Mozilla, the developer of Firefox, said it has removed features from the browser that could have given attackers an opportunity for code injection.
Developers removed inline scripts from the browser’s about: pages, which display the internal state of the browser, and removed eval() and similar functions from the browser’s privileged code, said content security lead Christoph Kerschbaumer.
The browser’s about: pages display information such as installed plug-ins or the state of various browser settings.
“If an attacker manages to inject code into such an about: page, it potentially allows an attacker to execute the injected script code in the security context of the browser itself, hence allowing the attacker to perform arbitrary actions on the behalf of the user,” Kerschbaumer said in a blog post.
Instead, script for those pages runs only when it is loaded from a packaged resource via the internal chrome: protocol, Kerschbaumer said.
“Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” he wrote.
‘Powerful but dangerous’
Eval() parses a string and executes it as code in the security context of its caller, which makes it a significant attack surface for code injection, he said.
To reduce the risk, the team rewrote all uses of eval() and similar functions in system-privileged contexts and in the parent process of the Firefox codebase, and added assertions that disallow eval()-like functions in system-privileged script contexts.
This was in part intended to discourage developers from using the function.
Kerschbaumer said Mozilla’s tests unexpectedly found that some users were relying on eval() and other such features to customise the browser.
“When we detect that the user has enabled such tricks, we will disable our blocking mechanism and allow usage of eval(),” he wrote.
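The following is an added example, not Mozilla’s code or the assertions in the Firefox codebase. It illustrates the three points above in working JavaScript: why eval() of a string an attacker can influence amounts to code injection, a data-only alternative (JSON.parse), and a guard in the spirit of the assertions Kerschbaumer describes, where eval-like entry points in a stand-in for a privileged scope refuse to run unless the user has explicitly enabled customisations. The setting values, the `privilegedScope` object and the function names are all hypothetical, constructed for this example.

```javascript
// Added example (not Mozilla's code). Names and sample data are hypothetical.

// Constructed sample: a preference value that an about: page might render.
// The first is benign; the second carries injected code that runs if the
// value ever reaches eval() in privileged script.
const BENIGN_SETTING = "42";
const INJECTED_SETTING = 'globalThis.injected = "attacker code ran"; 42';

// Dangerous: the string is compiled and run with the caller's privileges.
// Both inputs return 42, but the second also executes its payload.
function parseWithEval(input) {
  return eval(input);
}

// Safe alternative: JSON.parse only ever yields data; code in the string is
// a syntax error, so the payload is rejected instead of executed.
function parseAsData(input) {
  try {
    return JSON.parse(input);
  } catch (e) {
    return null;
  }
}

// Which calls count as eval-like: eval(), the Function constructor, and
// setTimeout()/setInterval() when handed a string, which they compile
// exactly as eval() would.
function isEvalLikeCall(name, args) {
  if (name === "eval" || name === "Function") return true;
  if (name === "setTimeout" || name === "setInterval") return typeof args[0] === "string";
  return false;
}

// Wraps a scope so that eval-like calls throw unless the user has enabled
// customisations (the opt-out described in the article). Every decision is
// appended to `log` so the behaviour can be audited.
function guardPrivilegedScope(scope, { userCustomization = false, log = [] } = {}) {
  const guarded = Object.create(scope);
  for (const name of ["eval", "Function", "setTimeout", "setInterval"]) {
    if (typeof scope[name] !== "function") continue;
    guarded[name] = (...args) => {
      if (isEvalLikeCall(name, args)) {
        if (!userCustomization) {
          log.push({ name, action: "blocked" });
          throw new Error(`${name}() is not allowed in a privileged context`);
        }
        log.push({ name, action: "allowed (user customization)" });
      }
      return scope[name](...args);
    };
  }
  return guarded;
}

// Hypothetical stand-in for a privileged global. Indirect eval runs at global
// scope; the setTimeout stand-in runs its handler synchronously for simplicity.
const privilegedScope = {
  eval: (src) => (0, eval)(src),
  Function: (...params) => new Function(...params),
  setTimeout: (handler, _ms) => (typeof handler === "string" ? (0, eval)(handler) : handler()),
};

// Exercises the guard in both modes and returns what happened.
function demo() {
  const log = [];
  const locked = guardPrivilegedScope(privilegedScope, { log });
  let blocked = false;
  try {
    locked.eval(INJECTED_SETTING);
  } catch (e) {
    blocked = true; // default mode: eval() in privileged scope is refused
  }
  locked.setTimeout(() => {}, 0); // a function handler is not eval-like, so it is allowed
  const open = guardPrivilegedScope(privilegedScope, { userCustomization: true, log });
  const viaFunction = open.Function("return 6 * 7")(); // allowed once the user opted in
  return { blocked, viaFunction, log };
}
```

Running `demo()` shows the default guard refusing eval() while still permitting a function-valued setTimeout() handler, and the same guard letting the Function constructor through once `userCustomization` is set; comparing `parseWithEval(INJECTED_SETTING)` with `parseAsData(INJECTED_SETTING)` shows why moving privileged code from eval() to data-only parsing removes the injection path rather than merely narrowing it.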
As part of its ongoing security development, Mozilla recently announced DNS-over-HTTPS (DoH), a feature designed to bolster users’ privacy, but said it would not switch the feature on by default for users in the UK.
The UK government had raised concerns that DoH could make it more difficult for law enforcement to track the web usage of suspects.