Connect with us

Hi, what are you looking for?


Application Security

Firefox 90 Adds Cross-Origin Protections, Advanced Tracker Blocker

Mozilla this week pushed Firefox 90 to the stable channel with several security improvements, including better protections against cross-origin threats and an advanced tracker blocking mechanism.

Mozilla this week pushed Firefox 90 to the stable channel with several security improvements, including better protections against cross-origin threats and an advanced tracker blocking mechanism.

The open-source browser refresh is currently rolling out with support for Fetch Metadata Request Headers, which means that web applications can better protect users against cross-site request forgery (CSRF), cross-site leaks (XS-Leaks), and speculative cross-site execution side channel attacks (such as Spectre).

With the newly introduced feature, web application servers can distinguish between same-origin and cross-origin requests, allowing them to reject or ignore malicious requests based on the information delivered in  Sec-Fetch-* HTTP request headers.

“In total there are four different Sec-Fetch-* headers: Dest, Mode, Site and User which together allow web applications to protect themselves and their end users against the previously mentioned cross-site attacks,” Mozilla explained.

[ Related: Firefox 88 Combats Cross-Site Tracking to Improve User Privacy ]

The open-source group is also planning to introduce a new Site Isolation Security Architecture to address some of the aforementioned issues, yet the newly introduced mechanism is meant to provide web applications of all types with a defense in depth mechanism.

Firefox 90 also arrives with a new version of SmartBlock, the tracker blocking mechanism that Firefox Private Browsing and Strict Mode offer. The updated mechanism now allows users to login with Facebook on the websites they want, while still blocking other Facebook scripts and ensuring increased privacy protection.

Advertisement. Scroll to continue reading.

“SmartBlock 2.0 provides this new capability on numerous websites. On all websites where you haven’t signed in, Firefox continues to block scripts from Facebook that would be able to track you. That’s right — you don’t have to choose between being protected from tracking or using Facebook to sign in,” Mozilla added.

In addition to these new security features, Firefox 90 brings patches for a total of 9 vulnerabilities, including five rated high severity and four medium risk. These include a use-after-free bug, an out-of-bounds write, a use-after-free in an outdated library, override-able HSTS errors, the ability to overlay text on top of other websites, various memory safety bugs, and two vulnerabilities specific to Android only.

In a separate advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged both users and system administrators to review Firefox 90’s release notes and update to the new browser release as necessary.

“Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Firefox 88 Combats Cross-Site Tracking to Improve User Privacy

Related: New Firefox Feature Ups the Ante Against Cookie-Based Tracking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...