EFForg / privacybadgerfirefox-legacy

LEGACY Privacy Badger for Firefox SEE README
https://www.eff.org/privacybadger

Causes CSP warnings resulting in disabled Canvas tracker detection #538

Open rugk opened 9 years ago

rugk commented 9 years ago

E.g. caused on GitHub.com

Reproduce:

  1. Do not leave this site. :wink: You can simply do it here.
  2. Open the developer console of Firefox (F12)

What happens: You see a warning that the script-src directive is violated.

What should happen: No warning, please... It's not bad, but it would be nice if your add-on were CSP-compliant.

Background info: GitHub sets the following JavaScript CSP:

script-src https://assets-cdn.github.com https://collector-cdn.github.com

And as this does not contain 'self', it prohibits the loading of JavaScript from github.com. And it seems that Privacy Badger injects JavaScript into the current site, so that the CSP blocks it.

SwartzCr commented 9 years ago

This might have to do with the canvas fingerprinting code @ghostwords wrote?

cooperq commented 9 years ago

Interesting, I do not get the CSP warning at all. But it also seems like it would only very rarely be the case that a site does not allow itself to run javascript. I don't even know how we can check that programmatically.

rugk commented 9 years ago

> But it also seems like it would only very rarely be the case that a site does not allow itself to run javascript.

Yes, this is rare, as most sites allow it, but that does not help if one site does not allow it.

> I don't even know how we can check that programmatically.

If you can somehow read the headers sent by the website... But why check it at all? I would rather move the javascript which is included there somehow out of the scope of the CSP or something like this - I mean there are plenty of other extensions which use javascript but do not inject it into the site in such a way that it causes CSP warnings. (at least as far as I know)

cooperq commented 9 years ago

Yes, but we inject javascript into the site to do things like cookie blocking and fingerprint and supercookie detection. So we have a good reason for it.

rugk commented 9 years ago

I doubt that it is needed for everything you listed. And yes of course you have a good reason, but it's also nice if add-ons are CSP-compliant. Because CSP also has a report-uri directive which allows web admins to get reports of every violation of this CSP. And there are already enough add-ons which violate this and cause unnecessary reports. Don't let Privacy Badger be one of these too.

Bernhard---H commented 9 years ago

I encountered the same problem with CSP and Privacy Badger on my website. My CSP looks like this:

script-src 'self'

Any errors seem to disappear if I add 'unsafe-inline' to script-src.

I didn’t test it, but this might also be a workaround for trackers to (partially) disable Privacy Badger :anguished:

rugk commented 9 years ago

> My CSP looks like this: script-src 'self'
> Any errors seem to disappear if I add 'unsafe-inline' to script-src.

In this case that's different from the one at GitHub, because here the missing self is causing the errors. However, are you sure that 'unsafe-inline' in the script-src is causing this? As on GitHub there is also no 'unsafe-inline' for script-src (only for style-src) and Firefox does not show any errors about this.

> I didn’t test it, but this might also be a workaround for trackers to (partially) disable Privacy Badger :anguished:

Ehm, how? Do you mean trackers could maybe modify the JS after Privacy Badger injected it?

Bernhard---H commented 9 years ago

Yes I’m sure. I do get the exact same error message in the console as on GitHub:

Content Security Policy: The page's settings blocked the loading of a resource at self

I even tried the GitHub-CSP on a plain html page and the error disappeared as soon as I added 'unsafe-inline' to the script-src.

> Do you mean trackers could maybe modify the JS after Privacy Badger injected it?

The injected JS must obviously be good for something. So what I meant is, if a website owner doesn’t like the idea of Privacy Badger blocking stuff, the website could disable inline JS and interfere with the add-on or maybe even disable important parts.

cooperq commented 9 years ago

Oh, interesting point. I think that the attack @Bernhard---H describes could actually prevent some types of heuristic detection and javascript cookie blocking. Right now I inject inline scripts into the page to do those things (which is what is causing the CSP warning). I wonder if there is a way we can prevent this from happening?

ghostwords commented 9 years ago

This seems like a difference in behavior between Chrome and Firefox.

In Chrome, fingerprinting.js gets injected according to manifest.json.

In Firefox, fingerprinting.js gets injected using pageMod in main.js.

In Chrome, scripts dynamically created by an extension's content script belong to that extension's ID, judging by the Sources tab of Dev Tools (and the absence of CSP warnings).

rugk commented 8 years ago

Just BTW:

> if a website owner doesn’t like the idea of Privacy Badger blocking stuff, the website could disable inline JS

There need not even be any bad intention behind this. Disabling inline JS is very much suggested when setting up a CSP (which can do so), so it is not only that there are CSP warnings, but obviously this also disables the Canvas tracker identification on all sites which are so security-aware and use CSP in such a way.
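
The header check raised earlier in the thread (reading a site's CSP to tell whether page-injected inline scripts will be blocked), as an added example that is not Privacy Badger code. The helper names `parseCsp` and `inlineScriptsBlocked` are hypothetical, the header value is assumed to hold a single policy, and only the first two sample policies come from the thread; the rest are constructed.

```javascript
// Added example, not Privacy Badger code; helper names are hypothetical.

// Parse one Content-Security-Policy value into Map(directive -> source list).
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the policy blocks a <script> element with inline text and no
// nonce, which is how the thread says the add-on injects its code.
function inlineScriptsBlocked(headerValue) {
  const csp = parseCsp(headerValue);
  // Fallback chain for script elements; with none present, no restriction.
  const sources = csp.get("script-src-elem") || csp.get("script-src") ||
    csp.get("default-src");
  if (sources === undefined) return false;
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const overridesInline = lower.some((s) =>
    /^'(nonce-|sha256-|sha384-|sha512-)/.test(s) || s === "'strict-dynamic'");
  return !lower.includes("'unsafe-inline'") || overridesInline;
}

const SAMPLE_POLICIES = [
  // From the thread: GitHub's policy and the 'self'-only policy.
  "script-src https://assets-cdn.github.com https://collector-cdn.github.com",
  "script-src 'self'",
  // Constructed samples.
  "script-src 'self' 'unsafe-inline'",
  "default-src 'self'; img-src *",
  "script-src 'unsafe-inline' 'nonce-Zm9vYmFy'",
  "img-src *",
];

for (const policy of SAMPLE_POLICIES) {
  console.log(inlineScriptsBlocked(policy) ? "blocked" : "allowed", "|", policy);
}
```

A result of "blocked" marks the sites on which detection that depends on page-injected inline scripts would silently stop working, which is the set the thread is concerned about.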