Mozilla has disabled the execution of inline JavaScripts on Firefox as a defense against code injection attacks, by implementing strict Content Security Policies (CSP) that ensure all scripts are executed only when loaded from a packaged resource within the internal protocol.
The execution of inline scripts and also the potentially dangerous eval-like functions for Firefox inbuilt "about: pages" have often served as gateway to very sensitive preferences and settings on the browser, which in turn presents huge security risks. So Mozilla's blockade is an effort to mitigate such class of potential cross-site scripting (XSS) issues in the browser.
And given that web pages are written in HTML/JavaScript which in the security context of the browser, are also prone to such code injection attacks, and fully capable of allowing remote attackers to inject and execute arbitrary code by cross-site scripting attacks.
Albeit, the changes won't directly affect how websites work on the Firefox browser, but according to Mozilla, it will closely audit and evaluate the usage of harmful functions in third-party extensions and other inbuilt mechanisms.
Mozilla has promptly rewritten all use of eval-like functions from the system privileged contexts and parent processes in the codebase of Firefox browser. Additionally, the company has also added eval() assertions to disallow the use of eval() function and its derivatives in system-privileged script contexts.
No comments