We have seen inline event handlers being used as a tool for gaining
code execution in the parent process, e.g. during Pwn2Own. To prevent
this going forward we removed all inline event handlers from
browser.xhtml and since today they are also actively being blocked in
Nightly builds [1]. We plan on shipping this mitigation to release
versions of Firefox after evaluating the Telemetry results.
Furthermore, we ask you not to introduce new inline event handlers in
*any* new UI code, because we are progressively trying to remove them
from all other windows/dialogs [2], for example the Page Info or
Library window. (As a start, we are focusing on those windows that show
data coming from the web.)
If you are writing or using a modified version of Firefox (e.g.
userChrome JS) you have two options:
- Rewrite your code to add event handlers using `addEventListener()`
rather than in HTML.
- Disable the pref (security.browser_xhtml_csp.enabled) and be
unprotected against potential attacks. However, we can't guarantee that
this pref will exist forever.
Thank you
Tom
[1]
https://bugzilla.mozilla.org/show_bug.cgi?id=1937080
[2]
https://bugzilla.mozilla.org/show_bug.cgi?id=1935985
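The migration the message asks for, as an added example (not Firefox code and not part of the original post): an inline handler is a string the browser has to compile at runtime, which is exactly what a CSP without 'unsafe-inline' refuses to do, while addEventListener() references a function that already exists in the script. The markup, the handler table and the tiny EventTarget-based mock document are constructed here so the example runs under Node; the element ids and handler names are assumptions.

```javascript
// Added example: migrating inline on<event>="..." attributes to
// addEventListener(). The markup below is constructed for this example and
// the mock document stands in for the real DOM so the code runs under Node.

// Constructed sample of the pattern the post asks people to stop writing.
const LEGACY_MARKUP = `
<vbox id="page-info-box">
  <button id="copy-btn" label="Copy" onclick="copySelected(event);"/>
  <menuitem id="close-item" label="Close" oncommand="window.close();"/>
  <textbox id="note" onchange="saveNote(this.value);"/>
</vbox>`;

// Matches one inline handler attribute. Assumes well-formed, double-quoted
// XHTML attributes; this is a migration aid, not a full markup parser.
const INLINE_HANDLER = /\s+(on[a-z]+)="([^"]*)"/gi;

// Strip every on<event>="..." attribute and return the cleaned markup plus
// a list of what was removed, so each string can be replaced by a real
// function registered with addEventListener().
function migrateInlineHandlers(markup) {
  const registrations = [];
  const cleaned = markup.replace(/<([a-zA-Z]+)([^>]*?)(\/?)>/g,
    (_tag, name, attrs, selfClose) => {
      const idMatch = attrs.match(/\sid="([^"]+)"/);
      const stripped = attrs.replace(INLINE_HANDLER, (_m, attr, code) => {
        registrations.push({
          id: idMatch ? idMatch[1] : null,
          element: name,
          event: attr.slice(2).toLowerCase(), // "onclick" -> "click"
          code,                               // the string that used to be compiled
        });
        return "";
      });
      return `<${name}${stripped}${selfClose}>`;
    });
  return { cleaned, registrations };
}

// Minimal stand-in for DOM elements: Node's built-in EventTarget gives us
// addEventListener()/dispatchEvent() with the same semantics as the browser.
class MockElement extends EventTarget {
  constructor(id) { super(); this.id = id; this.value = ""; }
}
function makeDocument(ids) {
  const byId = new Map(ids.map((id) => [id, new MockElement(id)]));
  return { getElementById: (id) => byId.get(id) || null };
}

// What the author writes by hand in place of the removed strings: ordinary
// functions, keyed by "<id>/<event>". Nothing here is parsed at runtime.
function buildHandlers(state) {
  return {
    "copy-btn/click": () => { state.copied += 1; },
    "close-item/command": () => { state.closed = true; },
    "note/change": (event) => { state.note = event.target.value; },
  };
}

// Wire each removed inline handler to its replacement function. Returns how
// many listeners were attached; entries without an id or a handler are skipped.
function registerHandlers(document, registrations, handlers) {
  let wired = 0;
  for (const { id, event } of registrations) {
    const fn = handlers[`${id}/${event}`];
    const el = id && document.getElementById(id);
    if (!fn || !el) continue;
    el.addEventListener(event, fn);
    wired += 1;
  }
  return wired;
}

// End-to-end: migrate the markup, attach listeners, fire two events.
function demo() {
  const { cleaned, registrations } = migrateInlineHandlers(LEGACY_MARKUP);
  const document = makeDocument(registrations.map((r) => r.id));
  const state = { copied: 0, closed: false, note: "" };
  const wired = registerHandlers(document, registrations, buildHandlers(state));
  document.getElementById("copy-btn").dispatchEvent(new Event("click"));
  const note = document.getElementById("note");
  note.value = "hello";
  note.dispatchEvent(new Event("change"));
  return { cleaned, wired, state };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `code` field in each registration is the part that matters for the CSP: with inline handlers blocked, those strings are never turned into functions, so a handler smuggled into browser.xhtml or a dialog's markup stops being a route to code execution in the parent process. The replacement functions live in the script file, which the CSP does allow, and are attached by reference.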