(attackanddefense.dev)

182 points evilpie | 2 comments | 09 Apr 25 09:34 UTC | HN request time: 0.457s | source

Show context

davidmurdoch ◴[09 Apr 25 10:51 UTC] No.43630753[source]▶

>>43630388 (OP) #

Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9 year old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

replies(4): >>43630784 #>>43630796 #>>43630948 #>>43630984 #

pama ◴[09 Apr 25 10:59 UTC] No.43630796[source]▶

>>43630753 #

Wouldn’t fixing this bug reduce security?

replies(2): >>43630891 #>>43631166 #

1. davidmurdoch ◴[09 Apr 25 12:04 UTC] No.43631166[source]▶

>>43630796 #

No, it's explained more in the issue. An extension is a part of the "User Agent". The CSP header in FF is almost seemingly arbitrarily applied to extensions.

replies(1): >>43633794 #

2. pama ◴[09 Apr 25 16:17 UTC] No.43633794[source]▶

>>43631166 (TP) #

Thanks!

↑

Hardening the Firefox Front End with Content Security Policies