Security vs. Privacy


#1

Hi, there is a security feature called Content-Security-Policy. It is not directly SSL related, but it can reveal
the usage of plugins like STYLISH or AD-Blocker. How?
It tells the browser to send a report to a selected URL in the case of a security violation.
This contains script samples like "var FuckAdBlock = function () {\n …" or "var BlockAdBlock = function () {\n …".
It even allows detecting whether the page was loaded by a bot or via a browser, if the page contains a violation on purpose.

I think this is a new vector. Till now I already knew of SSL-Session, TLS-SessionTicket, Pinning (via Script) or
HSTS for tracking a user.


#2

I’m not quite sure I understand your post… (Partly, for me, because English isn’t your native language :stuck_out_tongue:) Do you have this from some kind of blog post? Perhaps you could share the URL?


#3

Hi, sorry, I found this on my own. It started when I tried to reach A+ on the "https://observatory.mozilla.org/" rating page.
One part of the rating is the Content-Security-Policy header. After disallowing unsafe inline for style and script, I received CSP reports. CSP reports are sent by the browser if the page violates the policy.
For my page I have the rule:

content-security-policy: upgrade-insecure-requests; default-src https:; script-src 'self'; style-src 'self'; object-src 'self'; frame-ancestors 'self'; report-uri https://suche.org/csp.report

Now Adblock or Stylish modify the page and inject style rules or script code into the HTML page so that ads and unwanted elements get changed. But this violates the policy delivered by the HTTP header.
Now the browser sends a report to the given report URL describing what was violated. For example:

{
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "https://suche.org/page/letsEncryptServlet",
    "line-number": 1,
    "original-policy": "upgrade-insecure-requests; default-src https:; script-src https://suche.org; style-src https://suche.org; object-src https://suche.org; frame-ancestors https://suche.org; report-uri https://suche.org/csp.report",
    "referrer": "https://suche.org/",
    "script-sample": "var FuckAdBlock = function () {\n …",
    "source-file": "https://suche.org/page/letsEncryptServlet",
    "violated-directive": "script-src https://suche.org"
  }
}
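The report-uri endpoint described in the post above receives exactly this JSON, so the interesting part for a practitioner is how to tell an extension-injected violation from a genuine policy gap on the page. The following is an added example, not code from the thread or from suche.org: a small report receiver that parses the CSP Level 1 "csp-report" wrapper shown above and classifies each report. The marker strings come from the two script samples quoted in the thread; the extension URL schemes, the treatment of blocked-uri "self"/"inline" as inline code, the port, and the two sample bodies are assumptions constructed for this example.

```python
"""Classify Content-Security-Policy violation reports posted to a report-uri.

Added example, not code from the forum thread. It assumes the report shape
quoted in the thread (the CSP Level 1 "csp-report" wrapper) and a hand-picked
list of marker strings seeded from the two samples in the thread.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Union

# Script-sample fragments that, on the page discussed above, came from a browser
# extension rewriting the page rather than from the site's own inline code.
# Constructed marker list: extend it from your own report logs.
EXTENSION_SCRIPT_MARKERS = (
    "var FuckAdBlock = function",
    "var BlockAdBlock = function",
)

# URL schemes that only a browser extension can produce as a blocked source.
EXTENSION_SCHEMES = ("chrome-extension:", "moz-extension:", "safari-extension:")

# Values browsers put in blocked-uri when the offending code is inline:
# "self" in the report quoted in the thread (Firefox), "inline" in Chrome.
INLINE_BLOCKED_URI = {"self", "inline", ""}

EMPTY_VERDICT = {"valid": False, "source": "unknown", "inline": False, "markers": []}


def classify_csp_report(body: Union[bytes, str]) -> dict:
    """Return a verdict for one report-uri POST body.

    source is "extension" (known injected code or an extension URL),
    "page" (a resource the page itself loaded but the policy forbids) or
    "unknown" (inline code with no recognised marker).
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    try:
        outer = json.loads(body)
    except json.JSONDecodeError:
        return dict(EMPTY_VERDICT)
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        return dict(EMPTY_VERDICT)

    blocked = str(report.get("blocked-uri", ""))
    sample = str(report.get("script-sample", "") or "")
    directive = str(report.get("violated-directive", ""))

    inline = blocked in INLINE_BLOCKED_URI
    markers = [m for m in EXTENSION_SCRIPT_MARKERS if m in sample]

    if markers or blocked.startswith(EXTENSION_SCHEMES):
        source = "extension"
    elif inline and directive.startswith(("script-src", "style-src")):
        # Forbidden inline code without a known marker: either the site's own
        # leftover inline script/style or an extension not in the marker list.
        source = "unknown"
    else:
        source = "page"

    return {
        "valid": True,
        "source": source,
        "inline": inline,
        "markers": markers,
        "directive": directive.split(" ", 1)[0],
        "document": str(report.get("document-uri", "")),
    }


class ReportHandler(BaseHTTPRequestHandler):
    """Minimal report-uri endpoint: read the body, classify it, log, answer 204."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        # Cap the body: the report is client-controlled input, never trust its size.
        verdict = classify_csp_report(self.rfile.read(min(length, 64 * 1024)))
        # Log the verdict only; never echo the report back to the client.
        self.log_message("csp-report %s", json.dumps(verdict))
        self.send_response(204)
        self.end_headers()


# Constructed sample bodies (not captured traffic): the first mirrors the report
# quoted in the thread, the second is a violation caused by the page itself.
SAMPLE_EXTENSION_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "self",
    "document-uri": "https://suche.org/page/letsEncryptServlet",
    "violated-directive": "script-src https://suche.org",
    "script-sample": "var FuckAdBlock = function () {\n ...",
}})
SAMPLE_PAGE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://cdn.example.test/widget.js",
    "document-uri": "https://suche.org/",
    "violated-directive": "script-src https://suche.org",
}})

if __name__ == "__main__":
    for name, body in (("extension", SAMPLE_EXTENSION_REPORT), ("page", SAMPLE_PAGE_REPORT)):
        print(name, classify_csp_report(body))
    # Assumed local port; point report-uri at this address to collect live reports.
    HTTPServer(("127.0.0.1", 8088), ReportHandler).serve_forever()
```

Run it and POST either sample body to http://127.0.0.1:8088/ to see the verdict in the server log. The 204 response and the refusal to echo the body matter because the endpoint accepts unauthenticated JSON from any client; anyone can forge reports, so the verdicts are a signal about the visitor's browser, not evidence to act on automatically.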


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.