Open EchoDev opened 4 years ago
@EchoDev What's your browser and its version? (cannot duplicate the bug)
@aelisya Yesterday I was on FF79 and I just upgraded to FF80. Same issue on both.
I update Firefox and I check that ^^
With a fresh version of Firefox 80 and no other extension, no problem on my side. (What extensions do you use? Just in case one extension isn't compatible with the new internal function.)
I think CanvasBlocker is the issue. Turning CanvasBlocker off makes the issue go away. Turning it back on causes the cross-domain CSS to bug out again.
Thanks for the update! I'll need to test it with CanvasBlocker. The issue could be with the "load blocking CSS" loading too slow. This would cause the exfil data to leak, but also would sanitize it after that leak.
Cross domain CSS shows as vulnerable on first load. I'm not able to reproduce this consistently. Best way to reproduce this is by clicking on a link and opening the page in a new tab.
https://i.imgur.com/FK5KRFp.png
After an F5 everything is fine again. Weirdly enough the addon says there are 4 elements detected so it does detect the 4 sheets.
Steps to reproduce in some cases:
Expected result: Page shows browser is not vulnerable
Actual result: Page says browser is vulnerable for cross domain CSS
Console log:
Not Vulnerable Test: 1 Vulnerable Test: 2 Not Vulnerable Test: 3 Vulnerable Test: 4
Tested on Firefox 79 and 80