Ad Guardian PlusNews

Mozilla to protect its users from code injection


Mozilla has blocked execution of all inline scripts and potentially dangerous eval-like functions for built-in “about: pages”, in an effort to protect its users from code injection. These are the gateway to sensitive preferences, settings, and statics of the browser. The decision was made in order to mitigate a large class of potential cross-site scripting issues in Firefox.

According to Christoph Kerschbaumer, Mozilla’s platform security and privacy enginner, changes will not affect the way websites work on the Firefox browser. Still, Mozilla promissed to “closely audit and evaluate” the usages of harmful functions in 3rd-party extensions and other built-in mechanisms.

Mozilla decided to rewrite its inline event handlers and move all inline JavaScript code for all of its 45 about: pages, to “packaged files”. Moreover, the company set a strong Content Security Policy (CSP) to be sure that the JavaScript code only executes when loaded from a packaged resource using the internal protocol.

Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,”, Kerschbaumer mentioned.

The attackers use the JavaScritpt function and similar methods to trick the target applications into converting text into an executable JavaScript. Thus, they achieve code injection, when the attackers can not inject script directly. This is the reason for which Mozilla removed and blocked eval-like functions as this might be another “dangerous tool”.

Related posts
Ad Guardian PlusNews

Google removed 1.700 infected apps

Ad Guardian PlusNews

10.000 attacks per minute from Iran

NewsParenting Tips

Best Apps and Software To Observe Your Kid's Online Activities

NewsParenting Tips

10 Ways to Keep Kids Safe from Cyberbullying

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our
BitGuardian Newsletter

Stay updated with the latest security news and updates for the products you need.

Choose your favorite: