Mozilla has blocked execution of all inline scripts and potentially dangerous eval-like functions for built-in “about: pages”, in an effort to protect its users from code injection. These are the gateway to sensitive preferences, settings, and statics of the browser. The decision was made in order to mitigate a large class of potential cross-site scripting issues in Firefox.
According to Christoph Kerschbaumer, Mozilla’s platform security and privacy enginner, changes will not affect the way websites work on the Firefox browser. Still, Mozilla promissed to “closely audit and evaluate” the usages of harmful functions in 3rd-party extensions and other built-in mechanisms.