New Update Allowing third party only on high level domains in Firefox with policy content control


Windows_Security

Hi,

In Chrome it is possible to block scripts by default, adding exceptions for specific websites (e.g. https://[*].com allowing scripts from all com domains). Firefox does not have such an option, but by using a Firefox add-on, Policy Control, it is possible to implement similar protection in three simple steps.

1. Install the add-on Policy Control.

2. Change the default settings to those shown in the image below and click on the save button.
[attached image: Policy Control default settings]

This blocks third-party requests of fonts, plug-ins, javascript, (i)frames, XMLHttpRequests and WebSocket, and all requests for Ping and CSP reports. CSP reports give site owners a warning when their site contains illegal scripts. This is a benefit for site owners, not surfers, so you don't reduce your security. Also, the CSP feature is used by less than 10% of websites.

3. Add allow rules for the domains you normally surf.

I live in the Netherlands (.nl country level domain) and normally only visit websites with com, net, org and info domains. With this restriction I reduce the attack surface while surfing by 60% (when you look at the origin of malware). By allowing all stuff from those websites the functional impact of malfunctioning websites is near zero.
[attached image: Policy Control allow rules for https://*.nl, https://*.com, https://*.net, https://*.org and https://*.info]

When you live in Germany you could change https://*.nl to https://*.de or add other German-speaking countries like Switzerland and Austria (replace https://*.nl with https://*.de, https://*.ch, https://*.at), or when you live in the UK, replace https://*.nl with https://*.co.uk, or when you want to add Australia and New Zealand (with https://*.co.uk, https://*.co.au, https://*.co.nz).
 

Windows_Security

@DeepWeb : Policy Control is also available as a Chrome extension.

A more privacy-aware setting. Besides the security hassle, requests to fonts could track visitors (but there are easier ways to track visitors, so personally I find it a bit far-fetched). Beacons are listed as "other", so instead of allowing "other" for all high-level domains, one could also simply block them (no idea about the functional impact).

More privacy-aware Policy Control settings (blocking third-party 'other' = beacons also)
[attached image: Policy Control settings with third-party 'other' blocked]


And more privacy aware global allow options:
==> https://fonts.*.com (domain with wildcard) applies to fonts.gstatic.com and fonts.google.com
==> r:.*awesome.* (regular expression containing "awesome") to allow any request to font-awesome

[attached image: Policy Control allow rules with https://fonts.*.com and r:.*awesome.*]
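As an added illustration of the rule semantics described in both posts (the https://*.nl-style allow rules from the first post and the https://fonts.*.com / r: rules from the second), and not code from Policy Control itself: a small Python model of how such an allow-list decides a sub-request. The rule grammar, the request-type names and the tiny suffix table are all assumptions made here; the model also shows why a host-anchored wildcard does not cover a look-alike domain that merely contains ".nl".

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the public-suffix list: only the two-label suffixes named in the thread.
TWO_LABEL_SUFFIXES = {"co.uk", "co.au", "co.nz"}
ALWAYS_BLOCKED = {"ping", "csp_report"}            # blocked for every origin in the first post's settings
THIRD_PARTY_BLOCKED = {"font", "plugin", "script", "frame", "xhr", "websocket"}

def site_of(host):
    """Registrable domain (eTLD+1) of a hostname, using the small suffix table above."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def rule_to_regex(rule):
    """Assumed rule grammar: 'r:<regex>' is searched anywhere in the URL; anything else is a
    scheme://host glob where '*' matches a run of non-slash characters and the host must end
    where the path begins, so 'https://*.nl' does not cover 'https://www.shop.nl.evil.xyz'."""
    if rule.startswith("r:"):
        return re.compile(rule[2:])
    scheme, _, host_glob = rule.partition("://")
    host_re = "[^/]*".join(re.escape(part) for part in host_glob.split("*"))
    return re.compile(rf"^{re.escape(scheme)}://{host_re}(?:[/:?#]|$)")

def decide(page_url, request_url, kind, allow_rules):
    """Return ('allow'|'block', reason) for one sub-request made by the page at page_url."""
    if kind in ALWAYS_BLOCKED:
        return "block", "blocked for every origin"
    page_site = site_of(urlsplit(page_url).hostname)
    req_site = site_of(urlsplit(request_url).hostname)
    if req_site == page_site:
        return "allow", "first-party"
    if kind not in THIRD_PARTY_BLOCKED:
        return "allow", "type not restricted"
    for rule in allow_rules:
        rx = rule_to_regex(rule)
        hit = rx.search(request_url) if rule.startswith("r:") else rx.match(request_url)
        if hit:
            return "allow", f"matched {rule}"
    return "block", "third-party, no allow rule"

if __name__ == "__main__":
    # Constructed sample session: a Dutch shop page and the sub-requests it triggers.
    rules = ["https://*.nl", "https://*.com", "https://fonts.*.com", "r:.*awesome.*"]
    page = "https://www.shop.nl/"
    for url, kind in [("https://www.shop.nl/app.js", "script"),
                      ("https://cdn.widgets.com/lib.js", "script"),
                      ("https://fonts.gstatic.com/a.woff2", "font"),
                      ("https://www.shop.nl.evil.xyz/x.js", "script"),
                      ("https://www.shop.nl/csp-report", "csp_report")]:
        print(kind, url, *decide(page, url, kind, rules))
```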
