Firefox CSP Issue may cause extension conflicts - harlan4096 - 27 May 19
Quote:
Mozilla Firefox has an issue right now that is causing conflicts if multiple extensions are installed that modify CSP headers on visited sites.
CSP, which stands for Content Security Policy, is a security addition that sites may use to detect and mitigate certain attack types such as Cross Site Scripting or data injections.
Browser extensions may use CSP injection to modify headers. The popular content blocker uBlock Origin may use it to block remote fonts from loading on pages visited in the browser, and Canvas Blocker uses it to block data URL pages.
The team behind the Ghacks User JS maintains a list of extensions known to use CSP injection for some functionality. The team did a great job analyzing the issue and collecting all the bits and pieces. You may also want to read through the issue description on GitHub for additional information.
You find popular extensions like uBlock Origin, uMatrix, or HTTPS Everywhere on the list as well as others such as Enterprise Policy Generator, Cookie AutoDelete, or Skip Redirect.
Addendum: only entries with a red exclamation mark use CSP injection.
The issue
If there is more than one extension active on a page that uses CSP injection, only one is used. Imagine the following scenario: you have a content blocker and another extension installed that both use CSP injection.
Only one of those will actually be able to do that, the other won't. In other words, it can happen that some extensions won't work 100% because of the conflict.
Quote: when two or more extensions use CSP injection to modify headers on the same page, only one wins. It doesn't matter who: first loaded, first modified - don't care: the fact is only one extension will achieve what it is meant to, the other(s) will fail
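The conflict described in the quoted article, as an added example that is not part of the original post and is not Firefox or extension source code: a small JavaScript model in which two hypothetical extensions each append a CSP header, plus a check that reports whose policy is missing from the final header set. The extension names, policy strings and sample headers are constructed assumptions.

```javascript
// Constructed model of the conflict; not Firefox or extension source code.
const CSP = "content-security-policy";

// A hypothetical extension: receives the site's response headers and returns
// its own modified copy with one extra CSP header appended.
const makeExtension = (name, policy) => ({
  name,
  policy,
  onHeaders: (headers) => [...headers, { name: CSP, value: policy }],
});

// Constructed sample policies (assumed values, chosen for illustration).
const extensions = [
  makeExtension("font-blocker", "font-src 'none'"),
  makeExtension("frame-restrictor", "frame-src 'self'"),
];

// Constructed sample response from a site that sends its own CSP.
const siteHeaders = [
  { name: "content-type", value: "text/html" },
  { name: CSP, value: "default-src https:" },
];

// Behaviour described in the article: every extension hands back a header
// set, but only one of those sets is applied. `winner` selects which one.
function onlyOneWins(headers, exts, winner) {
  return exts[winner].onHeaders(headers);
}

// Conflict-free alternative: chain the handlers so each one sees the
// previous extension's output and all added policies survive.
function chained(headers, exts) {
  return exts.reduce((acc, ext) => ext.onHeaders(acc), headers);
}

// Check: names of extensions whose policy is absent from the final headers.
function lostPolicies(finalHeaders, exts) {
  const applied = new Set(
    finalHeaders.filter((h) => h.name.toLowerCase() === CSP).map((h) => h.value)
  );
  return exts.filter((ext) => !applied.has(ext.policy)).map((ext) => ext.name);
}
```

Whichever extension wins, `lostPolicies` names the other one, which is the silent loss of protection the article warns about.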