Revision 138393 of Security changes in Firefox 3.5

  • Revision slug: Security_changes_in_Firefox_3.5
  • Revision title: Security changes in Firefox 3.5
  • Revision id: 138393
  • Created:
  • Creator: Johnath
  • Is current revision? No
  • Comment 43 words added, 2 words removed

Revision Content

This article covers security-related changes in Firefox 3.1.

Changes to chrome registration

A security hole was closed in order to prevent remote content from being used as chrome. This could impact any add-on that included a resource in its chrome.manifest file that referenced a file on the web.

The fix adds a new URI_IS_LOCAL_RESOURCE flag to the nsIProtocolHandler interface; the flag indicates that the protocol is safe to register as chrome. Any add-on that creates its own protocol handler and tries to register it in its chrome.manifest file will have to use this flag in order to work correctly.

Private browsing

Firefox 3.1 implements private browsing, a mode in which cookies, history, and other potentially private information aren't saved permanently on the user's computer. Extensions and other add-ons may support the private browsing feature, detecting when it's in use so they can avoid saving private information while private browsing mode is enabled. See Supporting private browsing mode for details.

New certificate error handling

In previous versions of Firefox 3, SSL certificate errors resulted in the presentation of the standard network error page, about:neterror, in the browser window.  Starting in Firefox 3.1, there is a new error page, about:certerror, which is displayed instead.  The error URL is formatted like this:

about:certerror?e=error&u=url&d=desc

Embedders needing to provide custom certificate error pages can now do so by supplying their own about: page implementation, and setting the security.alternate_certificate_error_page preference to the appropriate page name (e.g. "certerror").
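
A custom error page has to read the e, u and d parameters from the URL format shown above and display them without interpreting them as markup. The following is an added example, not Mozilla's code; it assumes the values are percent-encoded, and the function names and the sample URI are constructed for illustration.

```javascript
// Constructed sample URI in the about:certerror?e=error&u=url&d=desc format.
const SAMPLE_URI =
  "about:certerror?e=exampleError" +
  "&u=https%3A%2F%2Fexample.test%2F%3Fq%3D%3Cb%3E" +
  "&d=Certificate%20expired%20%26%20untrusted";

// Split the query into the three documented fields.
// Assumption: values are percent-encoded; unknown keys are ignored.
function parseCertErrorURI(uri) {
  const prefix = "about:certerror?";
  if (typeof uri !== "string" || !uri.startsWith(prefix)) {
    return null; // not a certificate error page URI
  }
  const fields = { e: "", u: "", d: "" };
  for (const pair of uri.slice(prefix.length).split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 1) continue;
    const key = pair.slice(0, eq);
    if (!Object.prototype.hasOwnProperty.call(fields, key)) continue;
    try {
      fields[key] = decodeURIComponent(pair.slice(eq + 1));
    } catch (err) {
      fields[key] = ""; // malformed escape sequence: treat as missing
    }
  }
  return { error: fields.e, url: fields.u, desc: fields.d };
}

// The u and d values reflect the address being loaded, so a custom page
// should escape them (or assign them via textContent) before display.
function escapeHTML(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Return the host to show the user, or null if u is not a valid https URL.
function hostForDisplay(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === "https:" ? parsed.host : null;
  } catch (err) {
    return null;
  }
}
```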

See also

  • Firefox 3.1 for developers

Revision Source

<p>{{ fx_minversion_header("3") }}</p>
<p>{{ draft() }}</p>
<p>This article covers security-related changes in Firefox 3.1.</p>
<h2>Changes to chrome registration</h2>
<p>A security hole was closed in order to prevent remote content from being used as chrome. This could impact any add-on that included a resource in its <code>chrome.manifest</code> file that referenced a file on the web.</p>
<p>The fix adds a new <code>URI_IS_LOCAL_RESOURCE</code> flag to the {{ interface("nsIProtocolHandler") }} interface; the flag indicates that the protocol is safe to register as chrome. Any add-on that creates its own protocol handler and tries to register it in its <code>chrome.manifest</code> file will have to use this flag in order to work correctly.</p>
<h2>Private browsing</h2>
<p>Firefox 3.1 implements private browsing, a mode in which cookies, history, and other potentially private information aren't saved permanently on the user's computer. Extensions and other add-ons may support the private browsing feature, detecting when it's in use so they can avoid saving private information while private browsing mode is enabled. See <a class="internal" href="/En/Supporting_private_browsing_mode" title="En/Supporting private browsing mode">Supporting private browsing mode</a> for details.</p>
<h2>New certificate error handling</h2>
<p>In previous versions of Firefox 3, SSL certificate errors resulted in the presentation of the standard network error page, <code>about:neterror</code>, in the browser window.  Starting in Firefox 3.1, there is a new error page, <code>about:certerror</code>, which is displayed instead.  The error URL is formatted like this:</p>
<p><code>about:certerror?e=error&amp;u=url&amp;d=desc</code></p>
<p>Embedders needing to provide custom certificate error pages can now do so by supplying their own <code>about:</code> page implementation, and setting the <code>security.alternate_certificate_error_page</code> preference to the appropriate page name (e.g. <code>"certerror"</code>).</p>
<h2>See also</h2>
<ul> <li><a class="internal" href="/en/Firefox_3.1_for_developers" title="En/Firefox 3.1 for developers">Firefox 3.1 for developers</a></li>
</ul>