Mozilla Hardens Firefox Against Injection Attacks

Mozilla this week announced that it has reduced Firefox's attack surface for code injection by removing potentially dangerous artifacts, namely inline scripts and eval()-like functions, from the browser's own code.


The first codebase change concerns the built-in about: pages that ship with Firefox, which expose an interface to the browser's internal state. The best known of them is about:config, which lets Firefox users customize the browser.


Because these about: pages are implemented in HTML and JavaScript, they are exposed to the same classes of vulnerability as regular web pages, including code injection.


The consequences are worse than on an ordinary web page, however: about: pages run with the privileges of the browser rather than those of a web origin. If an attacker can inject code into one of them, that code executes in the security context of the browser itself and can ultimately perform arbitrary actions on behalf of the user.


Mozilla says it has now rewritten all inline event handlers and moved all inline JavaScript into packaged files across the 45 about: pages in Firefox.


This made it possible to apply a strict Content Security Policy (CSP) such as ‘default-src chrome:’, which blocks injected JavaScript from executing. Without an ‘unsafe-inline’ source expression, a CSP refuses both inline script blocks and inline event handlers, and the chrome: scheme source permits only scripts loaded from Firefox's own packaged resources.


“Instead, JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” Mozilla content security tech lead Christoph Kerschbaumer explains. 
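As an added illustration (this is not Mozilla's code and not Firefox's CSP implementation), the following JavaScript does two things a practitioner checking such a rewrite would want: it lints markup for the inline script bodies and on* handler attributes that had to move into packaged files, and it evaluates a simplified CSP source list against script loads to show what ‘default-src chrome:’ admits and rejects. The markup, the chrome://browser/content/aboutExample.js path and the attacker URL are constructed for the example; the matcher covers only the source expressions named in its comments (no nonces, hashes, ports, paths or wildcards).

```javascript
// Added illustration, not Mozilla's code: a lint pass that finds the inline
// script and inline event handlers a policy like `default-src chrome:` blocks,
// and a simplified CSP source-list matcher that shows why they are blocked.
// Supported source expressions: 'none', 'self', 'unsafe-inline', *, scheme:,
// and scheme://host. Nonces, hashes, ports, paths and wildcards are omitted.

// Parse "default-src chrome:; script-src 'none'" into a name -> sources map.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// load is { inline: true } for a <script> body or an on* handler, or
// { inline: false, url } for a script fetched from url.
// docOrigin (e.g. 'https://example.org') is only consulted for 'self'.
function sourceMatches(expr, load, docOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (load.inline) return e === "'unsafe-inline'"; // only 'unsafe-inline' lets inline code run
  const url = new URL(load.url);
  if (e === "'unsafe-inline'") return false;
  if (e === '*') return true; // simplification: real CSP excludes data:, blob:, filesystem:
  if (e === "'self'") return docOrigin !== undefined && url.origin === docOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. chrome:
  if (e.includes('://')) { // host-source with an explicit scheme
    const allowed = new URL(e);
    return url.protocol === allowed.protocol && url.host === allowed.host;
  }
  return url.host === e; // bare host-source
}

// script-src governs script loads and falls back to default-src; with neither
// present the policy places no restriction on scripts.
function scriptAllowed(policy, load, docOrigin) {
  const sources = (() => {
    const d = parseCsp(policy);
    return d.get('script-src') ?? d.get('default-src');
  })();
  if (sources === undefined) return true;
  return sources.some((expr) => sourceMatches(expr, load, docOrigin));
}

// Find inline <script> bodies and on*= handler attributes in markup: the
// artifacts that must move into packaged files before the policy can apply.
function findInlineScript(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const handlerRe = /\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*')/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== '') {
      findings.push({ kind: 'inline-script', text: m[2].trim() });
    }
  }
  while ((m = handlerRe.exec(html)) !== null) {
    findings.push({ kind: 'inline-handler', text: `${m[1]}=${m[2]}` });
  }
  return findings;
}

// Constructed markup for a hypothetical about: page (not a real Firefox file).
// Before: a handler attribute and a script body live in the HTML itself.
const BEFORE = `<button id="reset" onclick="resetPrefs()">Reset</button>
<script>function resetPrefs() { /* ... */ }</script>`;

// After: the HTML only references a packaged script, which registers the
// handler itself, e.g. document.getElementById('reset').addEventListener('click', resetPrefs).
const AFTER = `<button id="reset">Reset</button>
<script src="chrome://browser/content/aboutExample.js"></script>`;

const POLICY = 'default-src chrome:';

function main() {
  console.log('inline artifacts before:', findInlineScript(BEFORE).map((f) => f.kind));
  console.log('inline artifacts after: ', findInlineScript(AFTER).map((f) => f.kind));
  for (const load of [
    { inline: true },
    { inline: false, url: 'chrome://browser/content/aboutExample.js' },
    { inline: false, url: 'https://attacker.example/payload.js' },
  ]) {
    console.log(JSON.stringify(load), '=>', scriptAllowed(POLICY, load) ? 'allowed' : 'blocked');
  }
}
main();
```

Under ‘default-src chrome:’ the inline handler, the inline script body and the attacker-hosted script are all blocked, and only the chrome: resource is allowed; adding ‘unsafe-inline’ to the source list would re-admit the inline code, which is exactly what the rewrite of the about: pages avoids having to do.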


The second change in Firefox concerns the JavaScript function eval(), which parses and executes an arbitrary string as code in the security context of the code that called it. While it allows for the execution of runtime-generated code and that of code stored i ..
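As an added illustration (not Mozilla's code), the following JavaScript shows why an eval() over caller-influenced input is a code-injection sink, beside a lookup that returns the same data without evaluating anything. The `state` object, the `readPref*` functions and the payload are constructed for the example and do not correspond to any Firefox API.

```javascript
// Added illustration, not Mozilla's code: eval() over a caller-controlled
// string runs whatever that string contains, in the caller's scope; the
// hardened version walks the same data with a validated path instead.
// `state` is a constructed stand-in for internal browser state.
const state = {
  prefs: { homepage: 'about:home' },
  session: { token: 'constructed-secret-token' },
};

// Vulnerable: a dotted path is spliced into source text and evaluated. The
// caller can append any statement, and it runs with access to this module's
// scope, including parts of `state` the function was never meant to expose.
function readPrefUnsafe(path) {
  return eval('state.prefs.' + path);
}

// Hardened: the path must match a strict grammar, is walked as data from a
// fixed root, and own-property checks keep it off the prototype chain.
const PATH_RE = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
function readPrefSafe(path) {
  if (typeof path !== 'string' || !PATH_RE.test(path)) {
    throw new TypeError(`rejected path: ${JSON.stringify(path)}`);
  }
  let cur = state.prefs;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Constructed payload: a legitimate-looking path followed by a second
// statement. eval() returns the value of the last statement it executed.
const PAYLOAD = 'homepage; state.session.token';

function demo() {
  const results = { unsafe: readPrefUnsafe(PAYLOAD) };
  try {
    results.safe = readPrefSafe(PAYLOAD);
  } catch (err) {
    results.safe = `rejected (${err.constructor.name})`;
  }
  return results;
}
console.log(demo());
```

The unsafe variant hands back the session token for a request that looks like a preference read; the hardened variant rejects the string before anything is executed, and even a well-formed path such as `__proto__.polluted` or `session.token` yields undefined because the walk is confined to own properties under the fixed root.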
