(attackanddefense.dev)

182 points evilpie | 1 comments | 09 Apr 25 09:34 UTC | HN request time: 0s | source

Show context

davidmurdoch ◴[09 Apr 25 10:51 UTC] No.43630753[source]▶

>>43630388 (OP) #

Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9 year old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

replies(4): >>43630784 #>>43630796 #>>43630948 #>>43630984 #

Semaphor ◴[09 Apr 25 10:58 UTC] No.43630784[source]▶

>>43630753 #

Having fewer permissions for extensions than one might want seems fairly less important to making the browser more secure…

replies(2): >>43631143 #>>43641315 #

joshuaissac ◴[09 Apr 25 12:00 UTC] No.43631143[source]▶

>>43630784 #

Arguably, it can make it less secure by reducing the user's control over what content the browser loads or what scripts it executes. For example, users may be using extensions to selectively replace harmful content (like intrusive JavaScript, tracking) with benign content. It is a balance between security for the user and security for the website owner.

replies(2): >>43631244 #>>43633386 #

1. pessimizer ◴[09 Apr 25 15:42 UTC] No.43633386{3}[source]▶

>>43631143 #

> It is a balance between security for the user and security for the website owner.

Which in the case of browsers should always be decided for the user, rather than balanced. The browser is a user agent. It is running on the user's hardware.

↑

Hardening the Firefox Front End with Content Security Policies