diff --git a/Per-site-switches.md b/Per-site-switches.md index a4501d0..9a80ffd 100644 --- a/Per-site-switches.md +++ b/Per-site-switches.md @@ -10,6 +10,7 @@ The per-site switches allows you to control uBlock's behavior on a per-site basi - [No large media elements](#no-large-media-elements) - [No cosmetic filtering](#no-cosmetic-filtering) - [No remote fonts](#no-remote-fonts) +- [No CSP reports](#no-csp-reports) *** 
@@ -101,4 +102,26 @@ Because of security and privacy concerns, many prefer to block all web fonts by This will block all web fonts everywhere by default, and in this case you can toggle off the switch to allow web fonts on a per-site basis. -**Caveat for Chromium-based browsers:** Chromium's webRequest API [does not specifically report requests of type `font`](https://developer.chrome.com/extensions/webRequest#type-ResourceType), fonts are reported as type `other`. Whether a request is for a font resource is inferred by uBlock using the "extension" of the path part of a URL. However a URL can be anything really, regardless of request type, so for Chromium-based browsers, uBlock **may** have to block a font **after** the request is made, when the response headers are received from the remote server -- as the response headers allow to identify for sure the type of a resource. \ No newline at end of file +*** + +## No CSP reports + +You can block network requests made as a result of your browser reporting Content Security Policy violations ("CSP reports") to a remote server (which can be 3rd-party to the site where the violation occurred). + +Consider this excerpt from [Reporting API / Privacy Considerations](http://wicg.github.io/reporting/#privacy) (my emphasis): + +> 8.6. Disabling Reporting +> +> [...] +> +> That said, it can’t be the case that this general benefit be allowed to take priority over the ability of a user to individually opt-out of such a system. Sending reports costs bandwidth, and potentially could reveal some small amount of additional information above and beyond what a website can obtain in-band ([NETWORK-ERROR-LOGGING], for instance). **User agents MUST allow users to disable reporting with some reasonable amount of granularity in order to maintain the priority of constituencies espoused in [HTML-DESIGN-PRINCIPLES].** + +There is currently no way to easily toggle CSP reporting in either Chromium of Firefox. 
This per-site switch is to address this shortcoming. + +Note that this switch is not currently available in the popup panel. However it is available as a global setting in the _Settings_ pane in uBO's dashboard, so that you can easily disable/enable CSP reporting globally. + +More advanced users can use the usual per-site switch syntax to more narrowly control the enabling/disabling of CSP report-related network requests: + + no-csp-reports: example.com true + +Note that as opposed to all other network requests, behind-the-scene network requests which are actual CSP report will also be filtered out according to `no-csp-reports` switch. So if you globally disable CSP reporting in uBO, this will also apply to behind-the-scene network requests. \ No newline at end of file
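Review bot: The removed line at the end of the "No remote fonts" section drops the "Caveat for Chromium-based browsers" paragraph, which is unrelated to the new "No CSP reports" section. That paragraph documents that fonts are reported as type `other` and that uBlock may have to block a font after the request is made. If this still holds, keep the caveat and only add the `***` separator after it; if it no longer holds, remove it in a separate change with its own explanation. In the added text, "in either Chromium of Firefox" should read "Chromium or Firefox", and "which are actual CSP report will also be filtered out according to `no-csp-reports` switch" should read "which are actual CSP reports ... according to the `no-csp-reports` switch". The rule example `no-csp-reports: example.com true` would benefit from one sentence stating what `true` means for that hostname, since the section otherwise only describes the global setting. The link to the Reporting API privacy section uses `http://`; consider `https://`.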