Recently I updated the setup on my personal blog. I enabled Content-Security-Policy and set up a report-uri (so that I would get notified of any blocked content).
My expectation was that this would be empty. After all, my blog doesn’t host advertising or user-generated content. But to my surprise, I saw some blocked-content notifications for rasenalong>dot>com (purposely not made a link here). Huh? What is that? Let’s dig in.
After some research I found that some users were getting ads and other scummy content injected into my site. I purposely don’t place ads on it; I don’t want someone else’s message showing up. How could this be? What might those ads say?
It turns out these users have a piece of malware called ‘LNKR’. It was injecting JavaScript into my served page and then placing ads and tracking my users.
I am appalled. My new changes mean that the user’s browser will block content that gets injected. So no more ads for me, showing who knows what.
If you have not enabled Content-Security-Policy, or if you just want to check your site, head on over to observatory.mozilla.org. It’s 1 minute, it’s free, it’s great.
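To show what the report-uri side of this looks like, here is an added example (not code from the blog) that parses a CSP header, takes one violation report of the kind a browser POSTs to report-uri, and flags blocked hosts the policy never allowed. The policy, the blog origin and the domain names in the sample report are all constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed policy: what the blog's Content-Security-Policy header is assumed to carry.
CSP_HEADER = ("default-src 'self'; script-src 'self' https://cdn.example.net; "
              "report-uri /csp-report")
SITE_ORIGIN = "https://blog.example"  # assumed origin of the blog

def parse_policy(header):
    """Split a CSP header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def allowed_hosts(policy, directive, site_origin=SITE_ORIGIN):
    """Hosts a directive permits; fall back to default-src as a browser would."""
    sources = policy.get(directive, policy.get("default-src", []))
    hosts = set()
    for src in sources:
        if src == "'self'":
            hosts.add(urlparse(site_origin).hostname)
        elif src.startswith(("http://", "https://")):
            hosts.add(urlparse(src).hostname)
    return hosts

def triage_report(report_json, policy, site_origin=SITE_ORIGIN):
    """Classify one report-uri POST body (the {"csp-report": {...}} wrapper).
    Returns (blocked host or token, verdict)."""
    body = json.loads(report_json)["csp-report"]
    blocked = body.get("blocked-uri", "")
    directive = (body.get("effective-directive")
                 or body.get("violated-directive", "").split(" ")[0])
    host = urlparse(blocked).hostname
    if host is None:               # 'inline', 'eval', 'data' and similar tokens
        return blocked, "inline-or-scheme"
    if host in allowed_hosts(policy, directive, site_origin):
        return host, "allowed"     # a source the policy already permits
    return host, "unexpected-third-party"   # candidate injected script, worth a look

# Constructed sample report, shaped like what a browser POSTs to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://blog.example/posts/csp",
    "effective-directive": "script-src",
    "violated-directive": "script-src 'self' https://cdn.example.net",
    "blocked-uri": "https://injected-ads.example/loader.js"}})

print(triage_report(SAMPLE_REPORT, parse_policy(CSP_HEADER)))
```

Fed with a day's worth of reports, the "unexpected-third-party" hosts are the ones to investigate; a browser extension or malware injecting scripts, as in the LNKR case above, shows up as a host that is neither the site itself nor a CDN you chose.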
I’ve done a short video to talk about this, feel free to watch and subscribe.