Firefox 90 Adds Cross-Origin Protections, Advanced Tracker Blocker

Mozilla this week pushed Firefox 90 to the stable channel with several security improvements, including better protections against cross-origin threats and an advanced tracker blocking mechanism.

The open-source browser refresh is currently rolling out with support for Fetch Metadata Request Headers, which means that web applications can better protect users against cross-site request forgery (CSRF), cross-site leaks (XS-Leaks), and speculative cross-site execution side channel attacks (such as Spectre).

With the newly introduced feature, web application servers can distinguish between same-origin and cross-origin requests, allowing them to reject or ignore malicious requests based on the information delivered in  Sec-Fetch-* HTTP request headers.

“In total there are four different Sec-Fetch-* headers: Dest, Mode, Site and User which together allow web applications to protect themselves and their end users against the previously mentioned cross-site attacks,” Mozilla explained.

[ Related: Firefox 88 Combats Cross-Site Tracking to Improve User Privacy ]

The open-source group is also planning to introduce a new Site Isolation Security Architecture to address some of the aforementioned issues, yet the newly introduced mechanism is meant to provide web applications of all types with a defense in depth mechanism.

Firefox 90 also arrives with a new version of SmartBlock, the tracker blocking mechanism that Firefox Private Browsing and Strict Mode offer. The updated mechanism now allows users to login with Facebook on the websites they want, while still blocking other Facebook scripts and ensuring increased privacy protection.

“SmartBlock 2.0 provides this new capability on numerous websites. On all websites where you haven’t signed in, Firefox continues to block scripts from Facebook that would be able to track you. That’s right — you don’t have to choose between being protected from tracking or using Facebook to sign in,” Mozilla added.

In addition to these new security features, Firefox 90 brings patches for a total of 9 vulnerabilities, including five rated high severity and four medium risk. These include a use-after-free bug, an out-of-bounds write, a use-after-free in an outdated library, override-able HSTS errors, the ability to overlay text on top of other websites, various memory safety bugs, and two vulnerabilities specific to Android only.

In a separate advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged both users and system administrators to review Firefox 90’s release notes and update to the new browser release as necessary.

“Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Firefox 88 Combats Cross-Site Tracking to Improve User Privacy

Related: New Firefox Feature Ups the Ante Against Cookie-Based Tracking