HackerTrans
TopNewTrendsCommentsPastAskShowJobs

evilpie

no profile record

Submissions

Firefox Security and Privacy newsletter 2025 Q2

attackanddefense.dev
3 points·by evilpie·12 mesi fa·0 comments

Hardening the Firefox Front End with Content Security Policies

attackanddefense.dev
185 points·by evilpie·anno scorso·68 comments

comments

evilpie
·3 mesi fa·discuss
The HTML Sanitizer API has a subset of SVG that is allowed by the default configuration. It won't help you with sanitizing CSS at all however, style is simply not allowed by default.

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...
evilpie
·3 mesi fa·discuss
> The Firefox team is experimenting with ways to improve the built-in Enhanced Tracking Protection feature in Firefox. This is one of the libraries we're going to experiment with.

> - We are not, and have no plans to abandon MV2 extensions. This will ensure certain types of add-ons, like ad-blockers, continue to work best in Firefox.

> - Firefox supports several ad-blockers as add-ons on Desktop and Android, including uBlock Origin.

> - We are not bundling Brave's ad-blocking system, we're testing one of their open source Rust components to improve how Firefox processes tracker lists.

https://www.reddit.com/r/firefox/comments/1sttf82/firefox_wi...

This is what the official Firefox account had to say when this came up on reddit.
evilpie
·4 mesi fa·discuss
Yes. It's in about:keyboard.
evilpie
·5 mesi fa·discuss
You aren't reading it right.

  new Sanitizer({})
This Sanitizer will allow everything by default, but setHTML will still block elements/attributes that can lead to XSS.

You might want something like:

  new Sanitizer({ replaceWithChildrenElements: ["h1"], elements: [], attributes: [] })
This will replace <h1> elements with their children (i.e. text in this case), but disallow all other elements and attributes.
evilpie
·5 mesi fa·discuss
Using an allowlist based Sanitizer you are definitely less likely to shoot yourself in the foot, but as long as you use setHTML you can't introduce XSS at least.
evilpie
·5 mesi fa·discuss
We made sure to exclude WebExtensions code from web pages's Trusted Types restrictions enforcement. (Bugs can happen of course)
evilpie
·9 mesi fa·discuss
If you want to use an XSS-unsafe Sanitizer you have to use setHTMLUnsafe.
evilpie
·9 mesi fa·discuss
We enabled this by default in Firefox Nightly (only) this week.
evilpie
·anno scorso·discuss
Make sure you have Firefox 138! From the release notes: > You can also now reposition a tab group on the tab bar by dragging it.
evilpie
·anno scorso·discuss
Removing security headers like Content-Security-Policy is forbidden by the addons.mozilla.org policy.

https://extensionworkshop.com/documentation/publish/add-on-p...
evilpie
·anno scorso·discuss
While this is definitely annoying, most of the time this can be worked around by the extension without workarounds that themself weaken security.

For example I helped uBlock Origin out in 2022 when they ran into this: https://github.com/uBlockOrigin/uBlock-issues/issues/235#iss...
evilpie
·2 anni fa·discuss
If it's disabled (greyed-out), then you already have telemetry disabled.
evilpie
·2 anni fa·discuss
Firefox also has the about:config preference permissions.default.image: 2, which will block most images.