mlgualtieri / CSS-Exfil-Protection

Official repository for the CSS Exfil Protection browser extensions.
MIT License

Firefox: CSS Exfil Protection fails while using NoScript or JShelter #38

Open gur-helios opened 2 years ago

gur-helios commented 2 years ago

Hi all

In Firefox 97.0.1 for desktop and Firefox Nightly 99.0a for Android, the CSS Exfil Protection addon fails if either NoScript or JShelter is enabled. Disabling them solves the issue and the test passes. CSS Exfil Protection Tester

I've also checked it out with Microsoft Edge and NoScript enabled and there is no issue so far. Everything works fine with both CSS Exfil Protection and NoScript addons enabled.

Best wishes

mlgualtieri commented 2 years ago

Thanks for the report! I also got your contact form emails :-) Simple reason NoScript will make the vulnerability tester fail: it requires JavaScript to make the check.

From the FAQ:

Q: If the vulnerability doesn't involve JavaScript, why does the vulnerability tester require JavaScript?

A: While the CSS Exfil attack doesn't require JavaScript to function, this page requires a few lines of JavaScript to check to see if the exploit succeeded in loading the images.

gur-helios commented 2 years ago

Hi Mike

Yes, I do know. ;) I've made some tests and it seems that some other addons I also have installed are interacting in a bad manner with the CSS Exfil Protection addon so far. Sometimes the test passes, sometimes it doesn't. Will see if I find the culprits. :)

Here is the list of my installed addons: https://addons.mozilla.org/en-US/android/collections/5897684/Collection-1/

Best wishes

mlgualtieri commented 2 years ago

OK! Just wanted to rule that out. I will take a look and see if I can determine the reason behind the conflict and if I can do anything about it in the plugin.

gur-helios commented 2 years ago

Hi Mike

I've made some tests again with a clean Firefox installation (v97.0.2) and only with the two add-ons "CSS Exfil Protection" and "NoScript" installed and enabled. When refreshing the "CSS Exfil Vulnerability Tester" website, sometimes the test passes and sometimes it doesn't. It's highly strange behavior. The test always passes when NoScript is disabled (screenshot 3).

I've made three screenshots for you.

[Screenshot 2022-03-06 235100] [Screenshot 2022-03-06 235131] [Screenshot 2022-03-06 235207]