←back to thread

Hardening the Firefox Front End with Content Security Policies

(attackanddefense.dev)
182 points evilpie | 1 comments | 09 Apr 25 09:34 UTC | HN request time: 0.292s | source
Show context
davidmurdoch ◴[09 Apr 25 10:51 UTC] No.43630753[source]
Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9 year old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

replies(4): >>43630784 #>>43630796 #>>43630948 #>>43630984 #
evilpie ◴[09 Apr 25 11:30 UTC] No.43630984[source]
While this is definitely annoying, most of the time this can be worked around by the extension without workarounds that themself weaken security.

For example I helped uBlock Origin out in 2022 when they ran into this: https://github.com/uBlockOrigin/uBlock-issues/issues/235#iss...

replies(2): >>43631179 #>>43631287 #
1. KwanEsq ◴[09 Apr 25 12:06 UTC] No.43631179[source]
And it's worth noting that since your comment later in that thread about sandbox being an issue, that's been fixed too as of Firefox 128: https://bugzilla.mozilla.org/show_bug.cgi?id=1411641