
Revision 138392 of Security changes in Firefox 3.5

  • Revision slug: Security_changes_in_Firefox_3.5
  • Revision title: Security changes in Firefox 3.5
  • Revision id: 138392
  • Created:
  • Creator: Sheppy
  • Is current revision? No
  • Comment 76 words added

Revision Content

{{ fx_minversion_header("3") }}

{{ draft() }}

This article covers security-related changes in Firefox 3.1.

Changes to chrome registration

A security hole was closed to prevent remote content from being used as chrome.  This could affect any add-on whose chrome.manifest file includes a resource that references a file on the web.

Fixing this bug was accomplished by adding a new URI_IS_LOCAL_RESOURCE flag to the nsIProtocolHandler interface that indicates that the protocol is safe to register as chrome.  Any add-on that creates its own protocol handler and tries to register it in its chrome.manifest file will have to use this flag in order to work correctly.
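An add-on author can scan a manifest for registrations affected by this change. The script below is an added example, not code from the original article or from Mozilla; the instruction names and argument positions, the local and remote scheme lists, and the sample manifest (hypothetical add-on "myext", scheme "myproto") are assumptions constructed for illustration.

```javascript
// Added example: flag chrome.manifest registrations that point at non-local content.
// Assumed manifest syntax: index of the URI argument for each instruction.
const URI_ARG_INDEX = new Map([["content", 2], ["resource", 2], ["locale", 3], ["skin", 3]]);
// Assumption: schemes treated as local vs. remote for this audit.
const LOCAL_SCHEMES = new Set(["file", "resource", "chrome"]);
const REMOTE_SCHEMES = new Set(["http", "https", "ftp"]);

function classifyUri(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  if (!m) return "local"; // relative path inside the add-on package
  const scheme = m[1].toLowerCase();
  // jar: wraps another URI (jar:<inner>!/path), so judge the inner URI.
  if (scheme === "jar") return classifyUri(uri.slice(4));
  if (LOCAL_SCHEMES.has(scheme)) return "local";
  // A custom scheme only works if its handler sets URI_IS_LOCAL_RESOURCE,
  // which a static scan of the manifest cannot confirm.
  return REMOTE_SCHEMES.has(scheme) ? "remote" : "custom-scheme";
}

function auditManifest(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const parts = raw.trim().split(/\s+/);
    const idx = URI_ARG_INDEX.get(parts[0]);
    if (idx === undefined || parts.length <= idx) return; // comment, blank, other
    const verdict = classifyUri(parts[idx]);
    if (verdict !== "local") {
      findings.push({ line: i + 1, instruction: parts[0], uri: parts[idx], verdict });
    }
  });
  return findings;
}

// Constructed sample manifest (hypothetical add-on "myext").
const SAMPLE_MANIFEST = [
  "# constructed sample",
  "content myext jar:chrome/myext.jar!/content/",
  "locale myext en-US chrome/locale/en-US/",
  "skin myext classic/1.0 http://example.com/skin/",
  "resource myext-res https://example.com/modules/",
  "resource myext-data myproto://data/",
  "content other jar:http://example.com/x.jar!/content/",
].join("\n");

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`line ${f.line}: ${f.instruction} -> ${f.uri} [${f.verdict}]`);
}
```

Entries reported as "custom-scheme" need a manual check that the add-on's protocol handler sets URI_IS_LOCAL_RESOURCE.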

Private browsing

Firefox 3.1 implements private browsing, a mode in which cookies, history, and other potentially private information aren't saved permanently on the user's computer.  Extensions and other add-ons may support the private browsing feature, detecting when it's in use so they can avoid saving private information while private browsing mode is enabled.  See Supporting private browsing mode for details.

New certificate error page

In previous versions of Firefox 3.1, SSL certificate errors resulted in the presentation of the standard network error page, about:neterror, in the browser window.  Starting in Firefox 3.1, there is a new error page, about:certerror, which is displayed instead.  The error URL is formatted like this:

about:certerror?e=error&u=url&d=desc

See also

  • Firefox 3.1 for developers

Revision Source

<p>{{ fx_minversion_header("3") }}</p>
<p>{{ draft() }}</p>
<p>This article covers security-related changes in Firefox 3.1.</p>
<h2>Changes to chrome registration</h2>
<p>A security hole was closed to prevent remote content from being used as chrome.  This could affect any add-on whose <code>chrome.manifest</code> file includes a resource that references a file on the web.</p>
<p>Fixing this bug was accomplished by adding a new <code>URI_IS_LOCAL_RESOURCE</code> flag to the {{ interface("nsIProtocolHandler") }} interface that indicates that the protocol is safe to register as chrome.  Any add-on that creates its own protocol handler and tries to register it in its <code>chrome.manifest</code> file will have to use this flag in order to work correctly.</p>
<h2>Private browsing</h2>
<p>Firefox 3.1 implements private browsing, a mode in which cookies, history, and other potentially private information aren't saved permanently on the user's computer.  Extensions and other add-ons may support the private browsing feature, detecting when it's in use so they can avoid saving private information while private browsing mode is enabled.  See <a class="internal" href="/En/Supporting_private_browsing_mode" title="En/Supporting private browsing mode">Supporting private browsing mode</a> for details.</p>
<h2>New certificate error page</h2>
<p>In previous versions of Firefox 3.1, SSL certificate errors resulted in the presentation of the standard network error page, <code>about:neterror</code>, in the browser window.  Starting in Firefox 3.1, there is a new error page, <code>about:certerror</code>, which is displayed instead.  The error URL is formatted like this:</p>
<p><code>about:certerror?e=error&amp;u=url&amp;d=desc</code></p>
<h2>See also</h2>
<ul> <li><a class="internal" href="/en/Firefox_3.1_for_developers" title="En/Firefox 3.1 for developers">Firefox 3.1 for developers</a></li>
</ul>