HackerTrans
TopNewTrendsCommentsPastAskShowJobs

evilpie

no profile record

Submissions

Firefox Security and Privacy newsletter 2025 Q2

attackanddefense.dev
3 points·by evilpie·hace 12 meses·0 comments

Hardening the Firefox Front End with Content Security Policies

attackanddefense.dev
185 points·by evilpie·el año pasado·68 comments

comments

evilpie
·hace 3 meses·discuss
The HTML Sanitizer API has a subset of SVG that is allowed by the default configuration. It won't help you with sanitizing CSS at all however, style is simply not allowed by default.

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...
evilpie
·hace 3 meses·discuss
> The Firefox team is experimenting with ways to improve the built-in Enhanced Tracking Protection feature in Firefox. This is one of the libraries we're going to experiment with.

> - We are not, and have no plans to abandon MV2 extensions. This will ensure certain types of add-ons, like ad-blockers, continue to work best in Firefox.

> - Firefox supports several ad-blockers as add-ons on Desktop and Android, including uBlock Origin.

> - We are not bundling Brave's ad-blocking system, we're testing one of their open source Rust components to improve how Firefox processes tracker lists.

https://www.reddit.com/r/firefox/comments/1sttf82/firefox_wi...

This is what the official Firefox account had to say when this came up on reddit.
evilpie
·hace 4 meses·discuss
Yes. It's in about:keyboard.
evilpie
·hace 5 meses·discuss
You aren't reading it right.

  new Sanitizer({})
This Sanitizer will allow everything by default, but setHTML will still block elements/attributes that can lead to XSS.

You might want something like:

  new Sanitizer({ replaceWithChildrenElements: ["h1"], elements: [], attributes: [] })
This will replace <h1> elements with their children (i.e. text in this case), but disallow all other elements and attributes.
evilpie
·hace 5 meses·discuss
Using an allowlist based Sanitizer you are definitely less likely to shoot yourself in the foot, but as long as you use setHTML you can't introduce XSS at least.
evilpie
·hace 5 meses·discuss
We made sure to exclude WebExtensions code from web pages's Trusted Types restrictions enforcement. (Bugs can happen of course)
evilpie
·hace 9 meses·discuss
If you want to use an XSS-unsafe Sanitizer you have to use setHTMLUnsafe.
evilpie
·hace 9 meses·discuss
We enabled this by default in Firefox Nightly (only) this week.
evilpie
·el año pasado·discuss
Make sure you have Firefox 138! From the release notes: > You can also now reposition a tab group on the tab bar by dragging it.
evilpie
·el año pasado·discuss
Removing security headers like Content-Security-Policy is forbidden by the addons.mozilla.org policy.

https://extensionworkshop.com/documentation/publish/add-on-p...
evilpie
·el año pasado·discuss
While this is definitely annoying, most of the time this can be worked around by the extension without workarounds that themself weaken security.

For example I helped uBlock Origin out in 2022 when they ran into this: https://github.com/uBlockOrigin/uBlock-issues/issues/235#iss...
evilpie
·hace 2 años·discuss
If it's disabled (greyed-out), then you already have telemetry disabled.
evilpie
·hace 2 años·discuss
Firefox also has the about:config preference permissions.default.image: 2, which will block most images.