182 points evilpie | 21 comments
1. davidmurdoch ◴[] No.43630753[source]
Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9 year old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

replies(4): >>43630784 #>>43630796 #>>43630948 #>>43630984 #
2. Semaphor ◴[] No.43630784[source]
Having fewer permissions for extensions than one might want seems fairly less important to making the browser more secure…
replies(2): >>43631143 #>>43641315 #
3. pama ◴[] No.43630796[source]
Wouldn’t fixing this bug reduce security?
replies(2): >>43630891 #>>43631166 #
4. shakna ◴[] No.43630891[source]
If you are using filter scripts, to block specific domains or script payloads, that extension can't load on a properly secured CSP page. And that page may be using CSP to protect throwing up ads... Or malware.
replies(1): >>43633800 #
5. gear54rus ◴[] No.43630948[source]
One of the possible workarounds would be to just remove the damn header before it causes any further inconvenience. I think they do allow `webRequest` API usage in the store, don't they?
replies(2): >>43630991 #>>43631303 #
6. evilpie ◴[] No.43630984[source]
While this is definitely annoying, most of the time this can be worked around by the extension without workarounds that themselves weaken security.

For example I helped uBlock Origin out in 2022 when they ran into this: https://github.com/uBlockOrigin/uBlock-issues/issues/235#iss...

replies(2): >>43631179 #>>43631287 #
7. evilpie ◴[] No.43630991[source]
Removing security headers like Content-Security-Policy is forbidden by the addons.mozilla.org policy.

https://extensionworkshop.com/documentation/publish/add-on-p...

replies(1): >>43631001 #
8. gear54rus ◴[] No.43631001{3}[source]
I don't think this is being enforced in practice, thankfully.
replies(1): >>43631306 #
9. joshuaissac ◴[] No.43631143[source]
Arguably, it can make it less secure by reducing the user's control over what content the browser loads or what scripts it executes. For example, users may be using extensions to selectively replace harmful content (like intrusive JavaScript, tracking) with benign content. It is a balance between security for the user and security for the website owner.
replies(2): >>43631244 #>>43633386 #
10. davidmurdoch ◴[] No.43631166[source]
No, it's explained more in the issue. An extension is a part of the "User Agent". The CSP header in FF is almost seemingly arbitrarily applied to extensions.
replies(1): >>43633794 #
11. KwanEsq ◴[] No.43631179[source]
And it's worth noting that since your comment later in that thread about sandbox being an issue, that's been fixed too as of Firefox 128: https://bugzilla.mozilla.org/show_bug.cgi?id=1411641
12. gear54rus ◴[] No.43631244{3}[source]
Exactly. It's been clearly established that web extensions' code is more privileged than page code, as it should be. The amount of people going 'muh sesoority' in this thread is baffling.
13. davidmurdoch ◴[] No.43631287[source]
Thanks for this! I'll look into implementing it soon.
14. davidmurdoch ◴[] No.43631303[source]
We modified the CSP to inject a per-user generated nonce that exempts its script from the policy.

They said this was not allowed and removed it from the extension store.

15. davidmurdoch ◴[] No.43631306{4}[source]
It is. It happened to us a few weeks ago.
replies(1): >>43631428 #
16. gear54rus ◴[] No.43631428{5}[source]
That's crazy. Did it happen to a public extension or an unlisted one?
replies(1): >>43631459 #
17. davidmurdoch ◴[] No.43631459{6}[source]
Public, with about half a million installations.

I think it was noticed only because this version had a major bug that broke a bunch of websites.

18. pessimizer ◴[] No.43633386{3}[source]
> It is a balance between security for the user and security for the website owner.

Which in the case of browsers should always be decided for the user, rather than balanced. The browser is a user agent. It is running on the user's hardware.

19. pama ◴[] No.43633794{3}[source]
Thanks!
20. pama ◴[] No.43633800{3}[source]
Thanks.
21. raxxorraxor ◴[] No.43641315[source]
In the current browser landscape I would think not. Firefox is no less secure than Chrome or Safari and both are subject to economic incentives. You could even argue these issues negatively relate to security as well.