A missing and important #security feature for @ublockorigin: add a per-subscription option for whether each subscription is allowed to use trusted filters, and make it default to unchecked for all non-default subscriptions. As it stands, malicious compromise of any filter subscription allows arbitrary code injection into any or every page, using, for example, trusted-replace-node-text on any script element. It’s the same #supplyChain threat model as malicious Python/Ruby/Node/R/etc. packages or malicious VS Code or browser extensions.
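
One way to audit a subscription for the filters the post is concerned about, as an added example that is not part of the original post and not uBlock Origin's own code. It assumes scriptlet filters use the `##+js(name, args)` form and that trusted scriptlets are named `trusted-*`; the function name, sample list and `OLD_TEXT`/`NEW_TEXT` placeholders are constructed for illustration.

```javascript
// Added example: flag trusted scriptlet injections in a filter list before subscribing.
// Assumptions: scriptlet filters look like `hosts##+js(name, args...)`, exceptions
// like `hosts#@#+js(...)`, and trusted scriptlets carry a `trusted-` name prefix.
const SCRIPTLET_RE = /^([^#]*)#(@?)#\+js\((.*)\)$/;

function findTrustedScriptlets(listText) {
  const findings = [];
  listText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('!')) return;   // blank line or comment
    const m = SCRIPTLET_RE.exec(line);
    if (!m) return;                                    // network or cosmetic filter
    const [, hostPart, exception, body] = m;
    if (exception === '@') return;                     // exception filters inject nothing
    // The scriptlet name is the first argument; a `.js` suffix is optional.
    const scriptlet = body.split(',')[0].trim().replace(/\.js$/, '');
    if (!scriptlet.startsWith('trusted-')) return;
    const hosts = hostPart === '' ? ['*'] : hostPart.split(',').map(h => h.trim());
    findings.push({
      line: i + 1,
      scriptlet,
      hosts,
      global: hosts.includes('*'),  // assumption: `*` or no host list means every page
      text: line,
    });
  });
  return findings;
}

// Constructed sample list (not taken from any real subscription).
const SAMPLE_LIST = [
  '! Title: constructed sample list',
  '||ads.example^',
  'example.com##.banner',
  'example.com##+js(set-constant, adsEnabled, false)',
  'shop.example,news.example##+js(trusted-replace-node-text, script, OLD_TEXT, NEW_TEXT)',
  '*##+js(trusted-replace-node-text.js, script, OLD_TEXT, NEW_TEXT)',
  'example.org#@#+js(trusted-set-cookie, name, value)',
].join('\n');

for (const f of findTrustedScriptlets(SAMPLE_LIST)) {
  const scope = f.global ? 'ALL PAGES' : f.hosts.join(', ');
  console.log(`line ${f.line}: ${f.scriptlet} -> ${scope}`);
}
```

Running the same check on each update of a third-party list, and alerting when the count of findings changes, surfaces a newly introduced trusted filter before it is reviewed by hand.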

