Ask HN: Should browser extensions mess with Content-Security-Policy

2 points by putlake over 6 years ago

Browser extensions are installed by the user, so the user should be able to do what they want with the contents of the resources they download. Users want to block ads, block Javascript -- that's fine; it's their prerogative.

But I noticed recently that EasyList has blocked all inline JavaScript for my website. They force the following Content-Security-Policy (CSP) directive on all pages of my site: "script-src 'self' * blob: data:"

This breaks the site in many different ways, e.g. articles embed YouTube videos, which are loaded via inline Javascript. Users install Adblock to block ads. But ad blockers are now breaking the site functionality, which isn't fair. So I did some digging around how this works.

You might think you can use <noscript> tags to warn users who have Javascript turned off that they are missing some functionality. But we do that already. The problem is that when a browser extension overrides the CSP to block inline Javascript only, the noscript warnings don't appear, because as far as the browser is concerned, JS is allowed.

What's worse, if you have a more restrictive CSP directive like script-src sub.mytrusteddomain.com, EasyList still forces their version (script-src 'self' * blob: data:) onto the page. This is a clear loss for security. And 99.999% of the users won't realize their ad blocker is doing this.

Please avoid soapbox comments on how ads are evil. This question is not about adblocking. It is specifically about messing with the CSP directives and blocking inline Javascript.
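The loss of security the post describes can be made concrete with a small model of CSP script-src matching. This is an added example, not code from the post; it assumes a constructed page origin and third-party host, handles only `'self'`, `'unsafe-inline'`, `*`, `blob:`, `data:` and bare host expressions (no nonces, hashes, ports, paths or default-src fallback), and treats a script as either `{ inline: true }` or `{ url: ... }`.

```javascript
// Added example (not from the post): a simplified model of CSP script-src
// matching. Simplifications: no nonces/hashes, no scheme-prefixed or
// wildcard hosts, no ports/paths, and default-src fallback is ignored.
function parseScriptSrc(policy) {
  // Return the script-src source list, or null if the policy has none.
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] === "script-src") return tokens.slice(1);
  }
  return null;
}

function sourceMatches(expr, script, pageOrigin) {
  // Inline code runs only if the list explicitly contains 'unsafe-inline';
  // '*' and host expressions never match inline code.
  if (script.inline) return expr === "'unsafe-inline'";
  const u = new URL(script.url);
  switch (expr) {
    case "'self'": return u.origin === pageOrigin;
    case "*":      return u.protocol === "https:" || u.protocol === "http:";
    case "blob:":
    case "data:":  return u.protocol === expr;
    default:       return u.host === expr; // bare host expression
  }
}

function allowsScript(policy, script, pageOrigin) {
  const list = parseScriptSrc(policy);
  if (list === null) return true; // no script-src: unrestricted in this model
  return list.some((expr) => sourceMatches(expr, script, pageOrigin));
}

// Browsers enforce every delivered policy: a script must satisfy all of them.
// Replacing the site's header, as the post describes, skips this step.
function allowsScriptUnderAll(policies, script, pageOrigin) {
  return policies.every((p) => allowsScript(p, script, pageOrigin));
}

const PAGE_ORIGIN = "https://example.com"; // constructed page origin
const SITE_POLICY = "script-src sub.mytrusteddomain.com"; // from the post
const EXTENSION_POLICY = "script-src 'self' * blob: data:"; // from the post
const THIRD_PARTY = { url: "https://third-party.example/x.js" }; // constructed

function demo() {
  return {
    inlineUnderExtension: allowsScript(EXTENSION_POLICY, { inline: true }, PAGE_ORIGIN),
    thirdPartyUnderSite: allowsScript(SITE_POLICY, THIRD_PARTY, PAGE_ORIGIN),
    thirdPartyReplaced: allowsScript(EXTENSION_POLICY, THIRD_PARTY, PAGE_ORIGIN),
    thirdPartyStacked: allowsScriptUnderAll([SITE_POLICY, EXTENSION_POLICY], THIRD_PARTY, PAGE_ORIGIN),
  };
}
```

`demo()` shows the two effects the post complains about: the extension's list still blocks inline code (no `'unsafe-inline'`), and replacing the site's stricter header with it admits a third-party host that the site's own policy rejected, whereas enforcing both policies together would not.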

no comments