In an effort to mitigate a large class of potential cross-site scripting issues in Firefox, Mozilla has blocked execution of all inline scripts and potentially dangerous eval-like functions for the built-in “about: pages” that are the gateway to sensitive preferences, settings, and statistics of the browser.
The Firefox browser has 45 such internal, locally hosted about: pages; some that you may have noticed or used at some point are listed below:
- about:config — panel to modify Firefox preferences and critical settings.
- about:downloads — your recent downloads done within Firefox.
- about:memory — shows the memory usage of Firefox.
- about:newtab — the default new tab page.
- about:plugins — lists all your plugins as well as other useful information.
- about:privatebrowsing — open a new private window.
- about:networking — displays networking information.
Note that these changes do not affect how websites from the Internet work in Firefox. Going forward, however, Mozilla vows to “closely audit and evaluate” the use of harmful functions in third-party extensions and other built-in mechanisms.
Firefox Disabled Inline JavaScript for Security
Since all these pages are written in HTML/JavaScript and render in the security context of the browser itself, they are also prone to code injection attacks: should a vulnerability exist, a remote attacker could inject and execute arbitrary code on behalf of the user, i.e., a cross-site scripting (XSS) attack.
To add a robust first line of defense against code injection attacks, even when a vulnerability exists, Mozilla has blocked the execution of all inline scripts (and therefore of any injected scripts) by implementing a strict Content Security Policy (CSP) that ensures JavaScript only executes when loaded from a packaged resource over the internal protocol.
To achieve this, Mozilla had to rewrite all inline event handlers and move all inline JavaScript code out-of-line into separate packaged files for all 45 about: pages.
“Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” Mozilla said in a blog post published earlier today.
NO EVAL, NO EVIL!
When attackers cannot inject script directly, they turn to the JavaScript function eval() and similar methods, tricking the target application into converting attacker-influenced text into executable JavaScript to achieve code injection.
So, in addition to inline scripts, Mozilla has also removed and blocked eval-like functions, which the browser maker considers another “dangerous tool,” because such a function parses and executes an arbitrary string in the same security context as the code that calls it.
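To make the two mechanisms above concrete (a strict CSP that rejects inline script, and the refusal of eval-like functions), here is an added illustration, not Mozilla's code, that evaluates script requests against the script-src directive of a CSP header. It assumes the internal packaged-resource protocol is chrome: and models only scheme sources, host sources and the 'unsafe-*' keywords; nonces, hashes and 'self' are left out.

```javascript
// Added illustration (not Mozilla's code): a minimal evaluator for the
// script-src directive of a Content-Security-Policy, showing why a strict
// policy blocks inline scripts and eval() while a permissive one does not.
// Assumption: the "internal protocol" for packaged resources is chrome:.

// Permissive policy: inline script and eval are explicitly allowed.
const WEAK_CSP = "default-src chrome:; script-src chrome: 'unsafe-inline' 'unsafe-eval'";
// Strict policy of the kind the article describes: script only from chrome: URLs.
const STRICT_CSP = "default-src chrome:; script-src chrome:";

// Parse the header into {directive: [sources]}; script-src falls back to default-src.
function scriptSources(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives["script-src"] || directives["default-src"] || [];
}

// Decide whether one script request would run under the policy.
// request: {kind: "inline"} | {kind: "eval"} | {kind: "external", url}
// Simplified on purpose: nonces, hashes, 'self' and bare host sources are not modelled.
function isScriptAllowed(csp, request) {
  const sources = scriptSources(csp);
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  if (has("'none'")) return false;
  if (request.kind === "inline") return has("'unsafe-inline'");
  if (request.kind === "eval") return has("'unsafe-eval'");
  if (request.kind === "external") {
    const url = new URL(request.url);
    return sources.some((s) => {
      if (s === "*") return true;
      if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return url.protocol === s.toLowerCase(); // scheme-source
      try { return new URL(s).origin === url.origin; } catch { return false; } // host-source
    });
  }
  return false;
}

// Constructed demonstration: the same requests against both policies (URLs are made up).
const requests = [
  { kind: "inline" },
  { kind: "eval" },
  { kind: "external", url: "chrome://browser/content/example-page.js" },
  { kind: "external", url: "https://attacker.invalid/payload.js" },
];
for (const [name, csp] of [["weak", WEAK_CSP], ["strict", STRICT_CSP]]) {
  console.log(name, requests.map((r) => `${r.kind}${r.url ? " " + r.url : ""}: ${isScriptAllowed(csp, r)}`));
}
```

Under the strict policy only the chrome: resource is allowed, which is the property that makes an injected inline script or eval() payload inert even when an about: page has an injection bug.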
“If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user’s machine with the permissions of your webpage/extension,” Mozilla explains on its MDN web docs.
Google shares the same view; the company says, “eval is dangerous inside an extension because the code it executes has access to everything in the extension’s high-permission environment.”
To this end, Mozilla rewrote all uses of eval-like functions in system-privileged contexts and in the parent process of the Firefox codebase.
In addition, the company added eval() assertions that disallow the use of the eval() function and its relatives in system-privileged script contexts and report any as-yet-unknown instances of eval() to the Mozilla Security Team.