Readit News logoReadit News
evilpie commented on Making Firefox's right-click not suck with about:config   joshua.hu/firefox-making-... · Posted by u/mmsc
tdeck · 11 days ago
Is there a way to disable Ctrl+Shift+C yet? That's my only longstanding complaint in Firefox.
evilpie · 11 days ago
Yes. It's in about:keyboard.
evilpie commented on Goodbye InnerHTML, Hello SetHTML: Stronger XSS Protection in Firefox 148   hacks.mozilla.org/2026/02... · Posted by u/todsacerdoti
jerf · 20 days ago
If I'm reading this right,

    .setHTML("<h1>Hello</h1>", new Sanitizer({}))
will strip all elements out. That's not too difficult.

Plus this is defense-in-depth. Backends will still need to sanitize usernames on some standard anyhow (there's not a lot of systems out there that should take arbitrary Unicode input as usernames), and backends SHOULD (in the RFC sense [1]) still HTML-escape anything they output that they don't want to be raw HTML.

[1]: https://www.rfc-editor.org/rfc/rfc2119

evilpie · 20 days ago
You aren't reading it right.

  new Sanitizer({})
This Sanitizer will allow everything by default, but setHTML will still block elements/attributes that can lead to XSS.

You might want something like:

  new Sanitizer({ replaceWithChildrenElements: ["h1"], elements: [], attributes: [] })
This will replace <h1> elements with their children (i.e. text in this case), but disallow all other elements and attributes.

evilpie commented on Goodbye InnerHTML, Hello SetHTML: Stronger XSS Protection in Firefox 148   hacks.mozilla.org/2026/02... · Posted by u/todsacerdoti
cogman10 · 20 days ago
Seems like this has a bunch of footguns. Particularly if you interact with the Sanitizer api, and particularly if you use the "remove" sanitizer api.

Don't get me wrong, better than nothing, but also really really consider just using "setText" instead and never allow the user to add any sort of HTML too the document.

evilpie · 20 days ago
Using an allowlist based Sanitizer you are definitely less likely to shoot yourself in the foot, but as long as you use setHTML you can't introduce XSS at least.
evilpie commented on Firefox 148 Launches with AI Kill Switch Feature and More Enhancements   serverhost.com/blog/firef... · Posted by u/shaunpud
TeMPOraL · 20 days ago
Question is, can you sidestep or disable them in user scripts or in developer tools, without disabling CSP entirely or doing something even more invasive (and generally precluding use of that browser instance for browsing)?
evilpie · 20 days ago
We made sure to exclude WebExtensions code from web pages's Trusted Types restrictions enforcement. (Bugs can happen of course)
evilpie commented on Element: setHTML() method   developer.mozilla.org/en-... · Posted by u/todsacerdoti
ishouldbework · 5 months ago
> It then removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer configuration.

Emphasis mine. I do not understand this design choice. If I explicitly allow `script` tag, why should it be stripped?

If the method was called setXSSSafeSubsetOfHTML sure I guess, but feels weird for setHTML to have impossible-to-override filter.

evilpie · 5 months ago
If you want to use an XSS-unsafe Sanitizer you have to use setHTMLUnsafe.
evilpie commented on Element: setHTML() method   developer.mozilla.org/en-... · Posted by u/todsacerdoti
evilpie · 5 months ago
We enabled this by default in Firefox Nightly (only) this week.
Posted by u/evilpie 8 months ago
Firefox Security and Privacy newsletter 2025 Q2attackanddefense.dev/2025...
evilpie commented on Firefox tab groups are here   blog.mozilla.org/en/firef... · Posted by u/TangerineDream
johnnyanmac · a year ago
odd. There's one nitpick I have where you can't move a tab group (you gotta move other tabs around it), but it otherwise is everything I wanted. It even "just works" with no issue alongside tab containers, letting you mix in groups from different containers into one group.
evilpie · a year ago
Make sure you have Firefox 138! From the release notes: > You can also now reposition a tab group on the tab bar by dragging it.
evilpie commented on Hardening the Firefox Front End with Content Security Policies   attackanddefense.dev/2025... · Posted by u/evilpie
gear54rus · a year ago
One of the possible workarounds would be to just remove the damn header before it causes any further inconvenience. I think they do allow `webRequest` API usage in the store, don't they?
evilpie · a year ago
Removing security headers like Content-Security-Policy is forbidden by the addons.mozilla.org policy.

https://extensionworkshop.com/documentation/publish/add-on-p...

evilpie commented on Hardening the Firefox Front End with Content Security Policies   attackanddefense.dev/2025... · Posted by u/evilpie
davidmurdoch · a year ago
Firefox really needs to fix their CSP for extensions before this kind of thing.

Here is the 9 year old bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

And their extension store does not permit workarounds, even though they themselves have confirmed it's a bug.

evilpie · a year ago
While this is definitely annoying, most of the time this can be worked around by the extension without workarounds that themself weaken security.

For example I helped uBlock Origin out in 2022 when they ran into this: https://github.com/uBlockOrigin/uBlock-issues/issues/235#iss...

e

u/evilpie

KarmaCake day1890January 16, 2011
About
Mozilla Software Engineer.

https://hachyderm.io/@evilpie

View Original