Mozilla protects Firefox users from injection attacks on about: pages


Mozilla will protect Firefox users from injection attacks on about: pages. The team does this by moving inline scripts to packaged files. Mozilla has also rewritten the eval()-like scripts in the browser.

The 45 about: pages in Firefox provide an interface for displaying the browser’s internal state. One of these pages is about:config, which exposes an interface to an API that lets Firefox users customize their browser to their liking. These about: pages are implemented with HTML and JavaScript and are subject to the same security model as normal web pages. They are therefore not immune to injection attacks. When attackers succeed in injecting code into Firefox’s about: pages, they can make changes to the browser’s own security features.

To protect users, Mozilla rewrote all inline event handlers and moved all inline JavaScript code to packaged files. This allows Mozilla to apply a stronger content security policy (CSP). This includes, for example, the new policy “default-src chrome:”, which prevents injected code from executing. JavaScript code can now only be executed when it is loaded from packaged files through the internal chrome: protocol. Disallowing inline code in about: pages, Mozilla says, provides a good first line of defense against code-injection attacks.
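The following lint pass is an added example, not Mozilla's code. It flags the three things that a “default-src chrome:” policy refuses to run: inline script bodies, inline event handlers, and scripts loaded from anything other than a chrome: URL. The function name, the sample markup and the chrome://example/ path are constructed for illustration.

```javascript
// Added example: audit page markup against the policy "default-src chrome:".
// Regex scanning only approximates HTML parsing; it is meant as a lint pass.
const ALLOWED_SCHEME = "chrome:"; // the only source the policy permits

function auditPage(html) {
  const findings = [];

  // 1. <script> elements: inline bodies are blocked, external ones must be chrome:.
  //    Relative URLs are flagged too, since only explicit chrome: URLs are accepted here.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (!src) {
      const body = m[2].trim();
      if (body !== "") findings.push({ kind: "inline-script", detail: body.slice(0, 40) });
    } else if (!src[1].toLowerCase().startsWith(ALLOWED_SCHEME)) {
      findings.push({ kind: "disallowed-src", detail: src[1] });
    }
  }

  // 2. Inline event handlers (onclick=, onload=, ...) on any opening tag.
  for (const tag of html.matchAll(/<[a-z][^>]*>/gi)) {
    for (const attr of tag[0].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: "inline-handler", detail: attr[1].toLowerCase() });
    }
  }
  return findings;
}

// Constructed sample markup (not Firefox source): a page before and after the rewrite.
const before = `<button onclick="reset()">Reset</button>
<script>function reset() { /* ... */ }</script>
<script src="https://example.invalid/x.js"></script>`;

const after = `<button id="reset">Reset</button>
<script src="chrome://example/content/page.js"></script>`;

for (const [name, html] of [["before", before], ["after", after]]) {
  const found = auditPage(html);
  console.log(name, found.length === 0 ? "clean" : found);
}
```

In the rewritten page the click handler is attached from inside the packaged script, so the markup carries no executable code of its own.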

Mozilla has also rewritten eval()-like functions in Firefox to restrict the use of this JavaScript function. Functions like eval() are very powerful but at the same time dangerous, Mozilla says. Eval stands for evaluate, which is exactly what the eval() function does: it evaluates a piece of code and executes it. It also allows code stored in locations outside of scripts to run, which leaves it open to code-injection attacks. Mozilla recommends against using the eval() function and favors safer alternatives. The team has also added checks in the code that do not allow the use of eval()-like functions in system-privileged contexts. This allows Mozilla to detect the use of eval() code.

The about:config page in Firefox
