It is 100% clear to me that differences of opinion will result in drawing the line on an ad blocker's default configuration in different places.
Would you mind sharing how long your browser was sending CSP reports to 3rd parties before you knew about it? I personally was unaware [edit]this could happen to me in Chrome with uBlock Origin installed[/edit] until this issue came up, and a free pass through ad blockers to a 3rd party seems like an advertising/tracking company's dream come true.
> JavaScript CDNs to images. No one is suggesting these should be blocked, right?
Many of these [edit](specifically: tracking pixels and just straight up ad images)[/edit] are blocked by ad blockers in the default configuration.
> The Tor-captcha-thing was about leaking the origin IP of the Hidden Service, so I don't see how it's similar.
Thank you for the correction. I apparently imagined this referenced when partial VPN or Tor is insecurely used only to access specific domains, or DNS is not also routed through.
> Would you mind sharing how long your browser was sending CSP reports to 3rd parties before you knew about it?
I'm not sure what you're asking - when did I become aware of this possibility? I guess when I learned about CSP?
> I personally was unaware this was possible until this issue came up, and a free pass through ad blockers to a 3rd party seems like an advertising/tracking company's dream come true.
Adblockers block requests to things like Google Analytics by matching the domain (and other patterns). Why is this not an acceptable solution for CSP? If tracking tools start using CSP for this, they'll be added to the filter lists, just like any other tracking script. We're not asking uBlock to block all third-party requests on the off-chance it might be an ad or tracking service, so why would we do that for CSP?
> Many of these are blocked by ad blockers in the default configuration.
Do you have a source for this? This would break a large number of sites. uBlock seems to have an experimental feature that mirrors certain popular CDN URLs locally, but it doesn't seem to be enabled by default and the Wiki page hasn't been updated in over two years. AIUI, even with this feature enabled, requests to non-popular (non-local) assets would still go through.
> Why is this not an acceptable solution for CSP? If tracking tools start using CSP for this, they'll be added to the filter lists, just like any other tracking script. We're not asking uBlock to block all third-party requests on the off-chance it might be an ad or tracking service
This is a good question! When a new technology arrives that allows tracking, I prefer uBlock default to blocking it. Advertising/tracking companies pursue the bleeding edge in their cat & mouse game; this way the barn door is closed before the horse leaves (two too many animal analogies?). I do understand that others will pursue a different choice, and encourage disclosure by those doing so because money is on the line.
The discussion regarding CSP has resulted in a change in uBlock's default behavior which I will take into consideration the next time I re-evaluate which ad blocker to use.
PS. In case it's not clear, I originally commented:
> Personally I would prefer only same-origin reports.
PPS. This is a much juicier target assuming it works when JavaScript is disabled.
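As an added example (not code from the thread, uBlock Origin or any browser), here is a check that flags the case the thread is about: CSP report endpoints that point to an origin other than the page's own, via the legacy `report-uri` directive or `report-to` resolved through a `Reporting-Endpoints` header. The header values and hostnames are constructed for illustration.

```python
"""Flag CSP report endpoints that would send violation reports off-origin."""
from urllib.parse import urljoin, urlparse

# Constructed sample headers: one same-origin report-uri, one cross-origin
# report-uri, and a report-to group resolved through Reporting-Endpoints.
PAGE_URL = "https://example.com/article"
SAMPLE_CSP = ("default-src 'self'; img-src 'self' https://cdn.example.net; "
              "report-uri /csp https://collector.example-tracker.test/r; "
              "report-to tracker")
SAMPLE_REPORTING_ENDPOINTS = 'tracker="https://collector.example-tracker.test/v2"'


def _origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def csp_report_endpoints(csp: str, reporting_endpoints: str = "") -> list[str]:
    """Return every report URL named by the CSP header, as written."""
    groups: dict[str, str] = {}
    for item in reporting_endpoints.split(","):
        if "=" in item:  # Reporting-Endpoints: name="https://..."
            name, _, url = item.strip().partition("=")
            groups[name.strip()] = url.strip().strip('"')
    endpoints: list[str] = []
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        if name == "report-uri":
            endpoints.extend(values)
        elif name == "report-to":
            endpoints.extend(groups[g] for g in values if g in groups)
    return endpoints


def third_party_report_targets(page_url: str, csp: str,
                               reporting_endpoints: str = "") -> list[str]:
    """Report URLs whose origin differs from the page origin (reports leak there)."""
    page = _origin(page_url)
    # Relative report-uri values resolve against the page, so they stay same-origin.
    return [ep for ep in csp_report_endpoints(csp, reporting_endpoints)
            if _origin(urljoin(page_url, ep)) != page]


if __name__ == "__main__":
    for target in third_party_report_targets(PAGE_URL, SAMPLE_CSP,
                                             SAMPLE_REPORTING_ENDPOINTS):
        print("cross-origin CSP report endpoint:", target)
```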