Security Beefed Up with Firefox

Friday, October 6, 2017 @ 03:10 PM gHale


Mozilla will tighten security in its Firefox browser by strengthening its protection against cross-site scripting (XSS).

By using the data URL scheme, web developers can embed small files inline, directly in HTML or CSS documents.

Because of this mechanism, the browser doesn’t have to perform a large number of HTTP requests to load external resources, as they are already in the page.

The same holds true for bad guys, who can use data URLs to craft attack pages and steal usernames, passwords, and other confidential information from unsuspecting users.

By embedding the entire attack code within the data URL, bad guys can launch attacks without having to host a full website.

The data URL inherits the security context of the embedding element, and this inheritance model opens the door for XSS attacks.

To prevent these attacks, Firefox 57 will treat data URLs as unique origins, and they will no longer inherit the origin of the settings object responsible for the navigation, said Mozilla researcher Christoph Kerschbaumer in a post. That means data URLs loaded inside an iframe will no longer be same-origin with their parent document.

“Starting with Firefox 57, data URLs loaded inside an iframe will be considered cross-origin. Not only will that behavior mitigate the risk of XSS, it will also make Firefox standards compliant and consistent with the behavior of other browsers,” Kerschbaumer said.

Data URLs that do not end up creating a scripting environment will continue to be considered same-origin. Data URLs in img elements will be treated as such, Mozilla said.

Because of the new security setting, Firefox 57 will block attempts to reach content from a different origin, such as when a script within a data URL iframe attempts to access objects from the embedding context. In Firefox version 56 and older, this was possible because the data URLs inherited the security context.
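
The origin rule described above can be modeled in a few lines of JavaScript. This is an added example, not code from Mozilla or from the original article; the function names and sample URLs are assumptions made for illustration, and it covers only the iframe case.

```javascript
// Added illustration: a small model of origin assignment, not Firefox source code.
// All function names here are hypothetical.

let opaqueCounter = 0;

// An opaque (unique) origin only ever equals itself.
function opaqueOrigin() {
  return { opaque: true, id: ++opaqueCounter };
}

// Tuple origin (scheme, host, port) for ordinary URLs, via the WHATWG URL parser.
function tupleOrigin(url) {
  const u = new URL(url);
  return { opaque: false, scheme: u.protocol, host: u.hostname, port: u.port };
}

// Origin given to a document loaded from `url` inside an iframe whose
// embedder has `parentOrigin`.
// inheritDataUrls = true models Firefox 56 and older; false models Firefox 57.
function originFor(url, parentOrigin, inheritDataUrls) {
  if (new URL(url).protocol === 'data:') {
    return inheritDataUrls ? parentOrigin : opaqueOrigin();
  }
  return tupleOrigin(url);
}

function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b; // unique origins match only themselves
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Would script in the framed document be allowed to touch the embedder's objects?
function scriptCanReachParent(frameUrl, parentUrl, inheritDataUrls) {
  const parent = tupleOrigin(parentUrl);
  return sameOrigin(originFor(frameUrl, parent, inheritDataUrls), parent);
}

// Constructed sample values.
const PARENT = 'https://example.com/page.html';
const DATA_FRAME = 'data:text/html,<p>framed</p>';

console.log('Firefox <= 56 model:', scriptCanReachParent(DATA_FRAME, PARENT, true));  // true
console.log('Firefox 57 model:   ', scriptCanReachParent(DATA_FRAME, PARENT, false)); // false
```

In the Firefox 57 model, two data URL frames on the same page are also cross-origin with each other, because each one receives its own unique origin.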


