Mozilla has blocked execution of all inline scripts and potentially dangerous eval-like functions for built-in “about: pages”, in an effort to protect its users from code injection. These are the gateway to sensitive preferences, settings, and statics of the browser. The decision was made in order to mitigate a large class of potential cross-site scripting issues in Firefox.
According to Christoph Kerschbaumer, Mozilla’s platform security and privacy enginner, changes will not affect the way websites work on the Firefox browser. Still, Mozilla promissed to “closely audit and evaluate” the usages of harmful functions in 3rd-party extensions and other built-in mechanisms.
Mozilla decided to rewrite its inline event handlers and move all inline JavaScript code for all of its 45 about: pages, to “packaged files”. Moreover, the company set a strong Content Security Policy (CSP) to be sure that the JavaScript code only executes when loaded from a packaged resource using the internal protocol.
“Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,”, Kerschbaumer mentioned.
The attackers use the JavaScritpt function and similar methods to trick the target applications into converting text into an executable JavaScript. Thus, they achieve code injection, when the attackers can not inject script directly. This is the reason for which Mozilla removed and blocked eval-like functions as this might be another “dangerous tool”.
