Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Firefox CSP Issue may cause extension conflicts

Karlston

By Karlston
in Software News

Recommended Posts

Karlston

Karlston

Posted
Posted

Mozilla Firefox has an issue right now that is causing conflicts if multiple extensions are installed that modify CSP headers on visited sites.

 

CSP, which stands for Content Security Policy, is a security addition that sites may use to detect and mitigate certain attack types such as Cross Site Scripting or data injections.

 

Browser extensions may use CSP injection to modify headers. The popular content blocker uBlock Origin may use it to block remote fonts from loading on pages visited in the browser, and Canvas Blocker uses it to block data URL pages.

 

The team behind the Ghacks User JS maintains a list of extensions known to use CSP injection for some functionality. The team did a great job analyzing the issue and collecting all the bits and pieces. You may also want to read through the issue description on GitHub for additional information.

 

You find popular extensions like uBlock Origin, uMatrix, or HTTPS Everywhere on the list as well as others such as Enterprise Policy Generator, Cookie AutoDelete, or Skip Redirect.

 

Addendum: only entries with a red exclamation mark use CSP injection.

The issue

firefox add-ons csp issue

 

If there is more than one extension active on a page that uses CPS injection, only one is used. Imagine the following scenario: you have a content blocker and another extension installed that both use CSP injection.

 

Only one of those will actually be able to do that, the other won't. In other words, it can happen that some extensions won't work 100% because of the conflict.

when two or more extensions use CSP injection to modify headers on the same page, only one wins. It doesn't matter who: first loaded, first modified - don't care: the fact is only one extension will achieve what it is meant to, the other(s) will fail

Basic example? Content blockers not blocking certain content because another extension got priority.

 

The issue appears to be Firefox specific at the time. The bug was reported to Mozilla some time ago (more than a year ago) and Mozilla assigned it a priority of 2. P2 issues are not exactly high placed in the development queue and it is unclear if or when the issue will be resolved.

 

Firefox does not seem to reveal the conflict to the user of the browser, and it is not trivial to find out if an extension does CSP injections (search for content-security-policy in all files of an extension, but first extract it to the local system or use Extension Source Viewer to view it). You may use Notepad++ to search for text in all files, the excellent search tool Everything, or the command line tool findstr.

 

You may be able to resolve the issue by either a) disabling the functionality in extensions if possible or b) uninstalling add-ons.

 

Source: Firefox CSP Issue may cause extension conflicts (gHacks - Martin Brinkmann)

Link to comment
Share on other sites
  • Views 612
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...