Security Articles

• 

  Getting lively with Firefox 90

  As the summer rolls around for those of us in the northern hemisphere, temperatures are high and unwinding with a cool ice tea is high on the agenda. Isn't it lucky then that Background Update is here for Windows, which means Firefox can update even if it's not running. We can just sit back and relax! Also this release we see a few nice JavaScript additions, including private fields and methods for classes, and the at() method for Array, String and TypedArray global objects. This blog post just provides a set of highlights.

  Posted on July 13, 2021
• 

  Eliminating Data Races in Firefox – A Technical Report

  We successfully deployed ThreadSanitizer in the Firefox project to eliminate data races in our remaining C/C++ components. In the process, we found several impactful bugs and can safely say that data races are often underestimated in terms of their impact on program correctness. We recommend that all multithreaded C/C++ projects adopt the ThreadSanitizer tool to enhance code quality.

  Posted on April 6, 2021
• 

  Browser fuzzing at Mozilla

  Mozilla has been fuzzing Firefox and its underlying components for a while. It has proven itself to be one of the most efficient ways to identify quality and security issues. In general, we apply fuzzing on different levels: there is fuzzing the browser as a whole but a significant amount of time is also spent on fuzzing isolated code (e.g. with libFuzzer) or even whole components such as the JS engine using separate shells with various fuzzers. For the purpose of this blog post, we will talk specifically about browser fuzzing only, and go into detail on the pipeline we’ve developed.

  Posted on February 9, 2021
• 

  Changes to SameSite Cookie Behavior – A Call to Action for Web Developers

  Browsers are changing the default value of the SameSite attribute for cookies from None to Lax. This will greatly improve security for users. However, some web sites may depend (even unknowingly) on the old default, potentially resulting in site breakage. At Mozilla, we are slowly introducing this change. And we urge web developers to test their sites with the new default.

  Posted on August 4, 2020
• 

  Safely reviving shared memory

  At Mozilla, we want the web to be capable of running high-performance applications so that users and content authors can choose the safety, agency, and openness of the web platform. Shared-memory multi-threading is an essential low-level building block for high-performance applications. However, keeping users safe is paramount, which is why shared memory and high-resolution timers were effectively disabled at the start of 2018, in light of Spectre. Until now...

  Posted on July 21, 2020
• 

  Securing Gamepad API

  As part of Mozilla’s ongoing commitment to improve the privacy and security of the web platform, over the next few months, we will be making some changes to the Gamepad API. Starting with Firefox 81, the Gamepad API will be restricted to what are known as “secure contexts.”

  Posted on July 1, 2020
• 

  Fuzzing Firefox with WebIDL

  Fuzzing, or fuzz testing, is an automated approach for testing the safety and stability of software. For the past 3 years, the Firefox fuzzing team has been developing a new fuzzer to identify security vulnerabilities in the implementation of WebAPIs in Firefox. This fuzzer leverages the WebAPIs’ own WebIDL definitions as a fuzzing grammar.

  Posted on April 30, 2020
• 

  Twitter Direct Message Caching and Firefox

  Distinguished engineer Martin Thomson explains how this problem occurred, the implications for people who might be affected, and how problems of this nature might be avoided in future. To get there, we need to dig a little into how web caching works.

  Posted on April 3, 2020
• 

  Security means more with Firefox 74

  The release of Firefox 74 is focused on security enhancements: Feature Policy, the Cross-Origin-Resource-Policy header, and removal of TLS 1.0/1.1 support. We’ve also got some new CSS text property features, the JS optional chaining operator, and additional 2D canvas text metric features, along with the usual wealth of DevTools enhancements and bug fixes.

  Posted on March 10, 2020
• 

  Securing Firefox with WebAssembly

  Protecting the security and privacy of individuals is a central tenet of Mozilla’s mission. While we continue to make extensive use of both sandboxing and Rust in Firefox to address security challenges in the browser, each has its limitations. Today we’re adding a third approach to our arsenal. RLBox, a new sandboxing technology developed by researchers at the University of California, San Diego, and the University of Texas, Austin, allows us to quickly and efficiently convert existing Firefox components to run inside a WebAssembly sandbox.

  Posted on February 25, 2020