This article covers security-related changes in Firefox 3.5.
A security hole was closed in order to prevent remote content to be used as chrome. This could impact any add-on that included a resource in their
chrome.manifest file that referenced a file on the web.
Fixing this bug was accomplished by adding a new
URI_IS_LOCAL_RESOURCE flag to the
nsIProtocolHandler interface that indicates that the protocol is safe to register as chrome. Any add-on that creates its own protocol handler and tries to register it in its
chrome.manifest file will have to use this flag in order to work correctly.
Firefox 3.5 implements private browsing, a mode in which cookies, history, and other potentially private information isn't saved permanently on the user's computer. Extensions and other add-ons may support the private browsing feature, detecting when it's in use so they can avoid saving private information while private browsing mode is enabled. See Supporting private browsing mode for details.
Plug-ins can detect whether or not private browsing mode is in effect by using the
NPN_GetValue() function to check the current value of the
In previous versions of Firefox 3, SSL certificate errors resulted in the presentation of the standard network error page,
about:neterror, in the browser window. Starting in Firefox 3.5, there is a new error page,
about:certerror, which is displayed instead. The error URL is formatted like this:
Embedders needing to provide custom certificate error pages can now do so by supplying their own
about: page implementation, and setting the
security.alternate_certificate_error_page preference to the appropriate page name (e.g.