Can we please include the fixed Bug 863246
Can we please include the fixed Bug 863246
With Firefox 57 bug #863246 is fixed.
Would be nice if Pale Moon include that too.
See:
# https://www.bleepingcomputer.com/news/s ... n-systems/
# https://www.ghacks.net/2017/08/30/firef ... -internet/
Would be nice if Pale Moon include that too.
See:
# https://www.bleepingcomputer.com/news/s ... n-systems/
# https://www.ghacks.net/2017/08/30/firef ... -internet/
Re: Can we please include the fixed Bug 863246
I've not waded through the Bugzilla details but both of the other links refer to WebExtensions as being the problem (and was first detected in Chrome?), assuming that's correct it's n/a to Pale Moon.
Re: Can we please include the fixed Bug 863246
Yes, this is N/A for Pale Moon, stated by Moonchild in Issue #1327
Re: Can we please include the fixed Bug 863246
As far as resource:// "leaks" is concerned, no matter what kind of barrier is installed like in that BMO bug, any extension that needs resources from itself accessible to content-injected elements can still be detected by web pages, because it's not possible to make a distinction between native page scripts and injected extension scripts.
Even so, none of this will disclose any private information, since only static information will ever be available from resource:// URIs.
Also, the barrier installed in that bug precludes the use of "legacy" extensions that need this access, which is exactly why it won't be introduced in Firefox until 57.
Even so, none of this will disclose any private information, since only static information will ever be available from resource:// URIs.
Also, the barrier installed in that bug precludes the use of "legacy" extensions that need this access, which is exactly why it won't be introduced in Firefox until 57.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Can we please include the fixed Bug 863246
Thanks for clarifying that. Could you list what exactly the static information is? I tried searching but didn't find anything.Moonchild wrote:As far as resource:// "leaks" is concerned, no matter what kind of barrier is installed like in that BMO bug, any extension that needs resources from itself accessible to content-injected elements can still be detected by web pages, because it's not possible to make a distinction between native page scripts and injected extension scripts.
Even so, none of this will disclose any private information, since only static information will ever be available from resource:// URIs.
Re: Can we please include the fixed Bug 863246
Static information being parts of the extension itself, never user data.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Can we please include the fixed Bug 863246
Thanks!
With NoScript we can block websites using resource://
Add that as strings in about:config:
Testsite: https://browserleaks.com/firefox
Only the Default Locale can be displayed with that NoScript feature.
With NoScript we can block websites using resource://
Add that as strings in about:config:
Code: Select all
noscript.surrogate.noplugin.exceptions <EMPTY>
noscript.surrogate.noplugin.replacement Object.defineProperty(navigator, "plugins", {value: []});
noscript.surrogate.noplugin.sources @^https?://
Only the Default Locale can be displayed with that NoScript feature.
Re: Can we please include the fixed Bug 863246
Um, pale moon 27.4.2 already only shows the locale out of the box on that test site NoScript has no part in it.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite