182 points evilpie | 5 comments
davidmurdoch No.43630753
Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9-year-old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

replies(4): >>43630784 #>>43630796 #>>43630948 #>>43630984 #
gear54rus No.43630948
One of the possible workarounds would be to just remove the damn header before it causes any further inconvenience. I think they do allow `webRequest` API usage in the store, don't they?
replies(2): >>43630991 #>>43631303 #
1. evilpie No.43630991
Removing security headers like Content-Security-Policy is forbidden by the addons.mozilla.org policy.

https://extensionworkshop.com/documentation/publish/add-on-p...

replies(1): >>43631001 #
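The two posts above describe a workaround (dropping the Content-Security-Policy header from a blocking `webRequest.onHeadersReceived` listener) and the AMO policy that forbids it. As an added illustration of how such a policy can be checked mechanically, here is a small heuristic scanner over extension JavaScript. It is not part of the thread and is not Mozilla's review tooling; the two extension snippets it scans are constructed samples, and the rule it applies (a `blocking` listener that both names a security header and mutates the header list) is an assumption about what a reviewer would look for.

```python
import re

# Constructed sample: a blocking onHeadersReceived listener that filters the
# CSP header out of the response (the pattern the thread says AMO forbids).
STRIPPING_SAMPLE = r"""
browser.webRequest.onHeadersReceived.addListener(
  (details) => {
    const responseHeaders = details.responseHeaders.filter(
      (h) => h.name.toLowerCase() !== "content-security-policy"
    );
    return { responseHeaders };
  },
  { urls: ["<all_urls>"] },
  ["blocking", "responseHeaders"]
);
"""

# Constructed sample: a blocking listener that only reads the CSP header and
# returns nothing, so the headers reach the page unchanged.
BENIGN_SAMPLE = r"""
browser.webRequest.onHeadersReceived.addListener(
  (details) => {
    for (const h of details.responseHeaders) {
      if (h.name.toLowerCase() === "content-security-policy") console.log(h.value);
    }
  },
  { urls: ["<all_urls>"] },
  ["blocking", "responseHeaders"]
);
"""

# Response headers a reviewer would not want an extension to remove (assumed list).
SECURITY_HEADERS = (
    "content-security-policy",
    "content-security-policy-report-only",
    "x-frame-options",
    "strict-transport-security",
)

LISTENER_RE = re.compile(r"onHeadersReceived\s*\.\s*addListener\s*\(")
# extraInfoSpec array containing "blocking": only then can the listener
# return a rewritten responseHeaders array.
BLOCKING_RE = re.compile(r"\[\s*[^\]]*[\"']blocking[\"']")
# Ways the header array is typically rewritten: filter, splice, delete, or
# a comparison that excludes a header by name.
MUTATION_RE = re.compile(r"\.filter\s*\(|\.splice\s*\(|\bdelete\b|!==?")


def _listener_chunks(js):
    """Yield (offset, text) for each onHeadersReceived listener, up to the next one."""
    starts = [m.start() for m in LISTENER_RE.finditer(js)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(js)
        yield start, js[start:end]


def find_header_stripping(js_source):
    """Return a list of {header, line} findings for listeners that look like
    they remove a security header. Heuristic only: a reviewer confirms by hand."""
    findings = []
    for offset, chunk in _listener_chunks(js_source):
        if not BLOCKING_RE.search(chunk):
            continue  # non-blocking listeners cannot change headers
        if not MUTATION_RE.search(chunk):
            continue  # header list is read but never rewritten
        lowered = chunk.lower()
        for header in SECURITY_HEADERS:
            # Word-boundary check so "content-security-policy" does not also
            # match "content-security-policy-report-only".
            if re.search(re.escape(header) + r"(?![\w-])", lowered):
                line = js_source.count("\n", 0, offset) + 1
                findings.append({"header": header, "line": line})
    return findings


if __name__ == "__main__":
    for name, src in (("stripping", STRIPPING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, find_header_stripping(src))
```

Run it directly and the stripping sample is reported at the line of its `addListener` call while the benign sample produces nothing. The check deliberately requires all three signals (blocking, a mutation, a security header name), since an extension that merely reads CSP values, or one that adds headers of its own, is not what the policy targets.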
2. gear54rus No.43631001
I don't think this is being enforced in practice, thankfully.
replies(1): >>43631306 #
3. davidmurdoch No.43631306
It is. It happened to us a few weeks ago.
replies(1): >>43631428 #
4. gear54rus No.43631428
That's crazy. Did it happen to a public extension or an unlisted one?
replies(1): >>43631459 #
5. davidmurdoch No.43631459
Public, with about half a million installations.

I think it was noticed only because this version had a major bug that broke a bunch of websites.