←back to thread

Hardening the Firefox Front End with Content Security Policies

(attackanddefense.dev)
182 points evilpie | 1 comments | 09 Apr 25 09:34 UTC | HN request time: 0.21s | source
Show context
davidmurdoch ◴[09 Apr 25 10:51 UTC] No.43630753[source]
Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9 year old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

replies(4): >>43630784 #>>43630796 #>>43630948 #>>43630984 #
evilpie ◴[09 Apr 25 11:30 UTC] No.43630984[source]
While this is definitely annoying, most of the time this can be worked around by the extension without workarounds that themself weaken security.

For example I helped uBlock Origin out in 2022 when they ran into this: https://github.com/uBlockOrigin/uBlock-issues/issues/235#iss...

replies(2): >>43631179 #>>43631287 #
1. davidmurdoch ◴[09 Apr 25 12:25 UTC] No.43631287[source]
Thanks for this! I'll look into implementing it soon.