Frederik Braun mozfreddyb

View GitHub Profile
@mozfreddyb
mozfreddyb / make-ni-uri.py
Created September 29, 2014 09:22
Computes the sha256 digest of the given file names and prints them in a ni URL.
#!/usr/bin/env python
from sys import argv
import hashlib
from base64 import urlsafe_b64encode
from mimetypes import guess_type
from os.path import basename
def get_mimetype(filename):
    mt = guess_type(filename)[0]
time | time in CPOWs | name
2154860μs | 0μs | Firefox Developer Tools Adapters
117456μs | 0μs | [System Principal], file:///home/freddy/.mozilla/firefox/4bvglb2b.nightly-chrome-debugger/extensions/fxdevtools-adapters@mozilla.org/bootstrap.js (from: resource://gre/modules/addons/XPIProvider.jsm:4322)
517796μs | 0μs | [System Principal], resource://gre/modules/commonjs/sdk/addon/runner.js (from: resource://gre/modules/commonjs/toolkit/loader.js:241)
19288μs | 0μs | [System Principal], resource://gre/modules/commonjs/sdk/self.js (from: resource://gre/modules/commonjs/toolkit/loader.js:241)
4401μs | 0μs | [System Principal], resource://gre/modules/commonjs/sdk/preferences/service.js (from: resource://gre/modules/commonjs/toolkit/loader.js:241)
12029μs | 0μs | [System Principal], resource://gre/modules/commonjs/sdk/net/url.js (from: resource://gre/modules/commonjs/toolkit/loader.js:241)
2035μs | 0μs | [System Principal], resource://gre/modules/commonjs/sdk/core/promise.js (from: resource://gre/modules/commonjs/toolkit/loader.js:241)
mozfreddyb / fix-unsanitized-violations.js
Last active June 2, 2017 18:29
Doesn't fix, but comments out violations of a specific eslint rule
#!/usr/bin/env nodejs
var fs = require('fs');
var vobj;
const DISABLE_NEXT_LINE = "// eslint-disable-next-line ";
fs.readFile('build/gecko/inline-violations.json', 'utf8', function (err, data) {
    if (err) throw err; // we'll not consider error handling for now
// for use within chrome://passwordmgr/content/passwordManager.xul
// this is the title of the CSV data
var csv = `"hostname", "username", "password"`;
// the signons variable already exists when the document is loaded.
// looping through all entries, called e.
for (var e of signons) {
    // JSON.stringify properly adds quotes, regardless of what characters the entries contain.
    // so for every entry, take e.hostname, e.username, e.password and turn them into a quoted string
mozfreddyb / log.txt
Created December 10, 2018 08:33
content security data for a top level URL load
[Child 10890: Main Thread]: D/CSMLog doContentSecurityCheck {
[Child 10890: Main Thread]: D/CSMLog channelURI: http://example.com/
[Child 10890: Main Thread]: D/CSMLog HTTP Method: GET
[Child 10890: Main Thread]: D/CSMLog loadingPrincipal: nullptr
[Child 10890: Main Thread]: D/CSMLog triggeringPrincipal: SystemPrincipal
[Child 10890: Main Thread]: D/CSMLog principalToInherit: NullPrincipal
[Child 10890: Main Thread]: D/CSMLog RedirectChain:
[Child 10890: Main Thread]: D/CSMLog internalContentPolicyType: 6
[Child 10890: Main Thread]: D/CSMLog externalContentPolicyType: 6
[Child 10890: Main Thread]: D/CSMLog upgradeInsecureRequests: false
mozfreddyb / log.txt
Created December 10, 2018 08:34
content security data for a top level about:blank load
[Child 10890: Main Thread]: D/CSMLog doContentSecurityCheck {
[Child 10890: Main Thread]: D/CSMLog channelURI: about:blank
[Child 10890: Main Thread]: D/CSMLog loadingPrincipal: nullptr
[Child 10890: Main Thread]: D/CSMLog triggeringPrincipal: SystemPrincipal
[Child 10890: Main Thread]: D/CSMLog principalToInherit: NullPrincipal
[Child 10890: Main Thread]: D/CSMLog RedirectChain:
[Child 10890: Main Thread]: D/CSMLog internalContentPolicyType: 6
[Child 10890: Main Thread]: D/CSMLog externalContentPolicyType: 6
[Child 10890: Main Thread]: D/CSMLog upgradeInsecureRequests: false
[Child 10890: Main Thread]: D/CSMLog initalSecurityChecksDone: false
mozfreddyb / log.txt
Created December 10, 2018 08:36
content security data for top level load of about:addons (plus some extra in between)
[Parent 10611: Main Thread]: D/CSMLog doContentSecurityCheck {
[Parent 10611: Main Thread]: D/CSMLog channelURI: about:addons
[Parent 10611: Main Thread]: D/CSMLog loadingPrincipal: nullptr
[Parent 10611: Main Thread]: D/CSMLog triggeringPrincipal: SystemPrincipal
[Parent 10611: Main Thread]: D/CSMLog principalToInherit: NullPrincipal
[Parent 10611: Main Thread]: D/CSMLog RedirectChain:
[Parent 10611: Main Thread]: D/CSMLog internalContentPolicyType: 6
[Parent 10611: Main Thread]: D/CSMLog externalContentPolicyType: 6
[Parent 10611: Main Thread]: D/CSMLog upgradeInsecureRequests: false
mozfreddyb / weekly_release.py
Created August 14, 2019 14:02 — forked from alicegoldfuss/weekly_release.py
Weekly Release Script
#!/usr/local/bin/python3
import requests
import json
from twilio.rest import Client
HEADERS = {'Accept': 'application/vnd.github.inertia-preview+json'}
GH_TOKEN = "XXX" # Your auth token from https://github.com/settings/tokens
TW_SID = "XXX" # Your Account SID from twilio.com/console
TW_TOKEN = "XXX" # Your Auth Token from twilio.com/console
mozfreddyb / innerhtml-hook.js
Last active November 6, 2019 08:55
inspect assignments to innerHTML
/* inject via
ppmm.loadFrameScript("data:,<js source>", true);
(where ppmm is the message manager, e.g. in shell.js)
framescript documentation explains why this works[1] and
the message manager docs[2] explain that the parent process
manager defined as ppmm in shell.js[3] can be used.
[1] https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Frame_script_loading_and_lifetime
mozfreddyb / principals-reference.md
Last active August 3, 2020 11:29
reference sheet for principals in mozilla code

Reference Sheet for Principals in Mozilla Code

Note: This is the "reference sheet" version. The details and the big picture are covered in Understanding Web Security Checks in Firefox (Part 1).

Principals as a level of privilege

A security context is always using one of these four kinds of Principals:

  • ContentPrincipal: This principal is used for typical web pages and can be serialized to an origin URL, e.g., https://example.com/
  • NullPrincipal: Some pages are never same-origin with anything else, e.g., an <iframe sandbox> or documents loaded with a data: URI. The standard calls this an opaque origin.
  • SystemPrincipal: The SystemPrincipal is used for the browser's user interface, commonly referred to as "browser chrome". Pages like about:preferences use the SystemPrincipal.