Inside Mozilla's Firefox 4 Security

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Open source browser vendor Mozilla is readying an ambitious new release of its Firefox Web browser. The third beta of Firefox 4, set to debut sometime this month, is expected to include more stability, features and performance improvements over earlier versions.

Among the areas that Mozilla is focusing on with Firefox 4 are a number of new security features that it says will make the browser even more secure than earlier versions. The new Firefox 4 browser development comes as rival Microsoft pushes its Internet Explorer 9 platform forward and Google continues to accelerate its Chrome browser development.

One of the new security features in Firefox 4 is the Content Security Policy (CSP) effort.

"Content security policy is focused on Cross Site Scripting (XSS) mitigation so it prevents injected scripts from actually running," Brandon Sterne, security program manager at Mozilla, told InternetNews.com. "The site gets to declare a policy that the Firefox browser will then apply to the page and then any content that hasn't been blessed by the site won't be loaded or executed."

Sterne noted that in addition to helping to prevent XSS, the CSP system will also help to mitigate clickjacking attacks as well. In clickjacking, an attacker embeds a login for a site on a third-party site where it doesn't belong, which then enables the attacker to get access he or she shouldn't have. CSP is designed to limit the risk of clickjacking attacks by letting site administrators set a policy specifying where their site content may be framed and where it can't.

In addition to the XSS prevention capabilities with CSP, Mozilla is also providing a reporting mechanism for CSP violations.

"It's an early warning system that is built into CSP, so a site can specify a URI that will be pinged when violations occur," Sterne said.

Additionally Sterne explained that sites can choose to enable a report-only mode for CSP.

"So for sites that don't want to turn all of CSP on, they can generate a policy, run it in report-only mode so that nothing will be blocked -- but they will get notification of violations," Sterne said.

With CSP, Sterne said Mozilla is trying to build the technology to become a W3C specification that all browsers could choose to benefit from. Johnathan Nightingale, director of Firefox at Mozilla told InternetNews.com that Mozilla has already had some interest from Microsoft and Google about CSP.

In terms of getting Web developers to use CSP, Sterne noted that Mozilla is working on documentation and resources to help enable adoption.

History security

Firefox 4 will also provide users with a fix for a long standing flaw in CSS that can enable attackers to identify the sites users have visited. An attacker could potentially leverage the information about a user's site visits as part of a broader attack.

The solution that Firefox 4 is implementing is such that the individual user will still be able to see based on color which links have been visited, but external websites will not.

Sid Stamm security researcher at Mozilla told InternetNews.com that all links will look unvisited to websites and scripts beyond the user's own web browser.

He added that users today can just turn off visited links, but with the new feature in Firefox 4, Mozilla is giving users another option to help protect their privacy.

General availability of Firefox 4 is set for the end of the year.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.