Security Articles
-
WebSocket disabled in Firefox 4
Recent discoveries found that the protocol WebSocket works with is vulnerable to attacks. Adam Barth demonstrated some serious attacks against the protocol that could be used by an attacker to poison caches that sit in between the browser and the Internet. This is a serious threat to the Internet and WebSocket and not a […]
-
Firefox 4: HTTP Strict Transport Security (force HTTPS)
This article is about a new HTTPS header: Strict-Transport-Security, which forces a website to be fetched through HTTPS. This feature will be part of Firefox 4. How do you type URLs? Do you prefix them with http:// or https:// systematically? Or do you just type example.com and let your browser add http://, like most of […]
-
Account Manager coming to Firefox
Update: The Account Manager is no longer maintained. Building on this experiment, we have conceived BrowserID. Please consider using it instead. Last month Mozilla Labs announced a new concept series on online identity. As part of this exploration, we developed the Account Manager. The Account Manager makes it incredibly easy for users to create new […]
-
mozilla developer preview 4 ready for testing
Note: this is a re-post of the entry in the Mozilla Project Development Weblog. There’s some juicy stuff in here for Web Developers that need testing. In particular, this is the first build with the CSS history changes. As part of our ongoing platform development work, we’re happy to announce the fourth pre-release of the […]
-
privacy-related changes coming to CSS :visited
For more information about this, have a look at David Baron’s post, the bug and the post on the security blog. For many years the CSS :visited selector has been a vector for querying a user’s history. It’s not particularly dangerous by itself, but when it’s combined with getComputedStyle() (https://developer.mozilla.org/en/DOM/window.getComputedStyle) in JavaScript it means that […]
-
mitigating attacks with content security policy
Firefox support for Content Security Policy (CSP) has been in the news and is now available in test builds for web developers to try. Support for CSP isn’t slated for Firefox 3.6 but is likely to be included in the release after 3.6, most likely called 3.7. This post is targeted at web developers and […]