Mozilla this week announced a reduced attack surface for code injection in Firefox through the removal of potentially dangerous artifacts such as occurrences of inline scripts and eval()-like functions.
The first codebase change impacts the built-in about:pages that Firefox ships with, and which were designed to provide an interface to the internal state of the browser. about:config is the best known of them, designed to help Firefox users customize the browser.
Given that these about: pages are implemented using HTML and JavaScript, they are prone to the same vulnerabilities as regular web pages, and are not safe from code injection attacks either.
Thus, if an attacker can inject code into an about: page, they can potentially execute the code in the security context of the browser itself, ultimately being able to perform arbitrary actions on the behalf of the user.
Now, Mozilla says they rewrote all inline event handlers and moved all inline JavaScript code to packaged files for all of the 45 about: pages in Firefox.
The result was the ability to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:,’ which prevents injected JavaScript code from executing.
“Instead JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol. Not allowing any inline script in any of the about: pages limits the attack surface of arbitrary code execution and hence provides a strong first line of defense against code injection attacks,” Mozilla content security tech lead Christoph Kerschbaumer explains.
The second change in Firefox impacts the JavaScript function eval(), which parses and executes an arbitrary string in the same security context as itself. While it allows for the execution of runtime-generated code and that of code stored in non-script locations, it also introduces attack surface for code injection.
“To further minimize the attack surface in Firefox and discourage the use of eval() we rewrote all use of ‘eval()’-like functions from system privileged contexts and from the parent process in the Firefox codebase. Additionally we added assertions, disallowing the use of ‘eval()’ and its relatives in system-privileged script contexts,” Kerschbaumer notes.
While making these changes, Mozilla also discovered that there were some calls to eval() outside of their codebase, due to an older mechanism that allowed users to execute their own JavaScript in the context of the browser.
The feature was meant for customizations at startup time, but is now considered a security risk. The mechanism has been removed, but users started using some other tricks to achieve the same customizations, including the use of eval. Thus, Firefox will disable the blocking mechanism and allow usage of eval() when such tricks are detected.
The eval() assertions will continue to inform the Mozilla Security Team of unknown instances of eval(), which will be closely audited and evaluated, and possibly restricted as the Firefox Security Landscape is hardened.
Related: DNS-over-HTTPS Coming to Firefox