From 9a75fc9c597919a212047e3d51e9241845f915f6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 13 Mar 2019 15:50:26 +0000 Subject: [PATCH] Updated 4.1 Extensions (markdown) --- 4.1-Extensions.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/4.1-Extensions.md b/4.1-Extensions.md index c2881de..b9f8b4e 100644 --- a/4.1-Extensions.md +++ b/4.1-Extensions.md @@ -4,18 +4,21 @@ Also, see [this sticky issue](https://github.com/ghacksuserjs/ghacks-user.js/iss If you would like to submit a privacy or security related extension to be added to this list, please post the details [here](https://github.com/ghacksuserjs/ghacks-user.js/issues/655) for consideration, thanks. +:exclamation: **CSP**: When multiple extensions use a CSP header injection, **only one wins** and predicting the winner is like [rolling a dice](https://github.com/ghacksuserjs/ghacks-user.js/issues/265#issuecomment-393935989). Also see [#497](https://github.com/ghacksuserjs/ghacks-user.js/issues/497)). **Some** CSP items to be aware of are highlighted below. + ### :small_orange_diamond: Extensions These are all, where applicable, best configured to `deny-all` and whitelist. * [uBlock Origin](https://addons.mozilla.org/firefox/addon/ublock-origin/) ✔ [Privacy](https://github.com/gorhill/uBlock/wiki/Privacy-policy) | [GitHub](https://github.com/gorhill/uBlock) - * Essential if you are not using Mozilla's Tracking Protection and Safe Browsing + * :exclamation: **CSP**: font **rules** use CSP [unsure about font filters] - use Redirector instead * [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) ✔ [Privacy](https://github.com/gorhill/uMatrix/wiki/Privacy-policy) | [GitHub](https://github.com/gorhill/uMatrix) * [Decentraleyes](https://addons.mozilla.org/firefox/addon/decentraleyes/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/decentraleyes/privacy/) | [GitLab](https://git.synz.io/Synzvato/decentraleyes) | [GitHub Archive](https://github.com/Synzvato/decentraleyes) * :exclamation: uBlock Origin users should add the [following rules](https://git.synz.io/Synzvato/decentraleyes/wikis/Frequently-Asked-Questions) if required * [CSS Exfil Protection](https://addons.mozilla.org/firefox/addon/css-exfil-protection/) | [GitHub](https://github.com/mlgualtieri/CSS-Exfil-Protection) | [Homepage + Test](https://www.mike-gualtieri.com/css-exfil-vulnerability-tester) * [HTTPS Everywhere](https://addons.mozilla.org/firefox/addon/https-everywhere/) ✔ [Privacy](https://www.eff.org/code/privacy/policy) | [GitHub](https://github.com/EFForg/https-everywhere) + * :exclamation: **CSP**: blocking all insecure requests (`httpNowhereOn`) uses CSP * [CanvasBlocker](https://addons.mozilla.org/firefox/addon/canvasblocker/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/canvasblocker/privacy/) | [GitHub](https://github.com/kkapsner/CanvasBlocker) - * :exclamation: uncheck the option `Misc > Block data URL pages`. When multiple extensions (e.g. uBO, uMatrix etc) use CSP header injection/modification, only one wins. Predicting the winner is like [rolling a dice](https://github.com/ghacksuserjs/ghacks-user.js/issues/265#issuecomment-393935989) (also see [#497](https://github.com/ghacksuserjs/ghacks-user.js/issues/497)) + * :exclamation: **CSP**: `Misc > Block data URL pages` uses CSP * [Smart Referer](https://addons.mozilla.org/firefox/addon/smart-referer/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/smart-referer/privacy/) | [GitLab](https://gitlab.com/smart-referer/smart-referer) | [GitHub Archive](https://github.com/meh/smart-referer) * [Header Editor](https://addons.mozilla.org/firefox/addon/header-editor/) | [GitHub](https://github.com/FirefoxBar/HeaderEditor) * Allows you to run [Rules](https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor) to modify headers such as blocking ETags