HackerTrans
トップ新着トレンドコメント過去質問紹介求人

evilpie

no profile record

投稿

Firefox Security and Privacy newsletter 2025 Q2

attackanddefense.dev
3 ポイント·投稿者 evilpie·12 か月前·0 コメント

Hardening the Firefox Front End with Content Security Policies

attackanddefense.dev
185 ポイント·投稿者 evilpie·昨年·68 コメント

コメント

evilpie
·3 か月前·議論
The HTML Sanitizer API has a subset of SVG that is allowed by the default configuration. It won't help you with sanitizing CSS at all however, style is simply not allowed by default.

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...
evilpie
·3 か月前·議論
> The Firefox team is experimenting with ways to improve the built-in Enhanced Tracking Protection feature in Firefox. This is one of the libraries we're going to experiment with.

> - We are not, and have no plans to abandon MV2 extensions. This will ensure certain types of add-ons, like ad-blockers, continue to work best in Firefox.

> - Firefox supports several ad-blockers as add-ons on Desktop and Android, including uBlock Origin.

> - We are not bundling Brave's ad-blocking system, we're testing one of their open source Rust components to improve how Firefox processes tracker lists.

https://www.reddit.com/r/firefox/comments/1sttf82/firefox_wi...

This is what the official Firefox account had to say when this came up on reddit.
evilpie
·4 か月前·議論
Yes. It's in about:keyboard.
evilpie
·5 か月前·議論
You aren't reading it right.

  new Sanitizer({})
This Sanitizer will allow everything by default, but setHTML will still block elements/attributes that can lead to XSS.

You might want something like:

  new Sanitizer({ replaceWithChildrenElements: ["h1"], elements: [], attributes: [] })
This will replace <h1> elements with their children (i.e. text in this case), but disallow all other elements and attributes.
evilpie
·5 か月前·議論
Using an allowlist based Sanitizer you are definitely less likely to shoot yourself in the foot, but as long as you use setHTML you can't introduce XSS at least.
evilpie
·5 か月前·議論
We made sure to exclude WebExtensions code from web pages's Trusted Types restrictions enforcement. (Bugs can happen of course)
evilpie
·9 か月前·議論
If you want to use an XSS-unsafe Sanitizer you have to use setHTMLUnsafe.
evilpie
·9 か月前·議論
We enabled this by default in Firefox Nightly (only) this week.
evilpie
·昨年·議論
Make sure you have Firefox 138! From the release notes: > You can also now reposition a tab group on the tab bar by dragging it.
evilpie
·昨年·議論
Removing security headers like Content-Security-Policy is forbidden by the addons.mozilla.org policy.

https://extensionworkshop.com/documentation/publish/add-on-p...
evilpie
·昨年·議論
While this is definitely annoying, most of the time this can be worked around by the extension without workarounds that themself weaken security.

For example I helped uBlock Origin out in 2022 when they ran into this: https://github.com/uBlockOrigin/uBlock-issues/issues/235#iss...
evilpie
·2 年前·議論
If it's disabled (greyed-out), then you already have telemetry disabled.
evilpie
·2 年前·議論
Firefox also has the about:config preference permissions.default.image: 2, which will block most images.
evilpie
·2 年前·議論
The profile actually shows the freeze is not caused by normal JS garbage collection, but by cycle collection. So probably something related to DOM nodes.
evilpie
·3 年前·議論
See also https://ooooooooo.ooo/. "9o3o is an official (but experimental) online version of the Flashpoint Archive."
evilpie
·3 年前·議論
https://www.pcgameshardware.de/Internet-Thema-34041/News/AVM...

Also one of the headings was mistranslated horribly.

In linked the article: "AVM threatens to ban the sale of Fritzbox routers". The original in German: "AVM droht Verkaufsverbot für Fritzbox-Router". Right translation is roughly: "AVM is threatened with a ban on the sale of Fritzbox routers".
evilpie
·3 年前·議論
See also Dario Casali's Half Life 25yr anniversary playthrough: https://www.youtube.com/playlist?list=PLk5gaNp4x_AVIJviyHueH...