uBlock Origin security concerns

[MasterInQuestion]

    Follow-Up: https://bugzilla.mozilla.org/show_bug.cgi?id=1754301#c13

    Some explanation should be made on uBlock Origin's threat model:
    uBlock Origin has to deal with untrustable filter lists. (most of the filter lists are not carefully audited)
    Thus why it shouldn't allow arbitrary manipulation from untrusted sources.

    Didn't manage to realize all this when, for things are too messily defined...

    Perhaps uBO needs a better definition:
    [
    Browser extension extending the capability of browser: much capable as the browser self.
    May much manipulate the browsing at will.
    With restrictions on directives from untrusted sources. ]

    And a warning for filter lists:
    [
    For practical reasons, not all enlisted may be adequately audited.
    These are considered untrusted and limited in directives' capability.
    Blindly adding such to trusted may cause security havoc.
    Worst scenario: effectively having a spying browser. ]


=== Related ===

    [ Quote gorhill @ CE 2022-10-29 12:37:16 UTC:
https://github.com/uBlockOrigin/uBlock-issues/issues/2347#issuecomment-1295824667
    [ Add a scriptlet to set any of data attribute src of img ]
    "sites are now in ongoing cat-and-mouse game"
<^>    Meaning that if I would add such scriptlets (which is frowned upon here security-wise because it's about creating information which didn't exist), those sites would move to doing something else which would render those worrying scriptlets pointless? ]

    [ Quote gorhill @ CE 2019-05-17 11:19:35 UTC:
https://github.com/uBlockOrigin/uBlock-issues/issues/577#issuecomment-493418524
    [ Support for "replace=" AdGuard filters ]
    Also, just like "rewrite", there are security concerns to be had when giving filter list maintainers the ability to insert new text in the content of a resource. ]
<.>    https://github.com/gorhill/uBlock/commit/7c3e060c017a7e832314ef67c624ebbb20e52473

    ABP's "$rewrite" filter option
    https://github.com/uBlockOrigin/uBlock-issues/issues/46#issuecomment-391190533
<.>    https://github.com/gorhill/uBlock/commit/0b5f53923fc4fd7e6927ce57cd9226a61bcbdb88

    Surprisingly, it supports: seemingly both.
    Despite the previously proclaimed: https://old.reddit.com/r/uBlockOrigin/comments/pc9huw#hahbf1s
    .
    Though mostly poorly documented (to almost entirely undocumented...) that had to lookup the source to notice:
    https://github.com/gorhill/uBlock/blob/2da9f0b03fb550dc969805ce0f131063492b4969/src/js/static-filtering-parser.js#L266-L270
    #L1491-L1492 ("NODE_TYPE_NET_OPTION_NAME_REPLACE")
    #L3002-L3003 ("parseReplaceValue")
    https://adguard.com/kb/general/ad-filtering/create-own-filters/#replace-modifier

    And additionally barred behind an obscure Advanced settings... ("trustedListPrefixes")
    https://github.com/gorhill/uBlock/commit/64c1f8767ca42c6c0681f571ae87a20343c12b19


    uBlock, I exfiltrate: exploiting ad blockers with CSS
    https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css


    |*| AdGuard and uBlock Origin overshoot their purpose and are becoming a security risk
    |*.1| https://webcache.googleusercontent.com/search?hl=en&q=cache:https://malwaretips.com/threads/adguard-and-ublock-origin-overshoot-their-purpose-and-are-becoming-a-security-risk.124647/
    |*.2| https://webcache.googleusercontent.com/search?hl=en&q=cache:https://malwaretips.com/threads/adguard-and-ublock-origin-overshoot-their-purpose-and-are-becoming-a-security-risk.124647/page-2
    |*.3| https://web.archive.org/web/20231205131210/https://cc.bingj.com/cache.aspx?d=4721638260023451&w=1eoUGt1N6v1jJwXL1qgMtrAKXTVviOe3
    [ User Max90 somehow become non-existent on MalwareTips recently... ]

    [ Quote Max90 @ CE 2023-07-21 09:17:20 UTC:
https://malwaretips.com/threads/124647/post-1050319
    ... these extensions get way to much functionality. ...
    Although these extensions themselves are open source (and trustworthy) they have so much functionality that is possible to re-design and re-program webpages.
    ...
    That is why I have decided to enable my content blocker only a few websites and let NextDNS and Edge build-in tracking protection do the filtering for me.
    I think the capabilities of the content blockers like AG and uBO have gone haywire.
    I do trust the extension developers, but can I trust the filter maintainers? ]
<^>    Why such over-concern?
    Technically the browser and the OS, hardware, infrastructure builders may as well do the same, and only better.
    It's just not worthy to do so.

    Far greater attack surface:
    People accustomed to installing random apps and making thoughtless operation...
    .
    See also: https://github.com/MasterInQuestion/talk/discussions/8#discussioncomment-7609546

    [ Quote Max90 @ CE 2023-07-25 08:49:10 UTC:
https://malwaretips.com/threads/124647/post-1050706
    Most people don't understand what they do and average users don't use them. ]
<^>    (so advanced features shouldn't exist...)
    Would this really mitigate the knowledge gap?
    Were everyone silly, shall the world then become a better place..?
    .
    Wishing self drunk, would the whole world drunk too?


    uBlock Origin also has express endorsement of Mozilla. [1]
    With each its regular release additionally verified by the extension store. (thus the "Review pending")
[ [1]
    https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
    "Firefox only recommends add-ons that meet our standards for security and performance."
    https://support.mozilla.org/en-US/kb/add-on-badges#w_recommended-extensions ]
    .
    Which means the extension is very much as trustworthy as the browser self.

    Meh...
    https://addons.mozilla.org/en-US/firefox/addon/read-aloud/
    https://web.archive.org/web/20210924045611/https://github.com/ken107/read-aloud/issues/232