Can we please include the fixed Bug 863246

dark_moon


Unread post by dark_moon » 2017-09-03, 17:53

With Firefox 57 bug #863246 is fixed.
It would be nice if Pale Moon included that too.

See:
# https://www.bleepingcomputer.com/news/s ... n-systems/
# https://www.ghacks.net/2017/08/30/firef ... -internet/

satrow
Forum staff
Posts: 1885
Joined: 2011-09-08, 11:27

Unread post by satrow » 2017-09-03, 18:48

I've not waded through the Bugzilla details, but both of the other links refer to WebExtensions as being the problem (and it was first detected in Chrome?); assuming that's correct, it's n/a to Pale Moon.

adesh
Board Warrior
Posts: 1277
Joined: 2017-06-06, 07:38

Unread post by adesh » 2017-09-03, 19:02

Yes, this is N/A for Pale Moon, as stated by Moonchild in Issue #1327.

Moonchild
Pale Moon guru
Posts: 35602
Joined: 2011-08-28, 17:27
Location: Motala, SE

Unread post by Moonchild » 2017-09-03, 20:10

As far as resource:// "leaks" is concerned, no matter what kind of barrier is installed like in that BMO bug, any extension that needs resources from itself accessible to content-injected elements can still be detected by web pages, because it's not possible to make a distinction between native page scripts and injected extension scripts.
Even so, none of this will disclose any private information, since only static information will ever be available from resource:// URIs.

Also, the barrier installed in that bug precludes the use of "legacy" extensions that need this access, which is exactly why it won't be introduced in Firefox until 57.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

joe04


Unread post by joe04 » 2017-09-03, 23:20

Moonchild wrote:
> As far as resource:// "leaks" is concerned, no matter what kind of barrier is installed like in that BMO bug, any extension that needs resources from itself accessible to content-injected elements can still be detected by web pages, because it's not possible to make a distinction between native page scripts and injected extension scripts.
> Even so, none of this will disclose any private information, since only static information will ever be available from resource:// URIs.

Thanks for clarifying that. Could you list what exactly the static information is? I tried searching but didn't find anything.


Unread post by Moonchild » 2017-09-03, 23:38

Static information being parts of the extension itself, never user data.

dark_moon


Unread post by dark_moon » 2017-09-07, 19:43

Thanks!

With NoScript we can block websites using resource://

Add these as strings in about:config:

Code:

noscript.surrogate.noplugin.exceptions	<EMPTY>
noscript.surrogate.noplugin.replacement	Object.defineProperty(navigator, "plugins", {value: []});
noscript.surrogate.noplugin.sources	@^https?://

Testsite: https://browserleaks.com/firefox

Only the Default Locale can be displayed with that NoScript feature.


Unread post by Moonchild » 2017-09-07, 21:14

Um, Pale Moon 27.4.2 already only shows the locale out of the box on that test site ;) NoScript has no part in it.

dark_moon


Unread post by dark_moon » 2017-09-08, 06:43

You're right :mrgreen:

The thread can be closed.
