In an effort to mitigate a large class of potential cross-site scripting issues in Firefox, Mozilla has blocked the execution of all inline scripts and of potentially dangerous eval-like functions for the built-in "about:" pages, the gateway to the browser's sensitive preferences, settings, and statistics. The restriction is enforced with a Content Security Policy applied to those pages, after the inline scripts and inline event handlers they used were moved into separate packaged script files.
The Firefox browser has 45 such internal, locally hosted about: pages; some that you may have noticed or used at some point are listed below:
- about:config — panel to modify Firefox preferences and critical settings.
- about:downloads — your recent downloads done within Firefox.
- about:memory — shows the memory usage of Firefox.
- about:newtab — the default new tab page.
- about:plugins — lists all your plugins as well as other useful information.
- about:privatebrowsing — open a new private window.
- about:networking — displays networking information.
Note that these changes do not affect how websites from the Internet work in Firefox, but going forward, Mozilla says it will "closely audit and evaluate" the use of harmful functions in third-party extensions and other built-in mechanisms.
Firefox Disabled Inline JavaScript for Security
Because all these pages are written in HTML and JavaScript and render in the security context of the browser itself, they are also prone to code injection: a bug in one of them could allow an attacker to inject and execute arbitrary script with the page's privileges, on behalf of the user, i.e., a cross-site scripting (XSS) attack. Refusing to run inline scripts and eval-like functions means that even if untrusted content does reach such a page, injected markup such as an inline script tag or an onclick handler does not execute; only script loaded from the browser's own packaged files does.
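To make the two halves of this hardening concrete, here is an added example (written for this page; it is not Mozilla's code and does not reproduce the exact policy Firefox ships for about: pages). The first function decides whether a given Content-Security-Policy string still lets inline scripts or eval-like functions run; the second scans markup for the inline script tags, inline event handlers, and javascript: URLs that such a policy would block, which is the audit Mozilla had to perform on its internal pages before enforcing the policy. The policy strings, the sample markup, and the function names are all assumptions constructed for the example.

```javascript
'use strict';

// Parse a CSP header value into a Map of directive name -> source expressions.
// As in the spec, a repeated directive is ignored: the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Keyword sources ('self', 'unsafe-inline', ...) are case-insensitive.
const isKeyword = (tok, kw) => tok.toLowerCase() === `'${kw}'`;
// Nonce and hash sources; their presence makes CSP ignore 'unsafe-inline'.
const isNonceOrHash = tok => /^'(nonce-|sha(256|384|512)-)/i.test(tok);

// Decide whether a policy lets inline scripts or eval-like functions run.
// script-src governs scripts; default-src is the fallback; with neither,
// the browser applies no script restrictions at all.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const effective = d.has('script-src') ? 'script-src'
                  : d.has('default-src') ? 'default-src' : null;
  if (effective === null) {
    return { effectiveDirective: null, inlineScriptAllowed: true, evalAllowed: true };
  }
  const sources = d.get(effective);
  const hasUnsafeInline = sources.some(t => isKeyword(t, 'unsafe-inline'));
  const hasNonceOrHash = sources.some(isNonceOrHash);
  return {
    effectiveDirective: effective,
    inlineScriptAllowed: hasUnsafeInline && !hasNonceOrHash,
    evalAllowed: sources.some(t => isKeyword(t, 'unsafe-eval')),
  };
}

// Find the markup a no-inline policy would refuse to execute. This is a
// regex-based audit aid, not an HTML parser, so treat hits as leads.
function findInlineScript(html) {
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    if (!/\bsrc\s*=/i.test(m[1])) findings.push({ kind: 'inline-script', snippet: m[0] });
  }
  for (const m of html.matchAll(/\son[a-z]+\s*=\s*["'][^"']*["']/gi)) {
    findings.push({ kind: 'inline-event-handler', snippet: m[0].trim() });
  }
  for (const m of html.matchAll(/\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/gi)) {
    findings.push({ kind: 'javascript-url', snippet: m[0] });
  }
  return findings;
}

// Constructed sample policies (assumptions for this example, not Firefox's
// actual about: page policy): a permissive one beside a hardened one.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const HARDENED_POLICY = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'";

// Constructed markup resembling an internal settings page before cleanup.
const SAMPLE_HTML = `<!doctype html>
<html><head>
  <script src="preferences.js"></script>
  <script>document.title = "Preferences";</script>
</head><body>
  <button id="reset" onclick="resetPref()">Reset</button>
  <a href="javascript:void(0)">Advanced</a>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak policy    :', auditCsp(WEAK_POLICY));
  console.log('hardened policy:', auditCsp(HARDENED_POLICY));
  for (const f of findInlineScript(SAMPLE_HTML)) console.log(`${f.kind}: ${f.snippet}`);
}
```

Against the sample markup the scanner reports one inline script, one inline event handler, and one javascript: URL; under the hardened policy none of the three would run, while the external `preferences.js` still loads because it matches `'self'`. The nonce/hash rule matters in practice: a policy that keeps `'unsafe-inline'` for legacy reasons but also carries a nonce is already strict, so the audit must look at the whole source list rather than grep for one keyword.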