In an work to mitigate a big class of probable cross-web site scripting problems in Firefox, Mozilla has blocked execution of all inline scripts and perhaps risky eval-like capabilities for developed-in “about: internet pages” that are the gateway to sensitive tastes, configurations, and statics of the browser.
Firefox browser has 45 these types of internal locally-hosted about web pages, some of which are stated beneath that you might have observed or used at some level:
- about:config — panel to modify Firefox preferences and vital options.
- about:downloads — your new downloads performed inside Firefox.
- about:memory — exhibits the memory usage of Firefox.
- about:newtab — the default new tab webpage.
- about:plugins — lists all your plugins as properly as other handy information and facts.
- about:privatebrowsing — open up a new personal window.
- about:networking — shows networking information and facts.
To be pointed out, these alterations do not have an affect on how internet websites from the Web do the job on the Firefox browser, but likely forward, Mozilla vows to “carefully audit and appraise” the usages of unsafe features in 3rd-bash extensions and other crafted-in mechanisms.
“Not allowing any inline script in any of the about: pages restrictions the attack area of arbitrary code execution and hence delivers a robust initially line of defense from code injection attacks,” Mozilla said in a web site article revealed before nowadays.
NO EVAL, NO EVIL!
So, in addition to inline scripts, Mozilla has also taken out and blocked eval-like functions, which the browser maker thinks is one more “risky instrument,” as it parses and executes an arbitrary string in the very same protection context as itself.
“If you operate eval() with a string that could be influenced by a destructive social gathering, you may perhaps stop up managing destructive code on the user’s machine with the permissions of your webpage/extension,” Mozilla describes on its MDN net docs.
Google also shares the exact same assumed, as the tech giant says, “eval is perilous inside an extension simply because the code it executes has access to almost everything in the extension’s superior-authorization atmosphere.”
For this, Mozilla rewrote all use of eval-like functions from technique privileged contexts and the guardian approach in the codebase of its Firefox internet browser.
Apart from this, the corporation also included eval() assertions that will disallow the use of eval() function and its relatives in process-privileged script contexts, and notify the Mozilla Protection Group of nevertheless unknown scenarios of eval().