Okay, I get why this change sounds great, but I'm pretty sure a consequence is that password managers will no longer autofill on Entra sign-in pages. That will likely lead to weaker credentials or weaker storage of them. That feels like a net loss.

UPDATE: All's well, mostly. Because of the way that extension-based password managers add their content, they should be exempted from this policy. Basically, if they don't add inline scripts, they're golden. KeePassXC and Bitwarden do not; I presume 1Password does not either. Sorry for the false alarm.

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/enhance-protection-of-microsoft-entra-id-authentication-by-blocking-external-scr/4435200

Enhance protection of Microsoft Entra ID authentication by blocking external script injection | Microsoft Community Hub

Microsoft is further enhancing security of the Microsoft Entra ID authentication experience by blocking external script injection. [Action may be required]

@mttaggart Isn't the extension code authorized anyway by the browser?!
@eragon The site decides the Content Security Policy and absolutely can prevent extension code from messing with it.
@mttaggart Yeah but that is ultimately enforced by the browser.
The browser can ignore the CSP or modify it.
Surely this can be done.
@eragon A browser ignoring a CSP based on what criteria? This is the way to reintroduce the very vulnerabilities this fix intends to mitigate. No, this isn't the way. There's a middle ground with CSPs and that's the way to go.

@mttaggart @eragon it seems like the CSP spec itself advocates for extensions to be exempt from the page CSP
https://www.w3.org/TR/CSP/#extensions

At the same time this does not seem to be implemented (correctly) in browsers, see e.g.
https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

Would be wild if a regular page could tell my user-agent to basically disable e.g. my ad-blocker extension

@robo9k @eragon So this is nuanced. The spec absolutely does say that, and for example chrome-extension:// scheme resources are exempt in Chrome! But that's not quite what is happening here.

If the extension injects inline JS into the document, that script would be subject to the CSP, and that's the rub. I'll have to check which extensions do this, but some definitely do.
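To make the distinction in that post concrete, here is an added, simplified model (not code from the thread, Microsoft, or any extension) of how a page's `script-src` policy is evaluated against scripts an extension adds. The policy string, the page origin and the extension URL are constructed; the exemption of extension schemes is modelled as a fixed list rather than any browser's real logic.

```javascript
// Constructed policy in the style of the one discussed; not the real Entra header.
const POLICY = "script-src 'self' 'nonce-abc123' https://cdn.example.com; style-src 'self'";
const PAGE = "https://login.example.test"; // constructed page origin

// Schemes the user agent treats as extension resources and exempts from the page
// CSP (the spec's "extensions" clause); modelled here as a fixed list.
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:"];

function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name] = sources;
  }
  return directives;
}

// script is either { inline: true, nonce?: string } or { src: "<url>" }.
// Returns true if the script would be allowed to run under the policy.
function scriptAllowed(header, script, pageOrigin) {
  const sources = parsePolicy(header)["script-src"] || [];
  if (script.inline) {
    // Inline scripts, including ones an extension injects into the page DOM,
    // run only with 'unsafe-inline' or a matching nonce; otherwise blocked.
    if (sources.includes("'unsafe-inline'")) return true;
    return script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`);
  }
  const url = new URL(script.src);
  // Extension-scheme resources bypass the page policy entirely.
  if (EXTENSION_SCHEMES.includes(url.protocol)) return true;
  for (const s of sources) {
    if (s === "'self'") { if (url.origin === pageOrigin) return true; continue; }
    if (s.startsWith("'")) continue;          // other keywords handled above
    if (url.origin === s) return true;        // simplified host-source match (no wildcards/paths)
  }
  return false;
}

const cases = [
  ["extension injects an inline <script>", scriptAllowed(POLICY, { inline: true }, PAGE)],
  ["extension loads chrome-extension:// script", scriptAllowed(POLICY, { src: "chrome-extension://abcdef/content.js" }, PAGE)],
  ["page's own nonce'd inline script", scriptAllowed(POLICY, { inline: true, nonce: "abc123" }, PAGE)],
  ["script from a host not in the policy", scriptAllowed(POLICY, { src: "https://unlisted.example.net/x.js" }, PAGE)],
];
for (const [label, ok] of cases) console.log(`${ok ? "ALLOWED" : "BLOCKED"}  ${label}`);
```

Run with `node`; the first case is the one that breaks an extension relying on inline injection, while the second shows why extension-sourced resources are unaffected.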

@mttaggart @eragon if I understand correctly that means the new Entra CSP would then only block password manager extensions that rely on injecting inline scripts

External scripts also seem to be against extension best practices
https://extensionworkshop.com/documentation/develop/build-a-secure-extension/

It feels like this change is only an issue for password manager extensions that currently have fragile implementations to begin with?

Build a secure extension

Learn best practices to build a secure Firefox extension. Protect your users and your add-on by implementing key security and privacy measures.

@robo9k @eragon Looks like you are correct! I checked out Bitwarden and KeePassXC, and they do not add inline scripts. The stylesheets are chrome-extension:// sourced, so those should be exempt. I will update the original post.

@mttaggart @eragon thanks for checking those extensions and updating the OP!

I only have passing knowledge of web extensions, but counterintuitively having to recommend a weaker CSP due to ecosystem deficits in the current year gave me pause, so good to have a chat and one less piece of bad news :)