Where did you install Firefox from? Help Mozilla uncover 3rd party websites that offer problematic Firefox installation by taking part in our campaign. There will be swag, and you'll be featured in our blog if you manage to report at least 10 valid reports!

Avatar for Username

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

Learn More

In a hacked computer, using Firefox, I see the content-security-policy for chatgpt includes chrome-extension://iaiigpefkbhgjcmcmffmfkpmhemdhdnj Would this extension be installed in the computer?

  • 3 réponses
  • 0 a ce problème
  • 6 vues
  • Dernière réponse par cor-el

cybertrapped
cybertrapped
more options

Below is the content-security-policy Firefox loads for chatGPT:

default-src 'self'; script-src 'self' 'nonce-eec8ce04-1f27-4481-8ed6-b8f877eef280' 'wasm-unsafe-eval' chatgpt.com/ces https://*.chatgpt.com https://*.chatgpt.com/ https://*.oaistatic.com https://api.openai.com https://chat.openai.com https://chatgpt.com/ https://chatgpt.com/backend-anon https://chatgpt.com/backend-api https://chatgpt.com/graphql https://chatgpt.com/public-api https://chatgpt.com/voice https://jidori.g1.internal.services.openai.org https://oaistatic.com https://snc.apps.openai.com https://snc.chatgpt.com/backend/se https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ wss://*.chatgpt.com wss://*.chatgpt.com/; script-src-elem 'self' 'nonce-eec8ce04-1f27-4481-8ed6-b8f877eef280' 'sha256-RvbVrdDS11FSnQaULCOgXPA5u0nMP2Im1d2pGiRBGC4=' 'sha256-eMuh8xiwcX72rRYNAGENurQBAcH7kLlAUQcoOri3BIo=' auth0.openai.com challenges.cloudflare.com chatgpt.com/ces https://*.chatgpt.com https://*.chatgpt.com/ https://*.oaistatic.com https://api.openai.com https://apis.google.com https://chat.openai.com https://chatgpt.com/ https://chatgpt.com/backend-anon https://chatgpt.com/backend-api https://chatgpt.com/graphql https://chatgpt.com/public-api https://chatgpt.com/voice https://docs.google.com https://jidori.g1.internal.services.openai.org https://js.live.net/v7.2/OneDrive.js https://oaistatic.com https://snc.apps.openai.com https://snc.chatgpt.com/backend/se https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ https://www-onepick-opensocial.googleusercontent.com wss://*.chatgpt.com wss://*.chatgpt.com/; img-src * 'self' blob: data: https: https://docs.google.com https://drive-thirdparty.googleusercontent.com https://ssl.gstatic.com; style-src 'self' 'unsafe-inline' chatgpt.com/ces https://*.chatgpt.com https://*.chatgpt.com/ https://*.oaistatic.com https://api.openai.com https://chat.openai.com https://chatgpt.com/ https://chatgpt.com/backend-anon https://chatgpt.com/backend-api https://chatgpt.com/graphql https://chatgpt.com/public-api https://chatgpt.com/voice https://jidori.g1.internal.services.openai.org https://oaistatic.com https://snc.apps.openai.com https://snc.chatgpt.com/backend/se https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ wss://*.chatgpt.com wss://*.chatgpt.com/; font-src 'self' data: https://*.oaistatic.com https://fonts.gstatic.com; connect-src 'self' *.oaiusercontent.com api-iam.intercom.io api-js.mixpanel.com browser-intake-datadoghq.com chatgpt.com/ces fileserviceuploadsperm.blob.core.windows.net http://0.0.0.0:* http://localhost:* https://*.chatgpt.com https://*.chatgpt.com/ https://*.oaistatic.com https://api.onedrive.com https://api.openai.com https://chat.openai.com https://chatgpt.com/ https://chatgpt.com/backend-anon https://chatgpt.com/backend-api https://chatgpt.com/graphql https://chatgpt.com/public-api https://chatgpt.com/voice https://content.googleapis.com https://docs.google.com https://events.statsigapi.net https://featuregates.org https://graph.microsoft.com https://jidori.g1.internal.services.openai.org https://oaistatic.com https://snc.apps.openai.com https://snc.chatgpt.com/backend/se https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ https://www.googleapis.com o33249.ingest.sentry.io statsigapi.net wss://*.chatgpt.com wss://*.chatgpt.com/ wss://*.intercom.io wss://*.webpubsub.azure.com; frame-src challenges.cloudflare.com https://*.sharepoint.com https://content.googleapis.com https://docs.google.com https://onedrive.live.com https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ js.stripe.com; worker-src 'self' blob:; media-src blob: 'self' *.oaiusercontent.com fileserviceuploadsperm.blob.core.windows.net https://cdn.openai.com https://persistent.oaistatic.com; frame-ancestors chrome-extension://iaiigpefkbhgjcmcmffmfkpmhemdhdnj; report-to chatgpt-csp-new; report-uri https://browser-intake-datadoghq.com/api/v2/logs?dd-api-key=pub1f79f8ac903a5872ae5f53026d20a77c&dd-evp-origin=content-security-policy&ddsource=csp-report&ddtags=version%3Achatgpt-csp-new

Notice that it includes " frame-ancestors chrome-extension://iaiigpefkbhgjcmcmffmfkpmhemdhdnj"

Would this extension be installed in the computer, kind of like the extensions that are loaded from Chrome (i.e., C:\Users\myUser\AppData\Local\Google\Chrome\User Data\extensions_crx_cache)?

Thanx

Below is the content-security-policy Firefox loads for chatGPT: default-src 'self'; script-src 'self' 'nonce-eec8ce04-1f27-4481-8ed6-b8f877eef280' 'wasm-unsafe-eval' chatgpt.com/ces https://*.chatgpt.com https://*.chatgpt.com/ https://*.oaistatic.com https://api.openai.com https://chat.openai.com https://chatgpt.com/ https://chatgpt.com/backend-anon https://chatgpt.com/backend-api https://chatgpt.com/graphql https://chatgpt.com/public-api https://chatgpt.com/voice https://jidori.g1.internal.services.openai.org https://oaistatic.com https://snc.apps.openai.com https://snc.chatgpt.com/backend/se https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ wss://*.chatgpt.com wss://*.chatgpt.com/; script-src-elem 'self' 'nonce-eec8ce04-1f27-4481-8ed6-b8f877eef280' 'sha256-RvbVrdDS11FSnQaULCOgXPA5u0nMP2Im1d2pGiRBGC4=' 'sha256-eMuh8xiwcX72rRYNAGENurQBAcH7kLlAUQcoOri3BIo=' auth0.openai.com challenges.cloudflare.com chatgpt.com/ces https://*.chatgpt.com https://*.chatgpt.com/ https://*.oaistatic.com https://api.openai.com https://apis.google.com https://chat.openai.com https://chatgpt.com/ https://chatgpt.com/backend-anon https://chatgpt.com/backend-api https://chatgpt.com/graphql https://chatgpt.com/public-api https://chatgpt.com/voice https://docs.google.com https://jidori.g1.internal.services.openai.org https://js.live.net/v7.2/OneDrive.js https://oaistatic.com https://snc.apps.openai.com https://snc.chatgpt.com/backend/se https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ https://www-onepick-opensocial.googleusercontent.com wss://*.chatgpt.com wss://*.chatgpt.com/; img-src * 'self' blob: data: https: https://docs.google.com https://drive-thirdparty.googleusercontent.com https://ssl.gstatic.com; style-src 'self' 'unsafe-inline' chatgpt.com/ces https://*.chatgpt.com https://*.chatgpt.com/ https://*.oaistatic.com https://api.openai.com https://chat.openai.com https://chatgpt.com/ https://chatgpt.com/backend-anon https://chatgpt.com/backend-api https://chatgpt.com/graphql https://chatgpt.com/public-api https://chatgpt.com/voice https://jidori.g1.internal.services.openai.org https://oaistatic.com https://snc.apps.openai.com https://snc.chatgpt.com/backend/se https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ wss://*.chatgpt.com wss://*.chatgpt.com/; font-src 'self' data: https://*.oaistatic.com https://fonts.gstatic.com; connect-src 'self' *.oaiusercontent.com api-iam.intercom.io api-js.mixpanel.com browser-intake-datadoghq.com chatgpt.com/ces fileserviceuploadsperm.blob.core.windows.net http://0.0.0.0:* http://localhost:* https://*.chatgpt.com https://*.chatgpt.com/ https://*.oaistatic.com https://api.onedrive.com https://api.openai.com https://chat.openai.com https://chatgpt.com/ https://chatgpt.com/backend-anon https://chatgpt.com/backend-api https://chatgpt.com/graphql https://chatgpt.com/public-api https://chatgpt.com/voice https://content.googleapis.com https://docs.google.com https://events.statsigapi.net https://featuregates.org https://graph.microsoft.com https://jidori.g1.internal.services.openai.org https://oaistatic.com https://snc.apps.openai.com https://snc.chatgpt.com/backend/se https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ https://www.googleapis.com o33249.ingest.sentry.io statsigapi.net wss://*.chatgpt.com wss://*.chatgpt.com/ wss://*.intercom.io wss://*.webpubsub.azure.com; frame-src challenges.cloudflare.com https://*.sharepoint.com https://content.googleapis.com https://docs.google.com https://onedrive.live.com https://tcr9i.chat.openai.com https://tcr9i.chatgpt.com/ js.stripe.com; worker-src 'self' blob:; media-src blob: 'self' *.oaiusercontent.com fileserviceuploadsperm.blob.core.windows.net https://cdn.openai.com https://persistent.oaistatic.com; frame-ancestors chrome-extension://iaiigpefkbhgjcmcmffmfkpmhemdhdnj; report-to chatgpt-csp-new; report-uri https://browser-intake-datadoghq.com/api/v2/logs?dd-api-key=pub1f79f8ac903a5872ae5f53026d20a77c&dd-evp-origin=content-security-policy&ddsource=csp-report&ddtags=version%3Achatgpt-csp-new Notice that it includes " frame-ancestors chrome-extension://iaiigpefkbhgjcmcmffmfkpmhemdhdnj" Would this extension be installed in the computer, kind of like the extensions that are loaded from Chrome (i.e., C:\Users\myUser\AppData\Local\Google\Chrome\User Data\extensions_crx_cache)? Thanx

Toutes les réponses (3)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

Looks like this is part of how that website works about what frames to allow, so probably nothing to worry about.

Cela vous a-t-il été utile ?

cybertrapped
cybertrapped Auteur de la question
more options

cor-el, I accessed the webpage through https://chatgpt.com, not chat.openai.com.

I found your answer to be unhelpful and lacking depth. The content-security-policy (CSP) I mentioned above seems very suspicious, especially the connect-src http://0.0.0.0:* http://localhost:*. This suggests that a middleman might have modified the settings to reduce Firefox's security warnings.

For reference, here is some information from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors about the CSP frame-ancestors directive:

The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using `<frame>`, `<iframe>`, `<object>`, or `<embed>`.

Among other, sources can include "scheme-source": A scheme such as http: or https:. The colon is required and the scheme should not be quoted. Data schemes can also be specified (not recommended).

  • data: Allows data: URLs to be used as a content source. This is insecure as an attacker can inject arbitrary data: URLs. Use this sparingly and definitely not for scripts.
  • mediastream: Allows mediastream: URIs to be used as a content source.
  • blob: Allows blob: URIs to be used as a content source.
  • filesystem: Allows filesystem: URIs to be used as a content source.

I guess chrome-extension://iaiigpefkbhgjcmcmffmfkpmhemdhdnj is a scheme source. I am still wondering how Firefox would know where to pull the information from this source?

Cela vous a-t-il été utile ?

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

The chrome-extension:// protocol is used for Google Chrome extensions and doesn't apply to Firefox (Firefox uses moz-extension://), so if a website thinks that it needs a special CSP rule then you are better of asking this on a GC oriented forum or switch to another website if you disagree.

Cela vous a-t-il été utile ?

Poser une question

Vous devez vous identifier avec votre compte pour répondre aux messages. Veuillez poser une nouvelle question, si vous n’avez pas encore de compte.