Firefox Security Newsletter/FSN-2022-Q4
Hello fellow Mozillians,
Security and Privacy build cornerstones of Mozilla’s manifesto, and they influence how we operate and build our products. Following are the highlights of our work from Q4 2022, grouped into the following categories:
- Firefox Product Security & Privacy, showcasing new Security & Privacy Features and Integrations in Firefox.
- Core Security, outlining Security and Hardening efforts within the Firefox Platform.
- Fuzzing, providing updates for automated security testing and analysis.
- Web Security, allowing websites to better protect themselves against online threats.
Preface
Note: Some of the bugs linked below might not be accessible to the general public and are still restricted to specific work groups. We de-restrict fixed security bugs after a grace-period, until the majority of our user population have received their updates. If a link does not work for you, please accept this as a precaution for the safety of all of our users.
Firefox Product Security & Privacy
Safety for New Capabilities with Site Permission Add-Ons: In order to bridge the gap between casual, risk-free browsing and new powerful device APIs, we are experimenting with a new permission pattern: Site Permission Add-Ons allow users to grant access to new APIs for a specific website only. As a first experiment towards that goal, the Web MIDI API is now available in Firefox 108. Calls to navigator.requestMIDIAccess() will prompt users with active MIDI devices to install a Site Permission Add-On, which is required to enable the API.
HTTPS by default in Web Extensions: As part of our goal to make it easier to comply with and enforce existing policies for web extensions, we require all new extensions using manifest version 3 to default all their internal requests to HTTPS. This is implemented as a change in the default Content-Security-Policy, which can be customized in the extension manifest.
Even stricter Storage Access API: Firefox 109 no longer gives third parties access to their unpartitioned storage; instead it permanently partitions storage in order to align with other browsers and provide better Web compatibility. For example, keeping storage partitioned in cross-site contexts will help us make Service Workers more compatible with Total Cookie Protection and advance our standardization efforts on the Storage Access API.
Clickjacking & Keyboardjacking prevention when using the Clipboard API: Firefox has always gated risky permissions and APIs behind extra steps. As an example, access is sometimes restricted to web pages that have had clear and visible user interaction.
As part of our ongoing improvements, we have reduced the likelihood of websites being able to bypass these restrictions and get access to the clipboard too easily.
Core Security
Improved Crash Reporting: As part of our (opt-in) crash reporting system, we ingest and analyze a lot of stability issues and potential security bugs. As of last quarter, we have improved our crash reporting and analysis and can now properly identify and report crashes on non-canonical addresses in order to get better insights into use-after-free bugs observed in production.
Increased memory safety by removing instances of snprintf: The C++ function snprintf() has been inconsistently implemented across platforms, which was a common cause of security bugs even 17 years ago. We have always had an internal replacement function that works better, and as part of our most recent work we have eliminated all usage of non-internal snprintf functions in our own and third-party code. This reduces the likelihood of memory safety issues and makes our codebase more consistent.
Fuzzing
Continued Efforts to improve fuzzing techniques: The most noteworthy change is the capability to perform differential testing of our JavaScript JIT engine, which may compile functionally equivalent code differently based on performance criteria. The resulting code should, however, be free of side-effects in functionality. The foundation for this achievement was provided by community contributor Lukas Bernhard from the Ruhr-University of Bochum. Many thanks! We have also started fuzzing Linux and Windows 32-bit builds. Furthermore, we have improved CSS fuzzing by adding support for the container at-rule and the page at-rule with named pages, and expanded support for testing prefixed CSS properties.
Web Security
Advancing our support of the Content Security Policy: Starting with Firefox version 108, Firefox allows websites to better protect themselves against Cross-Site Scripting (XSS) and data injection attacks by supporting the following CSP header directives: style-src-elem and style-src-attr. A server can use these to specify valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet", and for styles applied to individual elements, respectively. Similarly, script-src-elem and script-src-attr are now also supported. A server can use these to specify valid sources for JavaScript <script> elements, and for inline script event handlers like onclick.
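The added example below (not Firefox or Mozilla code) shows how a server-side policy author can reason about the new directives: a missing -elem or -attr directive falls back to script-src or style-src and then to default-src, so one header can allow scripts from a CDN while denying every inline event handler. Source-expression matching is a deliberately simplified subset ('none', 'self', 'unsafe-inline' and exact origins; an assumption, not the full CSP grammar).

```javascript
// Added example (not Mozilla code): resolve which CSP directive governs a
// script or style load via the -elem/-attr fallback chain, then check it.
// Source matching is a simplified subset (assumption): 'none', 'self',
// 'unsafe-inline' and exact scheme+host origins only; no nonces or hashes.

const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem':  ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr':  ['style-src-attr', 'style-src', 'default-src'],
};

// Parse a Content-Security-Policy header value into {directive: [sources]}.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Name of the directive that actually applies to `directive`, or null.
function governingDirective(policy, directive) {
  return (FALLBACK[directive] || [directive]).find((d) => d in policy) || null;
}

// Decide whether a load is allowed. `request` is {inline: true} for an
// inline element or attribute, or {origin: 'https://host'} for a fetch.
function isAllowed(header, directive, request, pageOrigin) {
  const policy = parsePolicy(header);
  const name = governingDirective(policy, directive);
  if (name === null) return true;               // no applicable directive
  const sources = policy[name];
  if (sources.includes("'none'")) return false;
  if (request.inline) return sources.includes("'unsafe-inline'");
  if (sources.includes("'self'") && request.origin === pageOrigin) return true;
  return sources.includes(request.origin);
}

// Constructed sample policy: CDN scripts allowed, inline handlers denied,
// inline style attributes tolerated, everything else falls back to 'self'.
const SAMPLE_CSP = "default-src 'self'; script-src-elem 'self' https://cdn.example; " +
  "script-src-attr 'none'; style-src-attr 'unsafe-inline'";
```

Run `isAllowed(SAMPLE_CSP, 'script-src-attr', {inline: true}, 'https://app.example')` to see an onclick handler denied while the CDN script element is still permitted.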
WebAuthn Level 1 + CTAP2 available behind a pref: WebAuthn is an API that uses public-key cryptography (instead of passwords) for authentication within web applications. CTAP2 (Client To Authenticator Protocol) enables the use of external authenticators, such as a hardware token. We expect to release WebAuthn Level 1 and CTAP2 to all Firefox users soon. For now, websites can test this functionality by explicitly flipping the preference security.webauthn.ctap2 to true in about:config.
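For a website exercising WebAuthn, the security of the ceremony rests on the relying party checking the clientDataJSON the browser returns against what the server itself issued. The following is an added example (not Firefox, Mozilla or any WebAuthn library code) of that server-side check; the challenge and client data are constructed here by hand, not captured from a real authenticator.

```javascript
// Added example (not Mozilla code): the relying-party check of the
// clientDataJSON returned by navigator.credentials.create()/get().
// Runs under Node.js (assumption: Buffer is available).

function base64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

function base64urlEncode(buf) {
  return Buffer.from(buf).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// `expected` is what the server knows independently of the client: the
// challenge bytes it generated for this session, its own origin, and the
// ceremony type it is waiting for ('webauthn.create' or 'webauthn.get').
function verifyClientData(clientDataJSONb64, expected) {
  let data;
  try {
    data = JSON.parse(base64urlDecode(clientDataJSONb64).toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'clientDataJSON is not valid JSON' };
  }
  if (data.type !== expected.type)
    return { ok: false, reason: `unexpected ceremony type ${data.type}` };
  // The challenge must equal the one the server stored for this session;
  // taking it from the client instead would allow replays.
  if (data.challenge !== base64urlEncode(expected.challenge))
    return { ok: false, reason: 'challenge mismatch (replay or wrong session)' };
  // Origin binding is what makes the credential phishing-resistant.
  if (data.origin !== expected.origin)
    return { ok: false, reason: `origin ${data.origin} is not the RP origin` };
  return { ok: true, reason: 'client data matches the issued ceremony' };
}

// Constructed sample: a challenge the server "issued" and the clientDataJSON
// a browser would produce for it (hand-built, not captured from Firefox).
const sampleChallenge = Buffer.from('0123456789abcdef0123456789abcdef', 'hex');
const sampleClientData = base64urlEncode(Buffer.from(JSON.stringify({
  type: 'webauthn.create',
  challenge: base64urlEncode(sampleChallenge),
  origin: 'https://rp.example',
})));
```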
Going Forward
Thanks to everyone involved in making Firefox and the Open Web more secure and privacy-respecting. Since we are already in 2023, please do not forget to add your items to the 2023 Q1 Security & Privacy Newsletter (Collection Document) so that they will show up in the next iteration of the Firefox Security & Privacy newsletter.
In the name of everyone improving Security and Privacy within Firefox, Mozilla and the Open Web,
Christoph, Freddy, Tom