Removing CSP and frame options headers?

The extension YouTube Downloader v1.2 updated 2 days ago and users are reporting new security software detections. The main change in the background script is the addition of the following. It seems to remove various protective headers in the response. There doesn’t seem to be a change log entry explaining why this is necessary for video downloading. Does it seem sketchy to anyone else?

chrome.webRequest.onHeadersReceived.addListener(
  function (t) {
    return {
      responseHeaders: t.responseHeaders.filter(function (t) {
        return "content-security-policy" !== t.name.toLowerCase() && "frame-options" !== t.name.toLowerCase() && "x-frame-options" !== t.name.toLowerCase()
      })
    };
  }, {
    urls: ["<all_urls>"],
    types: ["main_frame", "sub_frame"]
  }, ["blocking", "responseHeaders"]
);

The other notable change was adding a sizzle.js file with this header:

/*!
 * Sizzle CSS Selector Engine v1.1.2
 * https://sizzlejs.com/

This doesn’t appear to be a standard version?

Could be related to this one discussed a year ago: https://www.reddit.com/r/firefox/comments/8jcubq/is_it_ok_for_addon_with_47k_users_to_inject/dyyox4v/

Removing those headers allows you to load any page inside an “iframe” on your addon page or any other page (if allowed by target page). But I can’t say if that can be used for something malicious.
However, I would say this is 100% not OK if it’s active for all tabs all the time. This should be limited to a specific “tabId”, which is not used in the code you’ve posted.

Maybe contact the author directly.

Thanks @jscher2000, we’re looking into it.

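One way to confirm what the listener quoted in the first post does, and whether it is scoped to a tab as the reply suggests it should be, is to run it against a stand-in for `chrome.webRequest`. This is an added example, not part of any post or of the extension; `auditRegistration`, the fake `chrome` object and the sample headers are constructed for illustration.

```javascript
// Added audit harness (not the extension's code). It fakes just enough of
// chrome.webRequest to capture a listener and observe what it does to headers.
const PROTECTIVE = ["content-security-policy", "frame-options", "x-frame-options"];

// The registration quoted in the first post, wrapped so it receives the fake `chrome`.
function registerPostedSnippet(chrome) {
  chrome.webRequest.onHeadersReceived.addListener(
    function (t) {
      return {
        responseHeaders: t.responseHeaders.filter(function (t) {
          return "content-security-policy" !== t.name.toLowerCase() && "frame-options" !== t.name.toLowerCase() && "x-frame-options" !== t.name.toLowerCase();
        })
      };
    },
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}

// Captures every onHeadersReceived registration and reports its effect and scope.
function auditRegistration(register) {
  const seen = [];
  const fakeChrome = { webRequest: { onHeadersReceived: {
    addListener: (listener, filter = {}, extra = []) => seen.push({ listener, filter, extra }),
  } } };
  register(fakeChrome);
  return seen.map(({ listener, filter, extra }) => {
    // Constructed response for a page that sets its own CSP and forbids framing.
    const details = { tabId: 7, type: "main_frame", url: "https://site.example/", responseHeaders: [
      { name: "Content-Type", value: "text/html" },
      { name: "Content-Security-Policy", value: "default-src 'self'" },
      { name: "X-Frame-Options", value: "DENY" },
      { name: "Frame-Options", value: "DENY" },
    ] };
    const out = listener(details) || {};
    const kept = (out.responseHeaders || details.responseHeaders).map((h) => h.name.toLowerCase());
    const dropped = PROTECTIVE.filter((name) => !kept.includes(name));
    const allUrls = (filter.urls || []).includes("<all_urls>");
    const tabScoped = Number.isInteger(filter.tabId);
    // Flag the pattern raised in the thread: protective headers removed for every URL, with no tabId limit.
    return { dropped, allUrls, tabScoped, blocking: extra.includes("blocking"), flagged: dropped.length > 0 && allUrls && !tabScoped };
  });
}

console.log(auditRegistration(registerPostedSnippet));
```

To audit a different listener, pass `auditRegistration` a function that makes the same `addListener` call against the `chrome` argument it receives.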