Firefox 68 — any changes affecting CSRF capabilities?

My Ubuntu 18 system did an upgrade to Firefox 68 (presumably from 67.x).

I have a simple XSRF demo that I use for class — the demo is extremely simple: I have a login program that sets a sessionid cookie once there is a successful login. To simplify the demo, the cookie is set with a hardcoded value.

Then, I have an “add user” server app (a plain old CGI program) that is intended to add the user only if there is a login — that is, if the sessionid cookie contains the expected (hardcoded) value. The program simply checks:

    if (cookie["sessionid"] == "the-hardcoded-value") {
        // execute SQL: insert into users values ........
    }

Then, I have a third page (on a separate domain) that just has an embedded img tag that looks like this:

<img src="https://mydomain.com/cgi-bin/add_user.cgi?username=AddedViaXSRF" /> 

(the img shows as a little empty square on the displayed HTML page)

The thing worked like a charm….. until this morning. It just won’t work with Firefox 68. I check the server logs (the “add user” program logs the requests that it receives, including the cookies) — it is not receiving the sessionid cookie even though I see, via the menu Web developer → Storage Inspector, that the cookie has been set in the browser. I also checked: the sameSite attribute is not set (httpOnly is, because the login program sets it).

The demo still works with Firefox 61 (I tried from a virtual machine — two, actually: a Windows 7 with FF 61, and also an unpatched Ubuntu 18.04.1 that happens to also have FF 61). But I’m fairly certain that it was also working on FF 67.x (I had tried the demo a couple days ago, in preparation for today’s class where I showed the demo).

Is it really some change in FF 68 that’s preventing this simple “classic” img-based CSRF attack from succeeding? (if so, what is the change? I can’t see anything remotely close to related in the list of security fixes for FF 68)

[[EDIT]]: I just tried with FF 65 (a “live booted” Ubuntu 18.04.2 system), and the demo works without a glitch (i.e., the XSRF attack succeeds in adding a user to the table).
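
The cookie-only check described in the question, next to a hardened version of the same endpoint, as an added example that is not part of the original post. It is a Python model of the request handling rather than the poster's CGI program; SERVER_KEY, the function names and the sample requests are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values for illustration; none come from the original post's server.
SESSION_ID = "the-hardcoded-value"        # placeholder used in the post's pseudocode
SERVER_KEY = b"constructed-demo-key"      # hypothetical server-side secret
TRUSTED_ORIGIN = "https://mydomain.com"   # site hosting add_user.cgi in the post


def session_cookie_header(session_id):
    """Set-Cookie value asking the browser to withhold the cookie on cross-site subrequests."""
    return f"sessionid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def csrf_token(session_id):
    """Token bound to the session; placed in the legitimate form, unknown to other sites."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def add_user_cookie_only(method, cookies, headers, params):
    """The check as described in the post: any request carrying the cookie is accepted."""
    return cookies.get("sessionid") == SESSION_ID


def add_user_hardened(method, cookies, headers, params):
    """Same endpoint with independent CSRF checks before the INSERT would run."""
    if method != "POST":                            # no state change on GET
        return False
    if cookies.get("sessionid") != SESSION_ID:      # must be logged in
        return False
    if headers.get("Origin") != TRUSTED_ORIGIN:     # reject foreign or missing Origin
        return False
    supplied = params.get("csrf_token", "").encode()
    return hmac.compare_digest(supplied, csrf_token(SESSION_ID).encode())


# Constructed requests: the cross-site <img> load and a same-site form submission.
IMG_REQUEST = ("GET", {"sessionid": SESSION_ID}, {}, {"username": "AddedViaXSRF"})
FORM_REQUEST = ("POST", {"sessionid": SESSION_ID}, {"Origin": TRUSTED_ORIGIN},
                {"username": "alice", "csrf_token": csrf_token(SESSION_ID)})

if __name__ == "__main__":
    print(session_cookie_header(SESSION_ID))
    for name, req in (("img", IMG_REQUEST), ("form", FORM_REQUEST)):
        print(name, add_user_cookie_only(*req), add_user_hardened(*req))
```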

Error packaging a Firefox extension

I am trying to package a Firefox extension that I developed, but when I try to install it, it tells me: “Este complemento no ha podido ser instalado porque parece que está dañado.” (This add-on could not be installed because it appears to be corrupt.) I have already tried with Firefox Quantum and with the Nightly version to see whether the versions had something to do with it, but no luck. I have followed the MDN instructions and that did not work either; I follow them to the letter: I select the files rather than the folder, compress them in .ZIP format and then change the extension to .XPI.

I have also followed all the instructions in the following English-language forum thread, still nothing. I have tried doing the compression with 7-Zip, which I have read is more recommended, and that did not work either, and I should mention that I have tried with WinRAR as well. I do not think the problem is with the extension, because it works perfectly when I test it in debugging mode. I am leaving my directory tree in case it helps.

CARPETA_DE_LA_EXTENSIÓN
├───content
│   ├───info.html
│   └───popup.html
├───images
│   ├───baricon.png
│   ├───icono128.png
│   ├───icono16.png
│   └───icono48.png
├───js
│   └───myjs.js
├───style
│   ├───css.css
│   └───materialize.css
├───background.js
└───manifest.json

Java + Selenium + Firefox: Warning: Potential security risk ahead

Hi, I am new to Java + Selenium, and while trying to build an automation I ran into a link that cannot be accessed directly. (Note: if I open the browser and enter the URL, it loads normally.) However, while the application is running, the following error is shown in the browser: Falha1 Falha2

==================================================================

In Eclipse, e.printStackTrace() shows the following:

Build info: version: '3.5.3', revision: 'a88d25fe6b', time: '2017-08-29T12:42:44.417Z'
System info: host: 'XXXXXXXXXXXX', ip: 'XXX.XX.XXX.XX', os.name: 'Windows 10', os.arch: 'amd64', os.version: '10.0', java.version: '1.8.0_211'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Capabilities [{moz:profile=C:\Users\plongo\AppData\Local\Temp\rust_mozprofile.SZ82cVMM6alm, rotatable=false, moz:geckodriverVersion=0.24.0, timeouts={implicit=0, pageLoad=300000, script=30000}, pageLoadStrategy=normal, unhandledPromptBehavior=dismiss and notify, strictFileInteractability=false, moz:headless=false, platform=XP, moz:accessibilityChecks=false, moz:useNonSpecCompliantPointerOrigin=false, acceptInsecureCerts=false, browserVersion=67.0.1, moz:shutdownTimeout=60000, platformVersion=10.0, moz:processID=10732, browserName=firefox, moz:buildID=20190529130856, javascriptEnabled=true, platformName=XP, setWindowRect=true, moz:webdriverClick=true}]
Session ID: 704d6de3-47a4-49be-9669-27245af574aa
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.openqa.selenium.remote.http.W3CHttpResponseCodec.createException(W3CHttpResponseCodec.java:185)
    at org.openqa.selenium.remote.http.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:120)
    at org.openqa.selenium.remote.http.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:49)
    at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:164)
    at org.openqa.selenium.remote.service.DriverCommandExecutor.execute(DriverCommandExecutor.java:82)
    at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:646)
    at org.openqa.selenium.remote.RemoteWebDriver.get(RemoteWebDriver.java:370)
    at controler.Navegador.abrirNavegador(Navegador.java:42)
    at model.DocumentoR.inicioDocR(DocumentoR.java:23)
    at view.TelaPrincipal$7.actionPerformed(TelaPrincipal.java:199)
    at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
    at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
    at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
    at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
    at java.awt.Component.processMouseEvent(Component.java:6539)
    at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
    at java.awt.Component.processEvent(Component.java:6304)
    at java.awt.Container.processEvent(Container.java:2239)
    at java.awt.Component.dispatchEventImpl(Component.java:4889)
    at java.awt.Container.dispatchEventImpl(Container.java:2297)
    at java.awt.Component.dispatchEvent(Component.java:4711)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4904)
    at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4535)
    at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4476)
    at java.awt.Container.dispatchEventImpl(Container.java:2283)
    at java.awt.Window.dispatchEventImpl(Window.java:2746)
    at java.awt.Component.dispatchEvent(Component.java:4711)
    at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760)
    at java.awt.EventQueue.access$500(EventQueue.java:97)
    at java.awt.EventQueue$3.run(EventQueue.java:709)
    at java.awt.EventQueue$3.run(EventQueue.java:703)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:84)
    at java.awt.EventQueue$4.run(EventQueue.java:733)
    at java.awt.EventQueue$4.run(EventQueue.java:731)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:730)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
    at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
java.lang.NullPointerException
    at model.DocumentoR.inicioDocR(DocumentoR.java:31)
    at view.TelaPrincipal$7.actionPerformed(TelaPrincipal.java:199)
    at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
    at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
    at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
    at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
    at java.awt.Component.processMouseEvent(Component.java:6539)
    at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
    at java.awt.Component.processEvent(Component.java:6304)
    at java.awt.Container.processEvent(Container.java:2239)
    at java.awt.Component.dispatchEventImpl(Component.java:4889)
    at java.awt.Container.dispatchEventImpl(Container.java:2297)
    at java.awt.Component.dispatchEvent(Component.java:4711)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4904)
    at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4535)
    at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4476)
    at java.awt.Container.dispatchEventImpl(Container.java:2283)
    at java.awt.Window.dispatchEventImpl(Window.java:2746)
    at java.awt.Component.dispatchEvent(Component.java:4711)
    at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:760)
    at java.awt.EventQueue.access$500(EventQueue.java:97)
    at java.awt.EventQueue$3.run(EventQueue.java:709)
    at java.awt.EventQueue$3.run(EventQueue.java:703)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:84)
    at java.awt.EventQueue$4.run(EventQueue.java:733)
    at java.awt.EventQueue$4.run(EventQueue.java:731)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:730)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
    at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

==================================================================

As far as I understand, it runs into a domain certification rule of Java itself or of Selenium. There is no way to automate the click on “Advanced” and “Continue anyway”, because the exception is thrown as soon as it tries to access the URL, right in the driver.get(""); method. I tried making it navigate through the site and click the link that leads to this URL, and the same error is shown!

(Just a reminder that directly in the browser I can access it normally; it does not land on this warning screen.) I have not tested in another browser, because for this project I need to use Firefox.

How can I allow this site so that Java + Selenium can access it? Could anyone help?

URL: https://www4.trf5.jus.br/intimacoesEletronicasSecoes/

OnePage-Scroll plugin. Modal scroll does not work in Firefox and Safari. Chrome handles it perfectly

I am working on a project. I cannot publish it, but I have put the essence of the problem in an example.

https://notify.panda-code.ru/demo.html

This is a demo of the page-by-page navigation plugin + a .test element

with the styles

    position: absolute;
    top: 0;
    overflow-y: scroll;
    height: 100%;
    z-index: 3;
    width: 50%;
    background: #fff;

I have been racking my brain over this for days now. In short: scrolling inside this window works in Chrome, but does not work in Firefox and Safari. The plugin is the cause. Without it, it works. Please help me with how to at least debug this.

I can’t plug in Java on Firefox on Ubuntu 19.04

I’ve recently installed Ubuntu 19.04; I’m a new user of Ubuntu. I need to use a VPN to access my work internet. I haven’t the VPN client, but I can use Firefox to log in to my VPN. The VPN needs to use a JDK, so I installed OpenJDK 8.0, but I can’t plug Java into Firefox. Any time I followed some tutorial on plugging in the JDK, I still couldn’t solve it. Can anyone give me a hand? It’s urgent.

How to kill Firefox without unplugging the power if even ‘sudo kill -9’ can’t?

This question may look similar to this or this one but the difference here is that the process in question is Firefox, i.e. it is under user space and it is not related to mounting stuff.

In my case the rest of the system was responsive, only Firefox got halted.

What else could stop sudo kill -9 from working, and how could I go back to a healthy environment without physically unplugging the power (even reboot didn’t work)?

Firefox Developer Edition [and others] not opening in macOS Catalina

Ok… tell me it’s not just me, when I launch Firefox Developer Edition [68.0b13] in macOS Catalina [beta 2] I get the error message that it can’t open because it’s from an unidentified developer.

So, I try to go to the file in Application and right-click open and confirm that I want to open. The base program opens but there is an updater sequence that Firefox tries to open that hits the same wall as before.

I’ve even gone to Security and Privacy and told it to open anyway. Still nothing.

Does anyone know how to overcome this and get FDE to launch or am I just screwed until Apple and Mozilla figure their stuff out?