In an effort to mitigate a large class of potential cross-site scripting issues in Firefox, Mozilla has blocked execution of all inline scripts and potentially dangerous eval-like functions for built-in “about: pages,” which are the gateway to sensitive preferences, settings, and statistics of the browser.
The Firefox browser has 45 such internal, locally hosted about: pages. Some that you might have noticed or used at some point are listed below:
- about:config — panel to modify Firefox preferences and critical settings.
- about:downloads — your recent downloads done within Firefox.
- about:memory — shows the memory usage of Firefox.
- about:newtab — the default new tab page.
- about:plugins — lists all your plugins as well as other useful information.
- about:privatebrowsing — open a new private window.
- about:networking — displays networking information.
It should be noted that these changes do not affect how websites from the Internet work in the Firefox browser, but going forward, Mozilla vows to “closely audit and evaluate” the usage of harmful functions in third-party extensions and other built-in mechanisms.
“Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” Mozilla said in a blog post published earlier today.
NO EVAL, NO EVIL!
So, in addition to inline scripts, Mozilla has also removed and blocked eval-like functions, which the browser maker considers another “dangerous tool,” since eval() parses and executes an arbitrary string in the same security context as the code that calls it.
“If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user’s machine with the permissions of your webpage/extension,” Mozilla explains on its MDN web docs.
Google also shares the same thought, as the tech giant says, “eval is dangerous inside an extension because the code it executes has access to everything in the extension’s high-permission environment.”
For this, Mozilla rewrote all uses of eval-like functions in system-privileged contexts and the parent process in the codebase of its Firefox web browser.
Besides this, the company also added eval() assertions that disallow the use of the eval() function and its relatives in system-privileged script contexts, and inform the Mozilla Security Team of as yet unknown instances of eval().