Archived Blog

Firefox 3 Security Features

06.20.2008 - 5:31 PM

Firefox 3 was released a few days ago, breaking the record for the most software downloads in a 24 hour period, and currently sits at 12.5 million downloads. In this blog, we review some interesting security features of this release, and preview how these features work.

eTLD - Effective Top-Level Domains

This security fix restricts broad-domain cookies so that cookies are restricted to a single domain. Cookies have a domain attribute, which you can use to define its use and accessibility. For example, can issue a cookie with The cookie can be used on or any of its sub-domains. However, RFC restrictions prevent abuse of issuing cookies with attributes such as, which would allow use of the cookie on any .com domain. A problem occurs with some countries that have domains such as You can set a cookie that can be used on every Web site. Internet Explorer tried to combat this problem by restricting cookies so that the 2nd level domain has to be greater than two characters (e.g., cannot be used), and blacklisted some other known similar domains. Some other, less known domains are left unprotected by this attempt, such as or A clear, example attack was provided on bugzilla, and can be illustrated as follows:

1) assume a safe site on the domain, such as
2) assume an evil site on the domain, such as
3) if the user visits, it can set a cookie with
4) this cookie is now used on every domain, including

The attacker probably will then use this cookie to authenticate. By creating this list of TLD's, Firefox easily can determine which cookies should be restricted. For example, if is a valid TLD, then restrict all cookies with

Malware & Phishing Protection

Firefox now reports when you attempt to visit an attack site which may steal your information or cause damage to your system or other systems. For example:

Firefox uses the Google Safe Browsing Service/API, which contains lists of malicious pages or phishing sites. Firefox makes a POST request on your behalf to the API, which returns a set of URL hashes. These are either categorized as malware, phishing, or as a whitelisted domain. When a user visits a Web site, a hash is taken of that URL, and then compared against this list to see if access should be granted or denied. The response also contains the update interval, denoting the next time your browser is allowed to request for possible updates.

This protection is as only as good as its blacklist, and while we found that some of the phishing URLs tested were indeed blocked, we found multiple phishing pages that still made it through:

Click here for more details on the Safe Browsing API.

Prevention of Global Object Redeclaration

Firefox 3 is is the only browser with this security feature, as it is the only browser that uses JavaScript v1.8. JavaScript prevents you from re-declaring global objects such as Array. For example, the following JavaScript would cause an error:

function Array(){
  alert("redeclared"); //error

This prevention was implemented due to security concerns of "data leakage." Attackers could access data in JSON requests, such as data residing in an Array type object. Click here to learn about securing JSON.

Restriction of Cross-Site XMLHttpRequest Object

In a previous blog, we indicated that cross-site requests in this manner violate the SOP (Same Origin Policy), and can create some security concerns. However, this feature also opens many opportunities in terms of product development. At the time of writing the previous blog, both Firefox and Internet Explorer had such capabilities. However, the cross-site XHR object was pulled in the final release of Firefox 3. This functionality now only can be used by Firefox extensions, and cannot be used in the standard scripting environment, as described on the Mozilla Dev Center Web page.

Security Researcher: Joren McReynolds


Bookmark This Post: