Category Archives: firefox

Content Security Policy; Great! or Wait?

A couple of days ago I had another look at Content Security Policy, a technology that allows a site to tell a browser resources are allowed to be loaded to protect against XSS and some other types of web application vulnerabilities. CSP was originally devised by the Firefoxians, but is in the process of being standardized by the W3C with support in Firefox, Chrome, Safari and even the upcoming Internet Explorer 10.

Great!
The functionality offered by CSP (blocking requests that are not allowed) is pretty close to what WP DoNotTrack tries to do, so I decided I’d try to integrate CSP in my plugin, based on the following assumptions:

  • CSP-mode will only work for WP DoNotTrack if it is configured to use a whitelist
  • As most WordPress+plugins installations are bound to have pages with at least inline JavaScript and/or style, I have to add “unsafe-inline” to allow those to continue to work (which indeed limits the level of protection against XSS-attacks)
  • Given that a lot (most?) WordPress installations implement WP Super Cache of W3 Total Cache, it will -at least in a first stage- only kick in if WP  DoNotTrack is configured to filter unconditionally
  • Ideally the JavaScript-based component of WP DoNotTrack would “see” that CSP was activated and would not perform those nifty JavaScript AOP trickery

The “proof of concept”-quality code I ended up adding to wp-donottrack.php was pretty simple:

function wp_donottrack_csp() {
 global $listmode;
 if ($listmode==="1") {
  $whitelist=wp_donottrack_getWhiteList(true);
  $csp="default-src 'self' 'unsafe-inline'";

  if (is_array($whitelist)) {
   foreach ($whitelist as $white) {
    $csp.=" *.".$white;
   }
  }

  header("X-Content-Security-Policy: " . $csp); //FF & MSIE10
  header("Content-Security-Policy: ". $csp); //new standard
  header("X-WebKit-CSP: " . $csp); //chrome & safari
 }
}

add_action('init', 'wp_donottrack_csp', 10, 0);

Wait?
With this code on my testblog I started playing around in a couple of browsers. Based on that experience I found the following limitations:

So in this particular context (and specifically the absolute need for “unsafe-inline”), I’ve decided to hold off implementing CSP (I might implement iFrame sandboxing as support for that is coming with IE10 and will probably also land in Firefox 17). But if you have full control over a particular website or -application (meaning you can remove all inline JavaScript and CSS and all instances of evals in insourced JavaScript) and you want to harden your installation to stop cross-site scripting, you really should start thinking about implementing CSP (as Twitter seems to have done already)!

Firefox preferences for greater privacy

Although browser addons such as NoScript and Ghostery (which is cross-browser with some limitations) provide great protection against tracking, some people prefer not to have to install plugins. Firefox does have configuration options to somewhat limit what trackers can do. You can follow the knowledge base article here to learn how to disable 3rd party cookies (the default setting in Safari, which Google was caught circumventing).

If you’re up to it, you also simply open up the almighty “about:config” and tinker with the following settings (some of which aren’t available in the browser UI):

  • network.cookie.cookieBehavior with values:
    • “0”: allow all cookies (default)
    • “1”: don’t allow 3rd party cookies
    • “2”: don’t allow any cookies
  • network.cookie.thirdparty.lifetimePolicy with values:
    • “0”: keep cookies for as long as the server asks
    • “1”: ask the user on each and every cookie set (try it out if only for fun, you’d be surprise how much cookies are set)
    • “2”: cookie gets deleted when you close your browser (i.e. at the end of the session)
    • “3”: cookies have a lifetime as defined in the “network.cookie.lifetime.days ” preference
  • network.cookie.thirdparty.sessionOnly: set to “true” or “false”
  • privacy.donottrackheader.enabled: set to “false” (default) or “true”, which gently asks sites not to track you

Setting “network.cookie.thirdparty.sessionOnly” to “true” is a low-impact change which should stop tracking-companies (think Media6degrees or Quantcast) from following you around the web.

If you want to stop Facebook, Google & Co to stop tracking you around the web as well, the above setting will not suffice. You should either log out of their sites as soon as you’ve done your business there or set “network.cookie.cookieBehavior” to “1” (which will break their “social widgets”). Or you can install Ghostery or NoScript, off course.

Iframe sandboxing support coming soonish

Did you know you can limit the damage an iframe can do by adding the “sandbox” attribute? And that you can add a value to that attribute to loosen your grip if you choose to do so?

I remember reading about this a couple of years ago or so, but forgot as  support for this html5 spec was limited to Chrome (Apple added support in Safari as well). But while investigating a problem a WP DoNotTrack-user was facing, I re-discovered iframe sandboxing (it effectively stopped the javascript-based tracking inside the iframe) and noticed that support for it is to be included in Internet Explorer 10 and that Mozilla is finally working on an implementation as well.

So yeah, the option to sandbox iframe’s pointing to blacklisted (or non-whitelisted) hostnames will probably be in a future version of WP DoNotTrack. Stay tuned!

Firefox 6 on Ubuntu Linux swapping like crazy

Firefox 6 got pushed on my Ubuntu 11.04 netbook as an update a couple of days ago and things were badly broken; memory usage was skyrocketing, the kswapd was eating almost all CPU and the system was pretty much in a continuous wait-state.

After some cursing and a lot of Scroogling, I finally stumbled across this blogpost which described the exact same problem and advised to set  “layers.acceleration.force-enabled” (which tries to force hardware acceleration, which isn’t supported on Linux by default) back to “false” in about:config. And indeed this small rollback solved my memory-woes. Guess I shouldn’t have dismissed that silly about:config warning message after all.

And while we’re on the subject; Firefox 7 should see substantial improvements in memory usage, yay!

Code Rush: watching Mozilla’s history in the making

A couple of days ago I saw “Code Rush“, a non-fiction movie about life at Netscape while they were in the process of open sourcing their browser in 1998. It’s a great documentary about a defining moment in the history of the web, touching on subjects like code & quality (zarro boogs), the fight with Microsoft, the awkward marriage with AOL, the stock market, technology start-up culture and work versus life.

Netscape Mozilla Documentary 1998 – 2000 ProJect Code Rush – creative common licence

Watch this video on YouTube.

Open sourcing Communicator didn’t save Netscape as a company, but it did allow the Mozilla Organization to create a whole new browser suite based on XUL and NGlayout (later Gecko), which were 2 important building blocks for Phoenix, a standalone browser (instead of a suite) which we now know as Firefox.

Code Rush aired in 2000 on PBS in the States, but was released under a Creative Commons license in 2009. You can check out all footage (and search the transcripts) on clickmovement.org.

Fire and Fox don’t make no Firefox

Apparently the Firefox-brand is  that strong that some want to be associated with it. But I’m not sure Mozilla (the not-for-profit or the corp) is fine with the blatant … “re-use” of their artwork.

The irony; Fox security offers fire- & theft-detection. But never mind, we’ve got Firefox 4 (beta7) to look forward to, haven’t we?

But how unstable is Flash really?

You probably read that  Steve Jobs officially declared Flash a stability nightmare and that Adobe’s CEO responded that OS X is to blame. Hard to take sides in this blame-game, especially without access to Apple’s crash reports data. We do, however, have access to Mozilla’s crash-stats.mozilla.com. Could those figures provide us with at least some relevant statistics about Flash’s reliability?

I imported this csv-file with the top 300 crashers for Firefox 3.6.3 for the last 50 days (3.6.3 was released on April 1th) into a Google Docs spreadsheet and counted the number of crashes for each line where “Flash” or “NPSWF32” is in the signature (SUMIF without wildcard characters, seriously Google!?). You can find the spreadsheet here, but these are the results:

total number crash reports for top 300 crashers:3583582
crash reports with “NPSWF32” or “Flash” in signature:1154488
flash-related crashes %:32.22%

That’s right; almost 1/3 of the Firefox 3.6.3 “top crashers” are clearly related to Flash! So yes, there is good reason to consider plugins in general and Flash in particular a stability risk for Firefox. And for the record, the numbers for Mac seem to indicate that the problem is even (much) worse there! So hurray for Firefox 3.6.4 with Out of Process Plugins! And hey Adobe, get your Flash together!