
182 points evilpie | 1 comments
davidmurdoch No.43630753
Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9-year-old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

gear54rus No.43630948
One of the possible workarounds would be to just remove the damn header before it causes any further inconvenience. I think they do allow `webRequest` API usage in the store, don't they?
1. davidmurdoch No.43631303
We modified the CSP to inject a per-user generated nonce that exempts its script from the policy.

They said this was not allowed and removed it from the extension store.