Mozilla Firefox has an issue right now that is causing conflicts if multiple extensions are installed that modify CSP headers on visited sites.

CSP, which stands for Content Security Policy, is a security addition that sites may use to detect and mitigate certain attack types such as Cross Site Scripting or data injections.

Browser extensions may use CSP injection to modify headers. The popular content blocker uBlock Origin may use it to block remote fonts from loading on pages visited in the browser, and Canvas Blocker uses it to block data URL pages.

The team behind the Ghacks User JS maintains a list of extensions known to use CSP injection for some functionality. The team did a great job analyzing the issue and collecting all the bits and pieces. You may also want to read through the issue description on GitHub for additional information.

You find popular extensions like uBlock Origin, uMatrix, or HTTPS Everywhere on the list as well as others such as Enterprise Policy Generator, Cookie AutoDelete, or Skip Redirect.

Addendum: only entries with a red exclamation mark use CSP injection.

The issue

If there is more than one extension active on a page that uses CSP injection, only one is used. Imagine the following scenario: you have a content blocker and another extension installed that both use CSP injection.

Only one of those will actually be able to modify the header; the other won't. In other words, some extensions may not work 100% because of the conflict.

When two or more extensions use CSP injection to modify headers on the same page, only one wins. It doesn't matter who: first loaded, first modified - don't care: the fact is only one extension will achieve what it is meant to, the other(s) will fail.

Basic example? Content blockers not blocking certain content because another extension got priority.

The issue appears to be Firefox-specific at this time. The bug was reported to Mozilla more than a year ago, and Mozilla assigned it a priority of 2. P2 issues do not rank high in the development queue, and it is unclear if or when the issue will be resolved.

Firefox does not seem to reveal the conflict to the user of the browser, and it is not trivial to find out if an extension does CSP injections. To check, search for content-security-policy in all files of an extension; extract it to the local system first, or use Extension Source Viewer to view it. You may use Notepad++ to search for text in all files, the excellent search tool Everything, or the command line tool findstr.
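The same search can be run directly against .xpi files, which are zip archives, so no extraction step is needed. The following Python script is an added example, not code from this article or from the Ghacks User JS team; the function names and the three sample extensions are constructed for illustration. A match only marks an extension as a candidate for manual review, since the string can appear in code that never modifies headers.

```python
import json
import tempfile
import zipfile
from pathlib import Path

NEEDLE = b"content-security-policy"  # header name, matched case-insensitively

def scan_xpi(path):
    """Return (extension name, archive members that mention the CSP header)."""
    with zipfile.ZipFile(path) as xpi:  # an .xpi is a zip archive
        try:
            name = json.loads(xpi.read("manifest.json")).get("name", Path(path).name)
        except (KeyError, ValueError):  # manifest missing or not strict JSON
            name = Path(path).name
        hits = [m for m in xpi.namelist()
                if not m.endswith("/") and NEEDLE in xpi.read(m).lower()]
    return name, hits

def find_csp_candidates(ext_dir):
    """Map extension name -> matching files for every .xpi in ext_dir."""
    found = {}
    for xpi in sorted(Path(ext_dir).glob("*.xpi")):
        try:
            name, hits = scan_xpi(xpi)
        except zipfile.BadZipFile:  # skip corrupt or non-zip files
            continue
        if hits:
            found[name] = hits
    return found

def build_sample(ext_dir):
    """Write three constructed sample extensions (not real add-ons)."""
    samples = {
        "a.xpi": ("Sample Blocker A", "background.js",
                  'h.push({name: "Content-Security-Policy", value: v});'),
        "b.xpi": ("Sample Redirect B", "js/headers.js",
                  'if (h.name.toLowerCase() === "content-security-policy") {}'),
        "c.xpi": ("Sample Theme C", "theme.js", 'console.log("no header code");'),
    }
    for filename, (name, member, source) in samples.items():
        with zipfile.ZipFile(Path(ext_dir) / filename, "w") as xpi:
            xpi.writestr("manifest.json", json.dumps({"name": name}))
            xpi.writestr(member, source)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        found = find_csp_candidates(d)
        for name, files in found.items():
            print(f"{name}: {', '.join(files)}")
        if len(found) > 1:
            print("More than one candidate: a CSP injection conflict is possible.")
```

To check a real installation, pass the extensions folder of the Firefox profile to find_csp_candidates instead of the sample directory.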

You may be able to resolve the issue by either a) disabling the functionality in extensions if possible or b) uninstalling add-ons.

Now You: What is your take on the issue? Too small to fix? Urgent fix necessary?

Article name: Firefox CSP Issue may cause extension conflicts. Author: Martin Brinkmann. Publisher: Ghacks Technology News.