HackerTrans
TopNewTrendsCommentsPastAskShowJobs

evilpie

no profile record

Submissions

Firefox Security and Privacy newsletter 2025 Q2

attackanddefense.dev
3 points·by evilpie·12 месяцев назад·0 comments

Hardening the Firefox Front End with Content Security Policies

attackanddefense.dev
185 points·by evilpie·в прошлом году·68 comments

comments

evilpie
·3 месяца назад·discuss
The HTML Sanitizer API has a subset of SVG that is allowed by the default configuration. It won't help you with sanitizing CSS at all however, style is simply not allowed by default.

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...

https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...
evilpie
·3 месяца назад·discuss
> The Firefox team is experimenting with ways to improve the built-in Enhanced Tracking Protection feature in Firefox. This is one of the libraries we're going to experiment with.

> - We are not, and have no plans to abandon MV2 extensions. This will ensure certain types of add-ons, like ad-blockers, continue to work best in Firefox.

> - Firefox supports several ad-blockers as add-ons on Desktop and Android, including uBlock Origin.

> - We are not bundling Brave's ad-blocking system, we're testing one of their open source Rust components to improve how Firefox processes tracker lists.

https://www.reddit.com/r/firefox/comments/1sttf82/firefox_wi...

This is what the official Firefox account had to say when this came up on reddit.
evilpie
·4 месяца назад·discuss
Yes. It's in about:keyboard.
evilpie
·5 месяцев назад·discuss
You aren't reading it right.

  new Sanitizer({})
This Sanitizer will allow everything by default, but setHTML will still block elements/attributes that can lead to XSS.

You might want something like:

  new Sanitizer({ replaceWithChildrenElements: ["h1"], elements: [], attributes: [] })
This will replace <h1> elements with their children (i.e. text in this case), but disallow all other elements and attributes.
evilpie
·5 месяцев назад·discuss
Using an allowlist based Sanitizer you are definitely less likely to shoot yourself in the foot, but as long as you use setHTML you can't introduce XSS at least.
evilpie
·5 месяцев назад·discuss
We made sure to exclude WebExtensions code from web pages's Trusted Types restrictions enforcement. (Bugs can happen of course)
evilpie
·9 месяцев назад·discuss
If you want to use an XSS-unsafe Sanitizer you have to use setHTMLUnsafe.
evilpie
·9 месяцев назад·discuss
We enabled this by default in Firefox Nightly (only) this week.
evilpie
·в прошлом году·discuss
Make sure you have Firefox 138! From the release notes: > You can also now reposition a tab group on the tab bar by dragging it.
evilpie
·в прошлом году·discuss
Removing security headers like Content-Security-Policy is forbidden by the addons.mozilla.org policy.

https://extensionworkshop.com/documentation/publish/add-on-p...
evilpie
·в прошлом году·discuss
While this is definitely annoying, most of the time this can be worked around by the extension without workarounds that themself weaken security.

For example I helped uBlock Origin out in 2022 when they ran into this: https://github.com/uBlockOrigin/uBlock-issues/issues/235#iss...
evilpie
·2 года назад·discuss
If it's disabled (greyed-out), then you already have telemetry disabled.
evilpie
·2 года назад·discuss
Firefox also has the about:config preference permissions.default.image: 2, which will block most images.
evilpie
·2 года назад·discuss
The profile actually shows the freeze is not caused by normal JS garbage collection, but by cycle collection. So probably something related to DOM nodes.
evilpie
·3 года назад·discuss
See also https://ooooooooo.ooo/. "9o3o is an official (but experimental) online version of the Flashpoint Archive."
evilpie
·3 года назад·discuss
https://www.pcgameshardware.de/Internet-Thema-34041/News/AVM...

Also one of the headings was mistranslated horribly.

In linked the article: "AVM threatens to ban the sale of Fritzbox routers". The original in German: "AVM droht Verkaufsverbot für Fritzbox-Router". Right translation is roughly: "AVM is threatened with a ban on the sale of Fritzbox routers".