← Back to context

Comment by jsheard

5 hours ago

Firefox already mitigates this by randomizing the extension path: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

    The file is then available using a URL like: moz-extension://<extension-UUID>/images/my-image.png"
    <extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance.
    This prevents websites from fingerprinting a browser by examining the extensions it has installed.

2 comments

jsheard

Reply
zahlman  5 hours ago

Doesn't the browser know which script it's running?

Why can't it just deny access to the specified path, except to the extension itself?

  • cxr  4 hours ago

    It does by default, except for the files from the extension that the extension author has explicitly designated as content-accessible. It's explained ("Using web_accessible_resources") at the other end of the link.