Ublock: Some privacy settings grayed out

Created on 21 Mar 2018 · 6 Comments · Source: gorhill/uBlock

Describe the issue

From the privacy settings only "Block CSP reports" is not grayed out. Is this expected? How can I switch the grayed out options? (In particular "Prevent WebRTC from leaking local IP addresses".)

One or more specific URLs where the issue occurs

Screenshot in which the issue can be seen

screenshot from 2018-03-21 20-46-01

Steps for anyone to reproduce the issue

Your settings

  • OS/version: 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux
  • Browser/version: Firefox 52.7.2 (64-bit)
  • uBlock Origin version: 1.15.18
Your filter lists
Your custom filters (if any)
invalid

All 6 comments

Hello,

Content Security Protocol reporting is toggled off by default; this is intended. This is for advanced users only, because you need to understand what CSP does, as it can greatly help website developers and thus the internet ecology as a whole. However, there are 2 sides to the coin of CSP.

CSP allows websites to set 'trusted sources', mostly URLs to load JavaScript on their website; this is supposed to prevent cross-site scripting attacks. A widely known XSS attack that was very common in the early 2000s was that when you went to your bank website while you had specific other websites open, these websites would load a false 'frame' on top of your bank login site. You would think you were logging into your bank account, but in actuality you were handing over your information to the XSS attacker, who then logged into your bank account instead.

Leaving the feature off by default is recommended for non-advanced users.

In 2015, over ~90% of the top 1000 sites use the code 'unsafe-inline' in their CSP; this means those website owners are clueless and allow tertiary people to inject JavaScript within their CSP and use it to initiate MITM/XSS attacks. Thus CSP is largely ineffective against XSS due to cluelessness of website operators; however, banks in the overwhelming majority, in part due to their mass fraud payments, have listened and learned and have a correct OCSP.

More info:
https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#block-csp-reports
https://www.ghacks.net/2017/10/19/ublock-criticized-for-blocking-csp/

@OpenBSD-Neurotik Thanks for your reaction. I didn't ask my question well and have updated it. I'm more asking why the other ones are grayed out and how I can unblock them.

Because it's not supported in your setup.

Leaving the feature off by default is recommended for non-advanced users.

This is absolutely wrong and this needs correction: nowhere do I ever say this.

Again a case of confusion between "CSP" and "CSP _report_". uBO never touches sites' CSP if any. The setting concerns only CSP reports.

Seems similar to this issue #2806.

v1.14.4 release notes:

The pushed out 1.14.0 on Firefox ESR isn't webext compatible

  • As per popular demand, I set the minimum version to 52.0. However be warned that some features are not available, like the privacy settings for example.

From the wiki:

With Firefox 52 specifically, some features in uBO/webext may be disabled.

Is that Firefox ESR (legacy)? If so, please use the legacy version (v1.13.8) and disable the auto-update for uBO.
