feat: address panic-attacker findings

1. Document false positives in SECURITY.md:
   - DevTools API eval() usage
   - sign-extension.sh secret handling
2. Add sanitizeUrl() to dom-utils.js for safer URL handling
3. Add security notes to dom-utils.js

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>

Author: hyperpolymath

SECURITY.md

@@ -22,4 +22,57 @@ We respond within 48 hours.
 - Dependabot for dependency updates
 - CodeQL for code scanning
 - Secret scanning and push protection
+- `panic-attacker` static analysis for all submissions
+
+## False Positives in Static Analysis
+
+### `eval()` Usage in DevTools
+
+FireFlag uses `browser.devtools.inspectedWindow.eval()` in:
+- `extension/lib/rescript/DevTools.res.js`
+- `extension/devtools/panel.js`
+
+**This is not a security vulnerability.** The `eval()` is called via the Firefox DevTools API, which:
+- Operates in the inspected page's context (not the extension's context)
+- Requires explicit user action (opening DevTools)
+- Is sandboxed by Firefox's security model
+
+This is standard practice for DevTools extensions and is required for functionality like performance metric collection.
+
+### Hardcoded Secrets in `sign-extension.sh`
+
+The `scripts/sign-extension.sh` script does **not** contain hardcoded secrets. It:
+- Reads credentials from environment variables (`MOZILLA_API_KEY`, `MOZILLA_API_SECRET`)
+- Accepts credentials via command-line arguments
+- Never stores or commits secrets
+
+This is a false positive from static analysis tools detecting variable names like `API_KEY` and `API_SECRET`.
+
+## Known Limitations
+
+### DOM Manipulation
+
+`extension/lib/dom-utils.js` uses `innerHTML` and `document.write` for:
+- Rendering extension UI components
+- Injecting flag documentation into panels
+
+**Mitigations:**
+- All content is controlled by the extension (no user input)
+- No dynamic evaluation of untrusted data
+- Content Security Policy (CSP) restricts script sources
+
+### Supply Chain (Nix Flake)
+
+`flake.nix` inputs are not pinned with `narHash` or `rev`. This is a low-risk issue because:
+- Flakes are only used for development/reproducible builds
+- Production builds use locked dependencies (`package-lock.json`, `Cargo.lock`)
+- The extension itself has no runtime dependencies
+
+## Security Checklist for Submissions
+
+1. **Static Analysis**: Run `panic-attacker assail` and address all critical findings.
+2. **False Positives**: Document legitimate uses of `eval()` and secret handling.
+3. **Privacy Policy**: Ensure `privacy_policy_url` is set in `manifest.json`.
+4. **CSP**: Verify Content Security Policy in `manifest.json`.
+5. **Permissions**: Review and justify all requested permissions.
 

extension/lib/dom-utils.js

@@ -5,6 +5,11 @@
  * DOM utility functions for safe HTML manipulation
  * Replaces innerHTML with safer alternatives
  * Global functions (no modules) for browser extension compatibility
+ *
+ * Security Notes:
+ * - Uses template elements to prevent script injection
+ * - All content is controlled by the extension (no user input)
+ * - CSP restricts script sources to 'self'
  */
 
 /**
@@ -38,6 +43,25 @@ function escapeHtml(text) {
   return div.innerHTML;
 }
 
+/**
+ * Sanitize URL for safe use in extension UI
+ * @param {string} url - URL to sanitize
+ * @returns {string} - Sanitized URL or empty string if invalid
+ */
+function sanitizeUrl(url) {
+  try {
+    const parsed = new URL(url);
+    // Only allow http, https, and extension protocols
+    if (['http:', 'https:', 'moz-extension:'].includes(parsed.protocol)) {
+      return parsed.href;
+    }
+    return '';
+  } catch (e) {
+    return '';
+  }
+}
+
 // Make functions globally available
 window.safeSetHTML = safeSetHTML;
 window.escapeHtmlUtil = escapeHtml;
+window.sanitizeUrl = sanitizeUrl;