←back to thread

Hardening the Firefox Front End with Content Security Policies

(attackanddefense.dev)
182 points evilpie | 1 comments | 09 Apr 25 09:34 UTC | HN request time: 0s | source
Show context
davidmurdoch ◴[09 Apr 25 10:51 UTC] No.43630753[source]
Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9 year old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

replies(4): >>43630784 #>>43630796 #>>43630948 #>>43630984 #
Semaphor ◴[09 Apr 25 10:58 UTC] No.43630784[source]
Having fewer permissions for extensions than one might want seems fairly less important to making the browser more secure…
replies(2): >>43631143 #>>43641315 #
joshuaissac ◴[09 Apr 25 12:00 UTC] No.43631143[source]
Arguably, it can make it less secure by reducing the user's control over what content the browser loads or what scripts it executes. For example, users may be using extensions to selectively replace harmful content (like intrusive JavaScript, tracking) with benign content. It is a balance between security for the user and security for the website owner.
replies(2): >>43631244 #>>43633386 #
1. gear54rus ◴[09 Apr 25 12:19 UTC] No.43631244{3}[source]
Exactly. It's been clearly established that web extensions' code is more priveleged than a page code, as it should be. The amount of people going 'muh sesoority' in this thread is baffling.