The NoScript extension for Firefox mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing authentication & payloads from POST requests sent by untrusted sites to trusted ones. The Application Boundary Enforcer module in NoScript also blocks requests sent from internet pages to local sites (e.g. localhost), preventing CSRF attacks on local services (such as uTorrent) or routers.

The Self Destructing Cookies extension for Firefox does not directly protect from CSRF, but can reduce the attack window, by deleting cookies as soon as they are no longer associated with an open tab.

website developers and extension authors

1. Disabling concrete extension update. That's what I wanted! You can do this by editing the extensions manifest json-file on Windows: C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<EXTENSION-ID>\<VERSION>\manifest.json (find out the extensions ID by enabling developer mode in the extension settings page) on Ubuntu for Chromium: ${HOME}/.config/chromium/Default/Preferences In this file set "update_url" property to something invalid like "https://localhost" for example. For now according to given url updating of that extension is simply impossible.

Add-ons that are intended for internal or private use, are only accessible to a closed user group, or for distribution testing may not be listed on AMO. Such add-ons may be uploaded for self-distribution instead.

I usually write example code that is for both Chrome and Firefox WebExtensions.

You can also turn off personalization for your browser by installing the Interest-Based Ads Opt Out extension.

open source browser extension that can automatically answer pop-ups based on user-customizable preferences.It’s called Consent-o-Matic — and there are versions available for Firefox and Chrome.

Second, uBlock Origin does not have a dedicated server, it can't "phone home" with your browsing data, there is only GitHub, and GitHub is completely unrelated to uBlock Origin.

AdNauseam

6.2 Extension IDs Each extension has an extension ID that follows the browserext:// protocol. For example browserext://MyExtension_c1wakc4j0nefm/options.html browserext://dfcijpibodeoenkablikbkiobbdnkfki/options.html The algorithms that generate these IDs are different for each browser. To access these resources, do not hardcode the ID generated by a particular browser. Instead, use the runtime.getURL() method to convert a relative file name or path to the absolute name or path, which includes the extension ID.

When we first set out to identify malicious extensionsour expectation was to find banking trojans and pass-word stealers that duplicated the strategies pioneered byZeus and SpyEye. In practice, the abusive extensionecosystem is drastically different from malicious bina-ries. Monetization hinges on direct or indirect relation-ships with syndicated search partners and ad injection af-filiate programs, some of which earn millions of dollarsfrom infected users [37]. Miscreants derive wealth fromtrafficanduser targetingrather than the computing re-sources or privileged access mediated via the browser. Itmay simply be that the authors of malicious binaries havelittle incentive (or external pressure) to change, leavingextensions to a distinct set of actors. This uncertainty isa strong motivation for exploring the extension ecosys-tem further.