INSUBCONTINENT EXCLUSIVE:
In a recent blog post on the Mozilla Security Blog, the Firefox-maker revealed the steps it has taken to protect users from code injection
Firefox codebase, including inline scripts and eval()-like functions, according to the firm's platform security and privacy engineer
Christoph Kerschbaumer.Inline scripts were removed in an effort to improve the protection of Firefox's 'about' protocol which is often
referred to as about: pages
These about: pages allow users to do things such as display network information, view how their browser is configured and see which plug-ins
they've installed.However, since these about: pages are written in HTML and JavaScript, they employ the same security used by web pages,
which are also vulnerable to code injection attacks
For instance, an attacker could inject code into an about:page and use it to change configuration settings in Firefox.To help protect
Firefox users against code injection attacks, Mozilla decided to rewrite all of its inline event handlers and to move all inline JavaScript
The company also set a strong Content Security Policy to make sure that any injected JavaScript code is unable to execute.Kerschbaumer
from a packaged resource using the internal chrome: protocol
Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong
By rewriting all eval()-like functions, the company has reduced the attack surface in Firefox further.Viz ZDNet
