Firefox: CSS Exfil Protection fails while using NoScript or JShelter

[gur-helios]

Hi all

In Firefox 97.0.1 for desktop and Firefox Nightly 99.0a for Android, the CSS Exfil Protection addon fails if either NoScript or JShelter is enabled. Disabling them solves the issue and the the test passes. CSS Exfil Protection Tester

I've also checked it out with Microsoft Edge and NoScript enabled and there is no issue so far. Everything works fine with both CSS Exfil Protection and NoScript addons enabled.

Best wishes

[mlgualtieri]

Thanks for the report! I also got your contact form emails :-) Simple reason No Script will make the vulnerability tester fail, it requires JavaScript to make the check.

From the FAQ:

Q: If the vulnerability doesn't involve JavaScript, why does the vulnerability tester require JavaScript?

A: While the CSS Exfil attack doesn't require JavaScript to function, this page requires a few lines of JavaScript to check to see if the exploit succeeded in loading the images.

[gur-helios]

Hi Mike

Yes, I do know. ;) I've made some tests and it seems that some other addons I also have installed are interacting in a bad manner with the CSS Exfil Protection addon so far. Sometimes the test passes, sometimes it doesn't. Will see if I find the culprits. :)

Here is the list of my installed addons: https://addons.mozilla.org/en-US/android/collections/5897684/Collection-1/

Best wishes

[mlgualtieri]

OK! Just wanted to rule that out. I will take a look and see if I can determine the reason behind the conflict and if I can do anything about it in the plugin.

[gur-helios]

Hi Mike

I've made some tests again with a clean Firefox installation (v97.0.2) and only with the two add-ons "CSS Exfil Protection" and "NoScript" installed and enabled. Sometimes, the test passes, sometimes it doesn't by refreshing the "CSS Exfil Vulnerability Tester" website. It's a highly strange behavior. The test always passes when NoScript is disabled (screenshot 3).

I've made three screenshots for you.