One of the many ways attackers get their malicious code onto users' machines is through drive-by downloads. They often compromise benign sites and use them to load malicious content in users' browsers, and now Mozilla is making a key change to its Firefox browser in an effort to make security checks on browser-loaded content more efficient and effective.
The company is moving from a model in which pre-load security checks are distributed throughout the Firefox code base to one in which they are performed by a central function that is enforced by default. Right now, Firefox enforces security checks such as Content Security Policy, Content Blocking, and Same Origin Policy through the Gecko layout engine, which performs those checks before the Necko API requests a resource over the network.
“The downside of this legacy architecture is that all the different subsystems in Gecko need to perform their own security checks before resources are requested over the network. For example, ImageLoader as well as ScriptLoader have to opt into the relevant security checks before initiating a GET request of the image or script to be loaded, respectively. Even though systematic security checks were always performed, those security checks were sprinkled throughout the codebase,” Christoph Kerschbaumer, a security and privacy engineer at Mozilla, said.
The idea behind the change is to ensure that all of the security checks are performed by default, in one place, before anything is loaded.
“Instead of performing ad hoc security checks for each network request within Gecko, our implementation enables Gecko to provide information about the load context so Necko can perform the relevant security checks in a centralized manner. Whenever data (script, css, image,…) is about to be requested from the network, our technique creates and attaches an immutable loadinfo-object to every network request which remains assigned to a network load throughout the whole loading process and allows Firefox to provide the same security guarantees for resource loads that encounter a server-side redirect,” Kerschbaumer said.
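To make the centralized design concrete, here is an added illustrative model written for this article; it is not Gecko or Necko code, and the LoadInfo, Policy and openChannel names, the CSP-like policy shape and the sample origins are assumptions. It shows the point of the quote above: one enforcement point in the network layer re-checks every redirect hop against the unchanged load context, so a redirect cannot escape the checks applied to the original request.

```cpp
// Illustrative model of a central pre-load security check (added example, not Gecko/Necko code).
#include <map>
#include <string>
#include <vector>
enum class ContentType { Script, Image };
// Immutable load context created once per request and kept across redirects.
struct LoadInfo {
    const std::string loadingOrigin;  // origin of the document initiating the load
    const ContentType type;           // how the consumer will use the bytes
};
// Constructed stand-in for a CSP-like policy: allowed source origins per content type.
using Policy = std::map<ContentType, std::vector<std::string>>;
static std::string originOf(const std::string& url) {  // assumes scheme://host[/path]
    return url.substr(0, url.find('/', url.find("://") + 3));  // npos -> whole string
}
// The single enforcement point: every hop of every load passes through here.
static bool policyAllows(const Policy& policy, const LoadInfo& info, const std::string& url) {
    auto it = policy.find(info.type);
    if (it == policy.end()) return false;              // default deny when no rule exists
    for (const auto& allowed : it->second)
        if (allowed == originOf(url)) return true;
    return false;
}
// Models the network layer: follows redirects and re-applies the check with the
// unchanged LoadInfo on each hop. Returns the final URL fetched, or "" if blocked.
std::string openChannel(const Policy& policy, const LoadInfo& info, std::string url,
                        const std::map<std::string, std::string>& redirects) {
    for (int hop = 0; hop < 5; ++hop) {                 // bound the redirect chain
        if (!policyAllows(policy, info, url)) return "";
        auto r = redirects.find(url);
        if (r == redirects.end()) return url;           // no redirect: this is the final load
        url = r->second;                                // follow; info stays attached
    }
    return "";                                          // too many redirects
}
// Constructed scenario: the CDN script URL redirects to an origin the policy omits,
// while the image URL redirects within an allowed origin.
static const Policy kSamplePolicy = {
    {ContentType::Script, {"https://app.example", "https://cdn.example"}},
    {ContentType::Image,  {"https://app.example", "https://img.example"}}};
static const std::map<std::string, std::string> kSampleRedirects = {
    {"https://cdn.example/lib.js", "https://unlisted.example/lib.js"},
    {"https://img.example/a.png", "https://img.example/b.png"}};
std::string loadSampleScript() {  // redirect target not allowed -> ""
    return openChannel(kSamplePolicy, {"https://app.example", ContentType::Script},
                       "https://cdn.example/lib.js", kSampleRedirects);
}
std::string loadSampleImage() {   // allowed redirect -> "https://img.example/b.png"
    return openChannel(kSamplePolicy, {"https://app.example", ContentType::Image},
                       "https://img.example/a.png", kSampleRedirects);
}
```

In the legacy layout described above, ScriptLoader would have checked only the first URL; here the check lives in openChannel, so the script load is refused at the redirect hop without any loader needing to opt in.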
Image: Akamdar, CC BY 2.0 license.