Firefox Blocks Inline and Eval JavaScript on Internal Pages to Prevent Injection Attacks

In an work to mitigate a big class of probable cross-web site scripting problems in Firefox, Mozilla has blocked execution of all inline scripts and perhaps risky eval-like capabilities for developed-in “about: internet pages” that are the gateway to sensitive tastes, configurations, and statics of the browser.

Firefox browser has 45 these types of internal locally-hosted about web pages, some of which are stated beneath that you might have observed or used at some level:

  • about:config — panel to modify Firefox preferences and vital options.
  • about:downloads — your new downloads performed inside Firefox.
  • about:memory — exhibits the memory usage of Firefox.
  • about:newtab — the default new tab webpage.
  • about:plugins — lists all your plugins as properly as other handy information and facts.
  • about:privatebrowsing — open up a new personal window.
  • about:networking — shows networking information and facts.

To be pointed out, these alterations do not have an affect on how internet websites from the Web do the job on the Firefox browser, but likely forward, Mozilla vows to “carefully audit and appraise” the usages of unsafe features in 3rd-bash extensions and other crafted-in mechanisms.

Firefox Disabled Inline JavaScript for Security

Because all these webpages are composed in HTML/JavaScript and renders in the stability context of the browser itself, they are also inclined to code injection attacks that, in case of a vulnerability, could permit distant attackers to inject and execute arbitrary code on behalf of the person, i.e., cross-site scripting (XSS) assaults.

To incorporate a strong 1st line of defense towards code injection assaults, even when there is a vulnerability, Mozilla has blocked the execution of all inline scripts, thus injected scripts as properly, by employing a strict Written content Security Insurance policies (CSP) to guarantee the JavaScript code only executes when loaded from a packaged source working with the inner protocol.

To realize this, Mozilla had to rewrite all inline celebration handlers and move all inline JavaScript code out-of-line into different packaged data files for all 45 about: internet pages.

“Not allowing any inline script in any of the about: pages restrictions the attack area of arbitrary code execution and hence delivers a robust initially line of defense from code injection attacks,” Mozilla said in a web site article revealed before nowadays.


When attackers can not inject script specifically, they use the JavaScript perform eval() and similar approaches to trick the focus on purposes into changing text into an executable JavaScript to reach code injection.

So, in addition to inline scripts, Mozilla has also taken out and blocked eval-like functions, which the browser maker thinks is one more “risky instrument,” as it parses and executes an arbitrary string in the very same protection context as itself.

“If you operate eval() with a string that could be influenced by a destructive social gathering, you may perhaps stop up managing destructive code on the user’s machine with the permissions of your webpage/extension,” Mozilla describes on its MDN net docs.

Web Application Firewall

Google also shares the exact same assumed, as the tech giant says, “eval is perilous inside an extension simply because the code it executes has access to almost everything in the extension’s superior-authorization atmosphere.”

For this, Mozilla rewrote all use of eval-like functions from technique privileged contexts and the guardian approach in the codebase of its Firefox internet browser.

Apart from this, the corporation also included eval() assertions that will disallow the use of eval() function and its relatives in process-privileged script contexts, and notify the Mozilla Protection Group of nevertheless unknown scenarios of eval().

Fibo Quantum

Be the first to comment

Leave a Reply

Your email address will not be published.