Both documents critisize that chrome://URI is whitelisted in Noscript thus allowing any XSS injection there. As an example they mention the Update Scanner extension which renders updated content within a chrome privileged window thus allowing an XSS injection by a maliciouos site. I'm not sure if the Noscript XSS protection would cover this - and if it would, which drawbacks we would have to suffer from.Extensions can be installed by the user, either through the Add-on Manager or via a web page.They also can be installed by an external “dropper” program. Once installed, they can hide their
presence by mis-using a number of features provided by Firefox, or worse yet by “infecting” a signed and thus presumably trustworthy extension. There are many features of extensions that
make them attractive as attack vectors; their use of JavaScript allows platform-independent payload code to be easily written, they can run as a browser thread obfuscating them from anti-virus software,
and “noisy” operations such as creating a process or editing a registry key can be avoided. Once installed and properly hidden they have read/write access to the Document Object Model
(DOM) providing them with the ability to alter user-space web content. This is particularly dangerous because the browser is in an unique position to have plaintext access to sensitive user information, such
as passwords for online banking web applications or credit card numbers used for online shopping. Extensions also have access to the username/password pairs stored in Firefox's
password manager, read/write access to the file system, and access to client and server sockets. All of these features equate for the ability for a malicious extension to be
easily or even silently installed within a browser, to conceal itself from the user, display viral behavior by modifying or injecting code into other signed extensions, sniff and modify web content “on-the-fly”,
avoid detection not only by traditional polymorphism but by running within in the context of the browser, communicate to the network using presumably benign and unfiltered protocols such as
HTTP/HTTPS and rest on the plausible assumption that most users will start the browser instead of modifying the operating system to ensure that they are run.
These documents were published in 2009, and I'm aware of the new Mozilla Add-on Review Process which has been implemented in the meantime (and which is probably also a reaction to this criticism, I guess). There will also be changes in Jetpack (see here and here). Nevertheless, since I'm not familiar with the Firefox internals I would be interested in Giorgio's opinion about this issue in general and the reproaches against Noscript in particular.