Security Articles
-
Firefox OS Security: Part 1 – The Web Security Model
When presenting Firefox OS to people, security is a big topic. Can an operating system built on web technologies be secure? What has Mozilla built in to avoid drive-by downloads and malware? In this two-part video series, Christian Heilmann (@codepo8), principal evangelist of Mozilla, talks to Michael Coates (@_mwc), chair of @OWASP Board about […]
-
An interesting way to determine if you are logged into social web sites
Do you remember the trick for finding out that you had visited certain web sites by analysing link colour (now patched in Firefox)? Your browser tells a lot about you if you just create a few HTML elements. Mike Cardwell has found an interesting way to detect if you are logged into social […]
-
An overview of Containers for add-on developers
Containers work by giving users the ability to place barriers on the flow of data across sites by isolating cookies, indexedDB, localStorage, and caches within discrete browsing contexts. This in-depth introduction to Containers and Container extensions explores the capabilities of Containers and contextual identity for developers.
-
Login Forms over HTTPS, Please
Update: This feature is now also enabled in Firefox Beta, starting with Firefox Beta 50. Pretty much everyone who uses the web has used a password to log into something. And pretty much everyone who has used a password has put that password at risk by entering it into an insecure form. In Firefox 46 […]
-
How to implement SRI in your build process
Imagine getting a call from a customer who says your website is serving malware. Your heart drops, you start sweating, and then the tweets start pouring in. Something is up. You find out your systems have not been tampered with. In fact, it was your CDN provider that got hacked, and the scripts you included […]
-
Implementing Content Security Policy
The add-ons team recently completed work to enable Content Security Policy (CSP) on addons.mozilla.org (AMO). This article is intended to cover the basics of implementing CSP, as well as highlighting some of the issues that we ran into implementing CSP on AMO. What is Content Security Policy? Content Security Policy (CSP) is a security standard […]
-
Containers Come to Test Pilot
The Containers feature in Firefox Nightly gives users the ability to place barriers on the flow of data across sites by isolating cookies, indexedDB, localStorage, and caches within discrete browsing contexts. After running the Containers UI through successive rounds of user research and UX iteration, we’ve launched a Containers experiment in Firefox Test Pilot in order to widen the audience for Containers, iterate on the UI, and reason about the future of the feature.
-
Securing Firefox with WebAssembly
Protecting the security and privacy of individuals is a central tenet of Mozilla’s mission. While we continue to make extensive use of both sandboxing and Rust in Firefox to address security challenges in the browser, each has its limitations. Today we’re adding a third approach to our arsenal. RLBox, a new sandboxing technology developed by researchers at the University of California, San Diego, and the University of Texas, Austin, allows us to quickly and efficiently convert existing Firefox components to run inside a WebAssembly sandbox.
-
Using Hardware Token-based 2FA with the WebAuthn API
To provide higher security for logins, websites are deploying two-factor authentication (2FA), often using a smartphone application or text messages. Those mechanisms make phishing harder but fail to prevent it entirely. Firefox 60 will ship with the WebAuthn API enabled by default, providing two-factor authentication built on public-key cryptography immune to phishing as we know it today. The API is available today in Firefox Nightly, and it's not too soon to start learning how to secure millions of users already in possession of FIDO U2F USB tokens.
-
Content Security Policy 1.0 lands in Firefox Aurora
The information in this article is based on work together with Ian Melven, Kailas Patil and Tanvi Vyas. We have just landed support for the Content Security Policy (CSP) 1.0 specification in Firefox Aurora (Firefox 23), available as of tomorrow (May 30th). CSP is a security mechanism that aims to protect a website against content […]