Web lists-archives.com

Re: userChrome.css will not be supported indefinitely




My bloviated meandering follows what B00ze graced us with on 1/31/2018 7:11 PM:
On 2018-01-31 11:34, WaltS48 <WaltS48@xxxxxxxxxxxxxxxxx> wrote:

On 1/31/18 11:11 AM, Caver1 wrote:
On 01/31/2018 10:11 AM, WaltS48 wrote:
On 1/31/18 9:53 AM, Ed Mullen wrote:
On 1/30/2018 at 2:30 PM, WaltS48 created this epitome of digital
genius:
On 1/30/18 2:22 PM, Ed Mullen wrote:
On 1/30/2018 at 2:17 PM, WaltS48 created this epitome of digital
genius:
On 1/30/18 2:01 PM, Wolf K wrote:
On 2018-01-30 13:06, Ed Mullen wrote:
On 1/30/2018 at 1:01 PM, Caver1 created this epitome of digital
genius:
"The functionality of userChrome.css will not be supported,
for the same reasons that we removed support for legacy themes."
https://bugzilla.mozilla.org/show_bug.cgi?id=1431962

I just uttered language I cannot post here.

I bet I had the same thoughts.

So, you all want somebody to hack into your userContent.css, or
userChrome.ccs files and hijack your Firefox.

Okay.

Oh, c'mon!  Just how are they going to do that?

The same way they could with Complete Themes I guess.

Hack into your computer, edit the files and save them. Or maybe
completely replace them.

The next time you open Firefox, it doesn't look like you last used it.

"Hack into your computer ..." is the key to why there is little to
worry about concerning this. How's someone going to hack into my PC
by my visiting a web site?  Pure FUD.

Really?

https://www.bleepingcomputer.com/news/security/mozilla-fixes-severe-flaw-in-firefox-ui-that-leads-to-remote-code-execution/

"Mozilla has released Firefox 58.0.1 to fix a security issue that was
hiding in the browser's UI code and would have allowed an attacker to
run code on the user's computer, allowing a quick and easy path to
delivering malware or even taking over the entire PC."

And this has something to do with .css?

Not a thing, other than a security issue that could be hiding in the
browser's UI code that allows an attacker to run code on the user's
computer allowing a quick and easy path to the .css files.

I'll concede to being the most stupid  idiot here.

Walt is right. I -LIKE- userChrome, but it is probably a small vulnerability; some whizkid can probably find a way to mess with you using it. Some bad addOns were recently discovered, for example, that were intercepting about:addOns to prevent you from removing them. They might be able to use userChrome to do something similar, like hiding the "remove" buttons inside the about:addOns page...

Again, userChrome.css ONLY contains style changes, NOT code. That means that USERs can affect text (font colors, sizes, decorations, &c), images (replacing, resizing, orientation, &c), add text & images using css pseudo-properties, &c. However, the USER cannot effect the execution of the UI elements. For that to happen, it would need to allow for CODE changes (which it doesn't) using Javascript or some other means.

Furthermore, a bad player would need to gain access to the USERs Fx profile and if they were able to do that, they could easily add corrupted add-ons which would do real harm.

Additionally, bookmarklets, that do allow for Javacript code, poses more of a threat than userChrome.css.

Unless someone can provide a detail example of how a CSS file can introduce a vuln, I'm calling this #FUD.

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/z86x3sg
_______________________________________________
general mailing list
general@xxxxxxxxxxxxxxxxx
https://lists.mozilla.org/listinfo/general