We're about to enable a Content Security Policy (CSP) on bugzilla.mozilla.org. CSP will mitigate several types of attack on our users and our site, including Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS).

The first place we're deploying this is the bug detail page in the new Modal view (which, you may recall, we're making the default view), with the goal of eventually having complete CSP coverage across the site.

As a side effect of this work, CSP may break add-ons that modify the bug detail page. If we have broken something of yours, we can quickly fix it. We're already enabling the Socorro Lens add-on; you can see how that was addressed.

WebExtensions can still modify the DOM of a bug detail page through their content script (content.js). Add-ons and WebExtensions will not be able to load resources from third parties into the bug detail page unless we make an exception for you.
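To make the "no third-party resources unless we add an exception" rule concrete, here is an added example (not code from BMO or from any add-on) of a small evaluator for CSP fetch directives. The policy string `EXAMPLE_POLICY`, the hostnames `cdn.example.org`, `widgets.example.net`, `images.example.com` and `api.example.net`, and the function names are all constructed for illustration; the real bugzilla.mozilla.org policy is not shown in the post. The point it demonstrates is that a resource injected by a content script is still subject to the page's policy: an own-origin script passes `'self'`, a third-party script host passes only if it is listed, and a directive that is absent (here `connect-src`) falls back to `default-src`.

```javascript
// Added example, not BMO's real policy or code. Evaluates whether a fetch of
// `resourceUrl` governed by `directive` is allowed by `policy` on a page whose
// origin is `pageOrigin`. Covers 'self', 'none', '*', scheme-sources (https:)
// and host-sources with optional scheme, leading "*." wildcard and port.
// Uses the global WHATWG URL class (Node >= 10 and all modern browsers).

// Fetch directives that fall back to default-src when not specified.
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "connect-src", "font-src",
  "media-src", "object-src", "frame-src",
]);

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse "dir src src; dir src" into Map(directive -> [sources]).
// A repeated directive is ignored after its first occurrence, as CSP requires.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Does one source expression match the URL being fetched?
function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false;     // nonces/hashes don't apply to fetches
  if (src === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol);
  if (src.endsWith(":")) return url.protocol === src;   // scheme-source, e.g. https:

  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;

  // Scheme: explicit scheme must match; otherwise the page's scheme or https.
  const pageProtocol = new URL(pageOrigin).protocol;
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== pageProtocol && url.protocol !== "https:") {
    return false;
  }

  // Host: "*.example.org" matches subdomains only, never example.org itself.
  const hostname = url.hostname.toLowerCase();
  if (wildcard) {
    if (!hostname.endsWith("." + host)) return false;
  } else if (hostname !== host) {
    return false;
  }

  // Port: unspecified means the scheme's default port; "*" means any.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port === undefined) return urlPort === DEFAULT_PORTS[url.protocol];
  return port === "*" || port === urlPort;
}

// Main check: resolve the governing directive (with default-src fallback),
// then allow the fetch if any source expression matches.
function cspAllows(policy, directive, resourceUrl, pageOrigin) {
  const directives = parsePolicy(policy);
  let sources = directives.get(directive);
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) {
    sources = directives.get("default-src");
  }
  if (sources === undefined) return true;   // not governed by this policy
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed policy for illustration only (not bugzilla.mozilla.org's header).
const PAGE_ORIGIN = "https://bugzilla.mozilla.org";
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.org; " +
  "img-src 'self' https:; object-src 'none'";

// Typical fetches a content script might trigger on the bug detail page.
function demo() {
  return {
    ownScript:        cspAllows(EXAMPLE_POLICY, "script-src",  "https://bugzilla.mozilla.org/js/bug_modal.js", PAGE_ORIGIN),
    listedCdnScript:  cspAllows(EXAMPLE_POLICY, "script-src",  "https://cdn.example.org/lib.js", PAGE_ORIGIN),
    thirdPartyScript: cspAllows(EXAMPLE_POLICY, "script-src",  "https://widgets.example.net/lens.js", PAGE_ORIGIN),
    anyHttpsImage:    cspAllows(EXAMPLE_POLICY, "img-src",     "https://images.example.com/a.png", PAGE_ORIGIN),
    httpImage:        cspAllows(EXAMPLE_POLICY, "img-src",     "http://images.example.com/a.png", PAGE_ORIGIN),
    thirdPartyXhr:    cspAllows(EXAMPLE_POLICY, "connect-src", "https://api.example.net/v1/bugs", PAGE_ORIGIN),
    plugin:           cspAllows(EXAMPLE_POLICY, "object-src",  "https://bugzilla.mozilla.org/x.swf", PAGE_ORIGIN),
  };
}
```

Running `demo()` shows why an add-on that injects a `<script src>` or fires an XHR to its own server breaks under the policy while DOM edits made directly by the content script keep working: `ownScript`, `listedCdnScript` and `anyHttpsImage` come back `true`, and `thirdPartyScript`, `httpImage`, `thirdPartyXhr` (because `connect-src` falls back to `default-src 'self'`) and `plugin` come back `false`. The fix on the site side is exactly the "exception" the post mentions: adding the add-on's host to the relevant directive.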

Long term, if there is a feature from an add-on you'd like to make part of BMO, please seek me out on irc://irc.mozilla.org/bteam or open a new ticket in the bugzilla.mozilla.org product in Bugzilla and set the severity to 'enhancement'.

ETA: clarified what an add-on or WebExtension is allowed to do. Thanks to the WebExtensions team for answering questions on IRC tonight. Also, a CSP does not block CSRF; see the comments.