Hardening the Firefox frontend
Tom Schuster, Frederik Braun, and Christoph Kerschbaumer have published an article on the Firefox Security team's Attack & Defense blog that explains recent work to harden Firefox's frontend code.
We have rewritten over 600 JavaScript event handlers to mitigate XSS and other injection attacks in the main Firefox user interface. This mitigation will ship in Firefox 138. However, blocking the execution of scripts in the parent process is not the end - we will expand this technique to other contexts in the near future. There is still more work to do as the UI requires JavaScript APIs with a high level of privileges. However: We still eliminated a whole class of attacks, significantly raising the bar for attackers to exploit Firefox.