Firefox CSP Issue may cause extension conflicts - gHacks Tech News

Mozilla Firefox has an issue right now that is causing conflicts if multiple extensions are installed that modify CSP headers on visited sites.

CSP, short for Content Security Policy, is a security mechanism that a site delivers as an HTTP response header (or an equivalent meta tag) to tell the browser which sources a page may load scripts, fonts, frames and other resources from. Sites use it to detect and mitigate certain attack types such as cross-site scripting and data injection.

Browser extensions may use CSP injection, that is, adding a Content-Security-Policy header of their own to a response through the webRequest API, to restrict what a page is allowed to load. The popular content blocker uBlock Origin may use it to block remote fonts from loading on pages visited in the browser, and Canvas Blocker uses it to block data URL pages.

The team behind the Ghacks User JS maintains a list of extensions known to use CSP injection for some functionality. The team did a great job analyzing the issue and collecting all the bits and pieces. You may also want to read through the issue description on GitHub for additional information.

You find popular extensions like uBlock Origin, uMatrix, or HTTPS Everywhere on the list as well as others such as Enterprise Policy Generator, Cookie AutoDelete, or Skip Redirect.

Addendum: only entries on that list that are marked with a red exclamation mark use CSP injection; the other listed extensions were tested and found not to.

The issue

If more than one extension active on a page uses CSP injection, only one of them gets its policy applied. Imagine the following scenario: you have a content blocker and another extension installed that both use CSP injection.

Only one of them will actually be able to inject its policy; the other's is silently dropped. In other words, an extension may not work 100% because of the conflict, and nothing in the browser tells you so.

> When two or more extensions use CSP injection to modify headers on the same page, only one wins. It doesn't matter who: first loaded, first modified - don't care: the fact is only one extension will achieve what it is meant to, the other(s) will fail

Basic example? Content blockers not blocking certain content because another extension got priority.
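How the injection works, and what the conflict does to it, as an added example that is not code from the article, from uBlock Origin or from Firefox. It models the blocking webRequest.onHeadersReceived listener such extensions register (the real registration call is shown in a comment), simulates the two ways several such listeners can be dispatched on one response, and checks a couple of fetches against the resulting policies. The site headers, the two policies (a stand-in for a content blocker's "block remote fonts" option and for a second extension that keeps data: documents out of frames) and the URLs are all constructed for the example and are not taken from any real extension.

```javascript
// Added example (not code from the article, uBlock Origin or Firefox):
// models CSP injection by a WebExtension and the collision between two
// extensions doing it on the same response. The header layout follows the
// webRequest.onHeadersReceived API (details.responseHeaders is an array of
// {name, value} and a blocking listener returns {responseHeaders}); the
// dispatch modes are a simulation, and all policies/headers are constructed.

const CSP = "content-security-policy";

// The listener an extension registers. In a real background script:
//   browser.webRequest.onHeadersReceived.addListener(
//     makeCspInjector("font-src 'self'"),
//     { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
//     ["blocking", "responseHeaders"]);
// It APPENDS a Content-Security-Policy header instead of editing the site's
// own one: a browser enforces every CSP header it receives, so appending can
// only make the effective policy stricter.
function makeCspInjector(policy) {
  return function onHeadersReceived(details) {
    const responseHeaders = details.responseHeaders.map(h => ({ ...h }));
    responseHeaders.push({ name: "Content-Security-Policy", value: policy });
    return { responseHeaders };
  };
}

// Simulated dispatch of several blocking listeners on one response.
//   "one-wins": every listener is handed the ORIGINAL headers and only the
//               last blockingResponse is applied, so all but one injected
//               header vanish (the conflict the article describes).
//   "chain":    each listener is handed the previous listener's output, so
//               every injected header survives (what the extensions expect).
function dispatch(originalHeaders, listeners, mode) {
  let result = originalHeaders;
  for (const listener of listeners) {
    const out = listener({ responseHeaders: mode === "chain" ? result : originalHeaders });
    if (out && out.responseHeaders) result = out.responseHeaders;
  }
  return result;
}

// Tiny CSP evaluator for the source forms used below ('none', 'self',
// scheme: and origin/host). A fetch is allowed only if EVERY policy on the
// response allows it, which is how a browser treats multiple CSP headers.
function cspAllows(headers, directive, url, pageOrigin) {
  const u = new URL(url);
  const policies = headers.filter(h => h.name.toLowerCase() === CSP).map(h => h.value);
  return policies.every(policy => {
    const directives = new Map(policy.split(";").map(d => d.trim()).filter(Boolean)
      .map(d => { const [name, ...sources] = d.split(/\s+/); return [name, sources]; }));
    const sources = directives.get(directive) || directives.get("default-src");
    if (!sources) return true;                            // not restricted by this policy
    return sources.some(src => {
      if (src === "'none'") return false;
      if (src === "'self'") return u.origin === pageOrigin;
      if (src.endsWith(":")) return u.protocol === src;   // scheme source, e.g. https:
      return u.origin === src || u.host === src;          // https://cdn.example or cdn.example
    });
  });
}

// Constructed scenario: a site response, a content blocker that blocks
// remote fonts, and a second extension that keeps data: documents out of
// frames. Neither policy is taken from a real extension.
const siteHeaders = [{ name: "Content-Type", value: "text/html" }];
const blockRemoteFonts = makeCspInjector("font-src 'self'");
const blockDataFrames = makeCspInjector("frame-src https:");

function demo(mode) {
  const headers = dispatch(siteHeaders, [blockDataFrames, blockRemoteFonts], mode);
  const page = "https://example.org";
  return {
    cspHeaders: headers.filter(h => h.name.toLowerCase() === CSP).length,
    remoteFontLoads: cspAllows(headers, "font-src", "https://fonts.example.net/a.woff2", page),
    dataFrameLoads: cspAllows(headers, "frame-src", "data:text/html,<p>hi</p>", page),
  };
}

console.log("one-wins:", demo("one-wins")); // only the font policy survives; the data: frame still loads
console.log("chain:   ", demo("chain"));    // both policies are enforced
```

Running it with node prints both outcomes. Two things to take from it: an extension that injects a policy should append a second Content-Security-Policy header rather than overwrite the site's, because the browser enforces every policy it receives and the combined result is always at least as strict as each one; and the conflict is silent by nature, since a missing injected header produces no error, the page simply gets to load what the losing extension meant to block.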

The issue appears to be Firefox specific at the time of writing. The bug was reported to Mozilla more than a year ago, and Mozilla assigned it priority P2. P2 issues are not placed high in the development queue, and it is unclear if or when the issue will be resolved.

Firefox does not reveal the conflict to the user of the browser, and it is not trivial to find out whether an extension does CSP injection. The manual way: extract the extension's XPI file (a ZIP archive) to the local system, or open it with the Extension Source Viewer add-on, then search all of its files for content-security-policy. Notepad++ can search for text across all files in a folder, as can the excellent search tool Everything or the command line tool findstr. A hit in the manifest's own content_security_policy key is not injection: that key only restricts the extension's own pages.

You may be able to work around the issue by either a) disabling the CSP-based functionality in all but one of the affected extensions, if they offer that option, or b) uninstalling the add-ons that conflict.

Now You: What is your take on the issue? Too small to fix? Urgent fix necessary?


Comments

  1. Sören Hentzschel said on May 23, 2019 at 9:08 pm

    > The team behind the Ghacks User JS maintains a list of extensions known to use CSP injection for some functionality. The team did a great job analyzing the issue and collecting all the bits and pieces. You may also want to read through the issue description on GitHub for additional information.
    >
    > You find popular extensions like uBlock Origin, uMatrix, or HTTPS Everywhere on the list as well as others such as Enterprise Policy Generator, Cookie AutoDelete, or Skip Redirect.

    Enterprise Policy Generator is not using CSP injection so I don’t know why it was mentioned.

    1. Pants said on May 24, 2019 at 3:12 am

      Just to be clear, the wiki page also doesn’t say that. It marks those that do use CSP injection with a red exclamation etc. I think Martin was referring to the entire list – could definitely be worded a bit more clearly.

      1. Martin Brinkmann said on May 24, 2019 at 5:49 am

        Right, made this clearer.

      2. Sören Hentzschel said on May 24, 2019 at 11:17 am

        well, Enterprise Policy Generator has nothing to do with CSP / the article at all so it’s still unclear why it’s mentioned in a “Firefox CSP Issue may cause extension conflicts” context. ;-)

      3. Martin Brinkmann said on May 24, 2019 at 12:50 pm

        The list includes extensions that were tested for CSP injection. Yours is clean, and the inclusion helps users who may wonder whether it is.

  2. Yuliya said on May 23, 2019 at 9:45 pm

    Top quality browser, right there :^) lmao
    Now this explains why I see people complaining about their adblocker not working. And they happen to be using this particular Chromium alternative. The sad part is that they blame uB0 instead of criticising mozilla’s slapdash programming.

    1. Benjamin said on May 24, 2019 at 3:56 pm

      that is perhaps the intention… since in certain ways uBO wipes out the other ones business model…

  3. Hy said on May 23, 2019 at 11:09 pm

    Martin asked: “What is your take on the issue? Too small to fix? Urgent fix necessary?”

    Wow! Thanks a lot for this. I had no idea. gHacks always provides essential reading for users of FF and other software.

    Gee, do I want ads and trackers when I think I’m blocking them? :) Or do I want to be canvas-fingerprinted when I think I’m blocking it? Or do I want cookies piling up when I think they’re being deleted? :)

    What’s my take? Urgent fix necessary, no doubt!

    It’s outrageous that Mozilla has let this go on for over one year! And assigning it level two priority shows how much they really care about users’ privacy. But the worst and most inexcusable thing is that Mozilla never fixed it, and never told users! Unbelievable. So Mozilla keeps promoting, and users keep blithely installing, add-ons that may or may not work 100%. And there’s no way for users to ever notice that the add-ons aren’t working. Letting people think they are protected when they’re not is inexcusable. Shame on Mozilla!

    A fuller list of add-ons which are known to be or which may be affected would be great to have.

  4. uBlock-user said on May 23, 2019 at 11:12 pm

    I filed it back on May 20th 2018 when I discovered it first and reported in the team discussions with uBO team, back then I hoped it won’t take months and now a year, but Firefox devs don’t consider this worthy of P1 priority so it’s lost in the graveyard of bugs somewhere on the bugzilla.

    1. Pants said on May 24, 2019 at 7:42 am

      Thanks uBlock-user .. keep plugging away … it’s ONLY been OVER 18+ months since they knew about it (https://bugzilla.mozilla.org/show_bug.cgi?id=1377689#c26) and decided not to address it and 18 months since Nov 2017 since earthlng reported it ( https://bugzilla.mozilla.org/show_bug.cgi?id=1417249 ) and we all knew about it.

      Your bug is the one that at least has a dialog going … https://bugzilla.mozilla.org/show_bug.cgi?id=1462989 .. here’s hoping enough people with a voice get heard on this, since now Martin has done an article – maybe the backlash will spur something

      PS: I hate that this has happened, and please note that I’m not fully informed. I do not know what it entails or how complex it is to achieve, or how much performance cost there might be. But I am glad that after 18 months, maybe something will be done

      1. uBlock-user said on May 24, 2019 at 8:37 pm
  5. JW said on May 23, 2019 at 11:20 pm

    Wow, thank you!

    1. JW said on May 24, 2019 at 5:36 pm

      By the way, typo here:

      If there is more than one extension active on a page that uses CPS[sic] injection, only one is used. Imagine the following scenario: you have a content blocker and another extension installed that both use CSP injection.

      Small, but thought I’d let you know. Still, thank you for writing this.

  6. Pants said on May 24, 2019 at 12:43 am

    > Mozilla Firefox has an issue right now … The bug was reported to Mozilla some time ago (more than a year ago)

    It’s been a **known** issue since Nov 2017: The problem is a result of limitations in the new WebExt APIs, so it became more apparent when FF57 landed (and legacy extensions were disabled).

    – 1417249 – https://bugzilla.mozilla.org/show_bug.cgi?id=1417249 – got closed down as duplicate of a later bug (1477696), filed by earthlng
    – 1421725 – https://bugzilla.mozilla.org/show_bug.cgi?id=1421725 – lodged when 58 was stable, gathering dust
    – 1462989 – https://bugzilla.mozilla.org/show_bug.cgi?id=1462989 – lodged by uBlock-user and seems to be the one with the most momentum
    – 1477696 – https://bugzilla.mozilla.org/show_bug.cgi?id=1477696 – ^^ the later bug with tumbleweeds and crickets

    > The team behind the Ghacks User JS maintains a list of extensions known to use CSP injection

    Only maintaining the issue for extensions we recommend. Don’t care about other extensions. For example, NoScript uses a listener on a loop to inject its CSP when required, and basically wins out over all others. But we don’t recommend NS.

  7. Pants said on May 24, 2019 at 12:46 am

    > What is your take on the issue? Too small to fix? Urgent fix necessary?

    I like your dry German humor, inciting the readers like that: “too small to fix” … more like should have been addressed 18 months ago, P1

  8. Sunny said on May 24, 2019 at 1:53 am

    Typo error: The ‘hen’ in ‘hen two or more extensions use CSP injection’ should be ‘When’.

  9. 12bytes.org said on May 24, 2019 at 3:21 am

    glad to see more attention being brought to this issue – it is absolutely important that it gets fixed and the fact that Moz has dragged its feet on this is absurd

    please vote for this bug…
    https://bugzilla.mozilla.org/show_bug.cgi?id=1421725

  10. Settingschanger said on May 24, 2019 at 4:41 am

    This has nothing to do with the article itself. I would like to steer some attention to the change in “Firefox Settings” almost every time there is an update. Today (I am on Mac) FF changed my settings without asking again. It was in Preferences – Browsing – recommend features as you browse. Before that I had “Snippets” checked without my input. Wondering what else they change without telling you. Shitty browser, but still the best Shit I can find for my browsing.

  11. Anonymous said on May 24, 2019 at 5:09 am

    As always Firefox want to copy Chrome but doing it half assedly.

    “The same thing happens in Chromium, at least, if they still follow their documented behavior. If multiple extensions modify the same header, there is a conflict, and no matter how we try to resolve that conflict, it will upset someone. Chrome’s documented behavior is “If more than one extension attempts to modify the request, the most recently installed extension wins and all others are ignored” though its actual behavior may differ.”

    “AFAIK, the headers are merged to avoid this issue happening there. uBO inserts a CSP in Chromium the same way it does in Firefox, but yet headers are merged in Chromium and not in Firefox, this is why I call it a bug as the merging of headers is something I expected on the contrary.”

    “So was breakage of extensions also expected ? Because this only happens in Firefox and not in Chromium and why was this considered expected in the first place if ultimately it breaks extensions ?”

    “It’s not a bug. It works as documented and expected. Changing the expected behavior in cases like this is an enhancement.”

    Yes, “enhancement” lol

  12. Anonymous said on May 24, 2019 at 2:29 pm

    Minor performance improvements used as an excuse to sacrifice privacy and extension capabilities, especially adblockers. Sneakily betraying users expectations that their extensions are protecting them. This is the current Mozilla philosophy.

  13. a-user said on May 24, 2019 at 3:29 pm

    I don’t get it.
    What do I need now? In uBlock Origin I block CSP reports, block remote fonts and I use uMatrix

  14. killmefast said on May 28, 2019 at 7:37 am

    Here’s who’s to blame for all the assassin changes mozilla makes https://www.mozilla.org/en-US/about/leadership/ in firefox.

    Not trying to get too political but a high level of estrogen in a corporate structure will falter and eventually crumble.

    1. Anonymous said on May 28, 2019 at 3:54 pm

      Mozilla being anti-user has nothing to do with hiring women, disabled black muslim mexican transsexuals, or anything else frowned upon by more conservative people like you. Not trying to get too political but those have exactly the same potential as anyone else in being corrupt assholes once in a position of corporate power. It’s more about where they get money from.

  15. Arwin said on June 1, 2019 at 11:18 am

    Comments on the bugzilla ticket (1462989) have been closed for “advocacy chatter”, the moderation is really disappointing.
