HackerTrans
TopNewTrendsCommentsPastAskShowJobs

evilpie

no profile record

Submissions

Firefox Security and Privacy newsletter 2025 Q2

attackanddefense.dev
3 points·by evilpie·12 bulan yang lalu·0 comments

Hardening the Firefox Front End with Content Security Policies

attackanddefense.dev
185 points·by evilpie·tahun lalu·68 comments

comments

evilpie
·3 bulan yang lalu·discuss
The HTML Sanitizer API has a subset of SVG that is allowed by the default configuration. It won't help you with sanitizing CSS at all however, style is simply not allowed by default.

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...
evilpie
·3 bulan yang lalu·discuss
> The Firefox team is experimenting with ways to improve the built-in Enhanced Tracking Protection feature in Firefox. This is one of the libraries we're going to experiment with.

> - We are not, and have no plans to abandon MV2 extensions. This will ensure certain types of add-ons, like ad-blockers, continue to work best in Firefox.

> - Firefox supports several ad-blockers as add-ons on Desktop and Android, including uBlock Origin.

> - We are not bundling Brave's ad-blocking system, we're testing one of their open source Rust components to improve how Firefox processes tracker lists.

https://www.reddit.com/r/firefox/comments/1sttf82/firefox_wi...

This is what the official Firefox account had to say when this came up on reddit.
evilpie
·4 bulan yang lalu·discuss
Yes. It's in about:keyboard.
evilpie
·5 bulan yang lalu·discuss
You aren't reading it right.

  new Sanitizer({})
This Sanitizer will allow everything by default, but setHTML will still block elements/attributes that can lead to XSS.

You might want something like:

  new Sanitizer({ replaceWithChildrenElements: ["h1"], elements: [], attributes: [] })
This will replace <h1> elements with their children (i.e. text in this case), but disallow all other elements and attributes.
evilpie
·5 bulan yang lalu·discuss
Using an allowlist based Sanitizer you are definitely less likely to shoot yourself in the foot, but as long as you use setHTML you can't introduce XSS at least.
evilpie
·5 bulan yang lalu·discuss
We made sure to exclude WebExtensions code from web pages's Trusted Types restrictions enforcement. (Bugs can happen of course)
evilpie
·9 bulan yang lalu·discuss
If you want to use an XSS-unsafe Sanitizer you have to use setHTMLUnsafe.
evilpie
·9 bulan yang lalu·discuss
We enabled this by default in Firefox Nightly (only) this week.
evilpie
·tahun lalu·discuss
Make sure you have Firefox 138! From the release notes: > You can also now reposition a tab group on the tab bar by dragging it.
evilpie
·tahun lalu·discuss
Removing security headers like Content-Security-Policy is forbidden by the addons.mozilla.org policy.

https://extensionworkshop.com/documentation/publish/add-on-p...
evilpie
·tahun lalu·discuss
While this is definitely annoying, most of the time this can be worked around by the extension without workarounds that themself weaken security.

For example I helped uBlock Origin out in 2022 when they ran into this: https://github.com/uBlockOrigin/uBlock-issues/issues/235#iss...
evilpie
·2 tahun yang lalu·discuss
If it's disabled (greyed-out), then you already have telemetry disabled.
evilpie
·2 tahun yang lalu·discuss
Firefox also has the about:config preference permissions.default.image: 2, which will block most images.
evilpie
·2 tahun yang lalu·discuss
The profile actually shows the freeze is not caused by normal JS garbage collection, but by cycle collection. So probably something related to DOM nodes.
evilpie
·3 tahun yang lalu·discuss
See also https://ooooooooo.ooo/. "9o3o is an official (but experimental) online version of the Flashpoint Archive."
evilpie
·3 tahun yang lalu·discuss
https://www.pcgameshardware.de/Internet-Thema-34041/News/AVM...

Also one of the headings was mistranslated horribly.

In linked the article: "AVM threatens to ban the sale of Fritzbox routers". The original in German: "AVM droht Verkaufsverbot für Fritzbox-Router". Right translation is roughly: "AVM is threatened with a ban on the sale of Fritzbox routers".
evilpie
·3 tahun yang lalu·discuss
See also Dario Casali's Half Life 25yr anniversary playthrough: https://www.youtube.com/playlist?list=PLk5gaNp4x_AVIJviyHueH...
evilpie
·3 tahun yang lalu·discuss
Igalia is regularly contracted to work on new Firefox features, so this is already happening.
evilpie
·3 tahun yang lalu·discuss
[deleted because I don't to be accused for ragebaiting]
evilpie
·3 tahun yang lalu·discuss
As far as I can tell from my own recommended extensions is that every update needs to be approved/reviewed before it's made generally available.