The issue is not present after wholly disabling uBlock Origin ("uBO") in the browser
I checked the documentation to understand that the issue I report is not a normal behavior
I tried to reproduce the issue when...
uBO is the only extension
uBO with default lists/settings
using a new, unmodified browser profile
Description
uBlock Origin allows you to redirect to its Chrome URL from certain sites such as GitHub. It's also possible to inject a JavaScript URL but CSP inside the extension prevents exploitation. This also works for redirecting to other uBlock locations within the extension.
https://subscribe.adblockplus.org/?location=javascript:alert(1)&title=EasyList
You can redirect to any other URL within the extension too:
https://subscribe.adblockplus.org/?location=dashboard.html%23about.html&title=EasyList
A specific URL where the issue occurs
https:
Steps to Reproduce
Expected behavior
JavaScript URLs should not be allowed.
Actual behavior
JavaScript URL is allowed and a CSP violation occurs.
uBlock Origin version
1.38.6
Browser name and version
Chrome 95.0.4638.69
Operating System and version
macOS 10.15.7
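
One way to validate the `location` parameter of a subscribe link like the two above before it is used for anything, shown as an added example (it is not uBlock Origin's code and not part of the original report). The function name `parseSubscribeLink`, the HTTP(S)-only allowlist and the `lists.example` URL are assumptions.

```javascript
// Added example: validate the `location` parameter of a filter-list
// subscribe link. All names here are hypothetical.

// Assumption: filter lists are only ever fetched over HTTP(S).
const ALLOWED_SCHEMES = new Set(['https:', 'http:']);

// Returns { location, title } for an acceptable link, or null otherwise.
function parseSubscribeLink(href) {
    let link;
    try {
        link = new URL(href);
    } catch {
        return null;
    }
    const raw = link.searchParams.get('location');
    if (raw === null || raw === '') { return null; }

    // Parse WITHOUT a base URL: a relative value such as
    // "dashboard.html#about.html" throws here instead of being
    // resolved against the extension's own origin.
    let target;
    try {
        target = new URL(raw);
    } catch {
        return null;
    }
    // Scheme allowlist: rejects javascript:, data:, chrome-extension:, etc.
    if (!ALLOWED_SCHEMES.has(target.protocol)) { return null; }

    return {
        location: target.href,
        title: link.searchParams.get('title') || target.href,
    };
}

// Constructed inputs: the two links from the report plus a benign one.
const samples = [
    'https://subscribe.adblockplus.org/?location=javascript:alert(1)&title=EasyList',
    'https://subscribe.adblockplus.org/?location=dashboard.html%23about.html&title=EasyList',
    'https://subscribe.adblockplus.org/?location=https%3A%2F%2Flists.example%2Feasylist.txt&title=EasyList',
];
for (const s of samples) {
    console.log(s, '->', parseSubscribeLink(s));
}
```

The extension's CSP remains a second layer; the allowlist stops the value before it reaches any navigation or fetch call.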