Security Articles
-
Behind the Scenes Hardening Firefox with Claude Mythos Preview
Two weeks ago we announced that we had identified and fixed an unprecedented number of latent security bugs in Firefox with the help of Claude Mythos Preview and other AI models. In this post, we’ll go into more detail about how we approached this work, what we found, and advice for other projects on making […]
-
Trustworthy JavaScript for the Open Web
The open web is a critical platform for applications that handle highly sensitive data, from private communications to financial transactions and medical records. Traditionally, servers are trusted to deliver the appropriate code and resources for their web applications to browsers, who then provide a secure and isolated environment for their execution. In some circumstances, this […]
-
Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148
Cross-site scripting (XSS) remains one of the most prevalent vulnerabilities on the web. The new standardized Sanitizer API provides a straightforward way for web developers to sanitize untrusted HTML before inserting it into the DOM. Firefox 148 is the first browser to ship this standardized security enhancing API, advancing a safer web for everyone. We […]
-
CRLite: Fast, private, and comprehensive certificate revocation checking in Firefox
Firefox is now the first and the only browser to deploy fast and comprehensive certificate revocation checking that does not reveal your browsing activity to anyone (not even to Mozilla). Tens of millions of TLS server certificates are issued each day to secure communications between browsers and websites. These certificates are the cornerstones of ubiquitous […]
-
Getting lively with Firefox 90
As the summer rolls around for those of us in the northern hemisphere, temperatures are high and unwinding with a cool ice tea is high on the agenda. Isn't it lucky then that Background Update is here for Windows, which means Firefox can update even if it's not running. We can just sit back and relax! Also this release we see a few nice JavaScript additions, including private fields and methods for classes, and the at() method for Array, String and TypedArray global objects. This blog post just provides a set of highlights.
-
Eliminating Data Races in Firefox – A Technical Report
We successfully deployed ThreadSanitizer in the Firefox project to eliminate data races in our remaining C/C++ components. In the process, we found several impactful bugs and can safely say that data races are often underestimated in terms of their impact on program correctness. We recommend that all multithreaded C/C++ projects adopt the ThreadSanitizer tool to enhance code quality.
-
Browser fuzzing at Mozilla
Mozilla has been fuzzing Firefox and its underlying components for a while. It has proven itself to be one of the most efficient ways to identify quality and security issues. In general, we apply fuzzing on different levels: there is fuzzing the browser as a whole but a significant amount of time is also spent on fuzzing isolated code (e.g. with libFuzzer) or even whole components such as the JS engine using separate shells with various fuzzers. For the purpose of this blog post, we will talk specifically about browser fuzzing only, and go into detail on the pipeline we’ve developed.
-
Changes to SameSite Cookie Behavior – A Call to Action for Web Developers
Browsers are changing the default value of the
SameSiteattribute for cookies fromNonetoLax. This will greatly improve security for users. However, some web sites may depend (even unknowingly) on the old default, potentially resulting in site breakage. At Mozilla, we are slowly introducing this change. And we urge web developers to test their sites with the new default. -
Safely reviving shared memory
At Mozilla, we want the web to be capable of running high-performance applications so that users and content authors can choose the safety, agency, and openness of the web platform. Shared-memory multi-threading is an essential low-level building block for high-performance applications. However, keeping users safe is paramount, which is why shared memory and high-resolution timers were effectively disabled at the start of 2018, in light of Spectre. Until now...
-
Securing Gamepad API
As part of Mozilla’s ongoing commitment to improve the privacy and security of the web platform, over the next few months, we will be making some changes to the Gamepad API. Starting with Firefox 81, the Gamepad API will be restricted to what are known as “secure contexts.”
