Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Firefox 90 Adds Cross-Origin Protections, Advanced Tracker Blocker

Mozilla this week pushed Firefox 90 to the stable channel with several security improvements, including better protections against cross-origin threats and an advanced tracker blocking mechanism.

Mozilla this week pushed Firefox 90 to the stable channel with several security improvements, including better protections against cross-origin threats and an advanced tracker blocking mechanism.

The open-source browser refresh is currently rolling out with support for Fetch Metadata Request Headers, which means that web applications can better protect users against cross-site request forgery (CSRF), cross-site leaks (XS-Leaks), and speculative cross-site execution side channel attacks (such as Spectre).

With the newly introduced feature, web application servers can distinguish between same-origin and cross-origin requests, allowing them to reject or ignore malicious requests based on the information delivered in  Sec-Fetch-* HTTP request headers.

“In total there are four different Sec-Fetch-* headers: Dest, Mode, Site and User which together allow web applications to protect themselves and their end users against the previously mentioned cross-site attacks,” Mozilla explained.

[ Related: Firefox 88 Combats Cross-Site Tracking to Improve User Privacy ]

The open-source group is also planning to introduce a new Site Isolation Security Architecture to address some of the aforementioned issues, yet the newly introduced mechanism is meant to provide web applications of all types with a defense in depth mechanism.

Firefox 90 also arrives with a new version of SmartBlock, the tracker blocking mechanism that Firefox Private Browsing and Strict Mode offer. The updated mechanism now allows users to login with Facebook on the websites they want, while still blocking other Facebook scripts and ensuring increased privacy protection.

“SmartBlock 2.0 provides this new capability on numerous websites. On all websites where you haven’t signed in, Firefox continues to block scripts from Facebook that would be able to track you. That’s right — you don’t have to choose between being protected from tracking or using Facebook to sign in,” Mozilla added.

In addition to these new security features, Firefox 90 brings patches for a total of 9 vulnerabilities, including five rated high severity and four medium risk. These include a use-after-free bug, an out-of-bounds write, a use-after-free in an outdated library, override-able HSTS errors, the ability to overlay text on top of other websites, various memory safety bugs, and two vulnerabilities specific to Android only.

In a separate advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged both users and system administrators to review Firefox 90’s release notes and update to the new browser release as necessary.

“Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system,” CISA notes.

Related: Firefox 88 Combats Cross-Site Tracking to Improve User Privacy

Related: New Firefox Feature Ups the Ante Against Cookie-Based Tracking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...