←back to thread

Hardening the Firefox Front End with Content Security Policies

(attackanddefense.dev)
182 points evilpie | 1 comments | 09 Apr 25 09:34 UTC | HN request time: 0s | source
Show context
davidmurdoch ◴[09 Apr 25 10:51 UTC] No.43630753[source]
Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9 year old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

replies(4): >>43630784 #>>43630796 #>>43630948 #>>43630984 #
pama ◴[09 Apr 25 10:59 UTC] No.43630796[source]
Wouldn’t fixing this bug reduce security?
replies(2): >>43630891 #>>43631166 #
shakna ◴[09 Apr 25 11:14 UTC] No.43630891[source]
If you are using filter scripts, to block specific domains or script payloads, that extension can't load on a properly secured CSP page. And that page may be using CSP to protect throwing up ads... Or malware.
replies(1): >>43633800 #
1. pama ◴[09 Apr 25 16:18 UTC] No.43633800{3}[source]
Thanks.