should trigger this warning.
It is an indicator that we are messing with the site first and isn't an error that can be fixed by the site owner if reported by the CSP policy second. We should avoid triggering such reports.
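
Added example (not part of the original thread and not uBlock Origin code): a simplified script-src matcher in JavaScript, run against the policy quoted in the console message, showing why a script loaded from a data: URL is refused even though 'unsafe-inline' is present. It ignores ports, paths and default-src fallback; the function names and the sample data: URL are constructed for illustration.

```javascript
// Simplified CSP script-src source-list matching (a sketch, not a full CSP3 implementation).
// Policy string copied from the console message quoted in the issue.
const PAGE_POLICY =
  "script-src https://steamcommunity.com 'unsafe-inline' 'unsafe-eval' " +
  "https://steamcommunity-a.akamaihd.net/ https://api.steampowered.com/ " +
  "https://*.google-analytics.com https://www.google.com " +
  "https://www.gstatic.com https://apis.google.com";

// Constructed placeholder payload, standing in for the injected script.
const SAMPLE_DATA_URL = "data:application/javascript;base64,QUJD";

// Return the source expressions of one directive, or null if it is absent.
function getSources(policy, directive) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === directive) return tokens.slice(1);
  }
  return null;
}

// Does a single source expression match the URL of a script load?
function sourceMatches(source, url) {
  // Keywords ('unsafe-inline', 'unsafe-eval', nonces, hashes) never match a URL.
  if (source.startsWith("'")) return false;
  // Scheme-source such as "data:" matches on the scheme alone.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // A bare "*" does not cover data:, blob: or filesystem: URLs.
  if (source === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  // Host-source: optional scheme, then host (port and path are ignored in this sketch).
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && url.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[2].toLowerCase();
  return host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
}

function scriptUrlAllowed(policy, scriptUrl) {
  const sources = getSources(policy, "script-src");
  if (sources === null) return true; // no script-src: default-src fallback not modelled
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url));
}

console.log("data: URL under page policy:", scriptUrlAllowed(PAGE_POLICY, SAMPLE_DATA_URL));
console.log("data: URL if policy listed data:", scriptUrlAllowed(PAGE_POLICY + " data:", SAMPLE_DATA_URL));
```
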
