Firefox CSP Issue may cause extension conflicts
Mozilla Firefox has an issue right now that is causing conflicts if multiple extensions are installed that modify CSP headers on visited sites.
CSP, which stands for Content Security Policy, is a security addition that sites may use to detect and mitigate certain attack types such as Cross Site Scripting or data injections.
Browser extensions may use CSP injection to modify headers. The popular content blocker uBlock Origin may use it to block remote fonts from loading on pages visited in the browser, and Canvas Blocker uses it to block data URL pages.
The team behind the Ghacks User JS maintains a list of extensions known to use CSP injection for some functionality. The team did a great job analyzing the issue and collecting all the bits and pieces. You may also want to read through the issue description on GitHub for additional information.
You find popular extensions like uBlock Origin, uMatrix, or HTTPS Everywhere on the list as well as others such as Enterprise Policy Generator, Cookie AutoDelete, or Skip Redirect.
Addendum: only entries with a red exclamation mark use CSP injection.
The issue
If there is more than one extension active on a page that uses CSP injection, only one is used. Imagine the following scenario: you have a content blocker and another extension installed that both use CSP injection.
Only one of those will actually be able to do that, the other won't. In other words, it can happen that some extensions won't work 100% because of the conflict.
when two or more extensions use CSP injection to modify headers on the same page, only one wins. It doesn't matter who: first loaded, first modified - don't care: the fact is only one extension will achieve what it is meant to, the other(s) will fail
Basic example? Content blockers not blocking certain content because another extension got priority.
The issue appears to be Firefox specific at the time. The bug was reported to Mozilla some time ago (more than a year ago) and Mozilla assigned it a priority of 2. P2 issues are not exactly high placed in the development queue and it is unclear if or when the issue will be resolved.
Firefox does not seem to reveal the conflict to the user of the browser, and it is not trivial to find out if an extension does CSP injections (search for content-security-policy in all files of an extension, but first extract it to the local system or use Extension Source Viewer to view it). You may use Notepad++ to search for text in all files, the excellent search tool Everything, or the command line tool findstr.
You may be able to resolve the issue by either a) disabling the functionality in extensions if possible or b) uninstalling add-ons.
Now You: What is your take on the issue? Too small to fix? Urgent fix necessary?
It seems the bug have been fixed, probably landing on FF77!
https://bugzilla.mozilla.org/show_bug.cgi?id=1462989
“Urgent fix necessary?”
Yes. Absolutely.
“advocacy chatter” != “We at Mozilla care for your privacy!!1!1”
Comments on the bugzilla ticket (1462989) have been closed for “advocacy chatter”, the moderation is really disappointing.
Here’s who’s to blame for the all the assassin changes mozilla makes https://www.mozilla.org/en-US/about/leadership/ in firefox.
Not trying to get too political but a high level of estrogen in a corporate structure will faulter and eventually crumble.
Mozilla being anti-user has nothing to do with hiring women, disabled black muslim mexican transsexuals, or anything else frowned upon by more conservative people like you. Not trying to get too political but those have exactly the same potential as anyone else in being corrupt assholes once in a position of corporate power. It’s more about where they get money from.
There isn’t a direct causal role, no. There are more than enough women out there who have the skills and priorities needed to run a foundation with the sort of goals that Mozilla should have that you *could* fill a roster of around 40 leadership roles with exclusively women and have an excellent foundation, in theory.
But realistically . . . I count 20 women and 21 men on that page; if you exclude the former board members, the women actually have a slight majority (18 to 17). So Mozilla has around 50% women in top leadership roles, and enough total people in leadership roles that this is unlikely to be a chance result or a result of a couple founders knowing each other.
Now, what fraction of power users who are both security-conscious and security-knowledgeable would you guess are women? I’d hesitate to put a definite number on it, but while I’m confident that it’s appreciably greater than zero, I’m also confident that it’s a good deal less than 50%. Given that, just looking at the Mozilla Leadership page doesn’t *prove*, but does give pretty strong prima facie evidence, that at least one of two very undesirable things is true: (1) Mozilla is prioritizing “diversity” over quality when it comes to hiring and/or promotion decisions, and/or (2) Mozilla’s definition of quality is one is not oriented toward security and providing good tools for people with definite, well-defined goals.
I don’t get it.
What do i need now? in uBlock Origin i block CSP reports, block remote fonts and i use uMatrix
Minor performance improvements used as an excuse to sacrifice privacy and extension capabilities, especially adblockers. Sneakily betraying users expectations that their extensions are protecting them. This is the current Mozilla philosophy.
As always Firefox want to copy Chrome but doing it half assedly.
“The same thing happens in Chromium, at least, if they still follow their documented behavior. If multiple extensions modify the same header, there is a conflict, and no matter how we try to resolve that conflict, it will upset someone. Chrome’s documented behavior is “If more than one extension attempts to modify the request, the most recently installed extension wins and all others are ignored” though its actual behavior may differ.”
“AFAIK, the headers are merged to avoid this issue happening there. uBO inserts a CSP in Chromium the same way it does in Firefox, but yet headers are merged in Chromium and not in Firefox, this is why I call it a bug as the merging of headers is something I expected on the contrary.”
“So was breakage of extensions also expected ? Because this only happens in Firefox and not in Chromium and why was this considered expected in the first place if ultimately it breaks extensions ?”
“It’s not a bug. It works as documented and expected. Changing the expected behavior in cases like this is an enhancement.”
Yes, “enhancement” lol
This has nothing to do with the article itself. I would like to steer some attention to the change in “Firefox Settings” almost every time there is an update. Today (I am on Mac) FF changed my settings without asking again. It was in Prereferences – Browsing – recommend features as you browse. Before that I had “Snippets” checked without my input. Wondering whatelse they change without telling you. Shitty browser, but still the best Shit I can find for my browsing.
glad to see more attention being brought to this issue – it is absolutely important that it gets fixed and the fact that Moz has dragged it’s feet on this is absurd
please vote for this bug…
https://bugzilla.mozilla.org/show_bug.cgi?id=1421725
Typo error: The ‘hen’ in ‘hen two or more extensions use CSP injection’ should be ‘When’.
> What is your take on the issue? Too small to fix? Urgent fix necessary?
I like your dry German humor, inciting the readers like that: “too small to fix” … more like should have been addressed 18 months ago, P1
> Mozilla Firefox has an issue right now … The bug was reported to Mozilla some time ago (more than a year ago)
Its been a **known** issue since Nov 2017: The problem is a result of limitations in the new WebExt APIs, so it became more apparent when FF57 landed (and legacy extensions were disabled).
– 1417249 – https://bugzilla.mozilla.org/show_bug.cgi?id=1417249 – got closed down as duplicate of a later bug (1477696), filed by earthlng
– 1421725 – https://bugzilla.mozilla.org/show_bug.cgi?id=1421725 – lodged when 58 was stable, gathering dust
– 1462989 – https://bugzilla.mozilla.org/show_bug.cgi?id=1462989 – lodged by uBlock-user and seems to be the one with the most momentum
– 1477696 – https://bugzilla.mozilla.org/show_bug.cgi?id=1477696 – ^^ the later bug with tumbleweeds and crickets
> The team behind the Ghacks User JS maintains a list of extensions known to use CSP injection
Only maintaining the issue for extensions we recommend. Don’t care about other extensions. For example, NoScript uses a listener on a loop to inject it’s CSP when required, and basically wins out over all others. But we don’t recommend NS.
Wow, thank you!
By the way, typo here:
If there is more than one extension active on a page that uses CPS[sic] injection, only one is used. Imagine the following scenario: you have a content blocker and another extension installed that both use CSP injection.
Small, but thought I’d let you know. Still, thank you for writing this.
I filed it back on May 20th 2018 when I discovered it first and reported in the team discusssions with uBO team, back then I hoped it won’t take months and now a year, but Firefox devs don’t consider this worthy of P1 priority so it’s lost in the graveyard of bugs somewhere on the bugzilla.
Thanks uBlock-user .. keep plugging away … its ONLY been OVER 18+ months since they knew about it (https://bugzilla.mozilla.org/show_bug.cgi?id=1377689#c26) and decided to do not address it and 18 months since Nov 2017 since earthlng reported it ( https://bugzilla.mozilla.org/show_bug.cgi?id=1417249 ) and we all knew about it.
Your bug is the one that at least has a dialog going … https://bugzilla.mozilla.org/show_bug.cgi?id=1462989 .. here’s hoping enough people with a voice get heard on this, since now Martin has done an article – maybe the backlash will spur something
PS: I hate that this has happened, and please note that I’m not fully informed. I do not know what it entails or how complex it is to achieve, or how much performance cost there might be. But I am glad that after 18 months, maybe something will be done
gorhill’s response — https://bugzilla.mozilla.org/show_bug.cgi?id=1462989#c20
Martin asked: “What is your take on the issue? Too small to fix? Urgent fix necessary?â€
Wow! Thanks a lot for this. I had no idea. gHacks always provides essential reading for users of FF and other software.
Gee, do I want ads and trackers when I think I’m blocking them? :) Or do I want to be canvas-fingerprinted when I think I’m blocking it? Or do I want cookies piling up when I think they’re being deleted? :)
What’s my take? Urgent fix necessary, no doubt!
It’s outrageous that Mozilla has let this go on for over one year! And assigning it level two priority shows how much they really care about users’ privacy. But the worst and most inexcusable thing is that Mozilla never fixed it, and never told users! Unbelievable. So Mozilla keeps promoting, and users keep blithely installing, add-ons that may or may not work 100%. And there’s no way for users to ever notice that the add-ons aren’t working. Letting people think they protected when they’re not is inexcusable. Shame on Mozilla!
A fuller list of add-ons which are known to be or which may be affected would be great to have.
Top quality browser, right there :^) lmao
Now this explains why I see people complaining about their adblocker not working. And they happen to be using this particular Chromium alternative. The sad part is that they blame uB0 instead of criticising mozilla’s slapdash programming.
that is perhaps the intention… since in certain ways uBO wipes out the other ones business model…
> The team behind the Ghacks User JS maintains a list of extensions known to use CSP injection for some functionality. The team did a great job analyzing the issue and collecting all the bits and pieces. You may also want to read through the issue description on GitHub for additional information.
>
> You find popular extensions like uBlock Origin, uMatrix, or HTTPS Everywhere on the list as well as others such as Enterprise Policy Generator, Cookie AutoDelete, or Skip Redirect.
Enterprise Policy Generator is not using CSP injection so I don’t know why it was mentioned.
Just to be clear, the wiki page also doesn’t say that. It marks those that do use CSP injection with a red exclamation etc. I think Martin was referring to the entire list – could definitely be worded a bit clearer
Right, made this clearer.
well, Enterprise Policy Generator has nothing to do with CSP / the article at all so it’s still unclear why it’s mentioned in a “Firefox CSP Issue may cause extension conflicts” context. ;-)
The list includes extensions that were tested for CSP injection. Yours is clean, and the inclusion helps users who may wonder whether it is.