Roadblocks erected against untrusted content and unwanted ads
Mozilla has added a number of features that collectively bolster the security of its Firefox browser.
Potentially insecure HTTP downloads from HTTPS pages will be blocked by default by Firefox 93, which started to land on users’ desktops as a stable branch release yesterday (October 5).
In addition, downloads initiated from sandboxed iframes will be blocked, unless the 'allow-downloads' flag is set in the iframe's sandbox attribute.
Firefox 93 also disables Triple DES by default, deprecating an obsolete encryption algorithm.
Other changes mean that Firefox 93 debuts improved privacy protections with SmartBlock 3.0.
If Private Browsing and Strict Tracking Protection are engaged, SmartBlock will block third-party scripts, images, and other content from “cross-site tracking companies reported by Disconnect”.
This is not an ad blocking technology as such, but rather an approach that blocks tracking technologies used by some ad slingers, as explained in another blog post by Mozilla.
The latest version of the open source browser also features new referrer tracking protections: Firefox 93 will prevent websites from downgrading referrer policies for cross-site requests when Strict Tracking Protection and Private Browsing are activated.
The browser will also trim the HTTP referrer for cross-site requests, regardless of the website’s settings.
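The referrer trimming described above can be modelled in a few lines. This is an added example, not Mozilla's code: the function names are hypothetical, "cross-site" is approximated by an origin comparison (browsers compare registrable domains), a downgrade is approximated as HTTPS to HTTP, and the fallback is assumed to be strict-origin-when-cross-origin, Firefox's default policy since version 87.

```javascript
// Added illustration: models which Referer value reaches another site once
// lax referrer policies are ignored for cross-site requests.
// Function names are hypothetical; this is not Firefox source code.
const DEFAULT_POLICY = 'strict-origin-when-cross-origin';
// Policies that would expose more than the origin to a different site.
const LAX_POLICIES = new Set([
  'unsafe-url', 'no-referrer-when-downgrade', 'origin-when-cross-origin',
]);

// Assumption: origin comparison stands in for the browser's eTLD+1 check.
function isCrossSite(from, to) {
  return from.origin !== to.origin;
}

// A site-declared lax policy is overridden only for cross-site requests.
function effectivePolicy(declared, from, to) {
  if (!declared) return DEFAULT_POLICY;
  return isCrossSite(from, to) && LAX_POLICIES.has(declared)
    ? DEFAULT_POLICY : declared;
}

// Returns the Referer string that would be sent, or null if none is sent.
function referrerFor(pageUrl, targetUrl, declaredPolicy) {
  const from = new URL(pageUrl);
  const to = new URL(targetUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const full = from.origin + from.pathname + from.search; // no fragment
  const originOnly = from.origin + '/';
  switch (effectivePolicy(declaredPolicy, from, to)) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case DEFAULT_POLICY:
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown referrer policy: ' + declaredPolicy);
  }
}

// Constructed sample: a search page that declares the laxest policy.
const SEARCH_PAGE = 'https://shop.example/search?q=private+query';
console.log(referrerFor(SEARCH_PAGE, 'https://other.example/', 'unsafe-url'));
```

Stricter site policies such as no-referrer are left untouched by the override; only the three lax values are replaced, and only when the request leaves the site.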
Gareth Hayes, a browser technology security expert and security researcher at PortSwigger, the parent company of The Daily Swig, welcomed Mozilla's browser security improvements.
"These are good changes, sandboxed iframes are often used to embed untrusted content - usually adverts," Hayes commented. "Preventing sandbox iframes from downloading files definitely improves security and prevents malicious adverts from forcing a download on the user."
The security researcher continued: "Blocking HTTP downloads is another good feature because someone on the same network could change your download."
Stricter referrer controls will also improve user privacy for Firefox users, according to Hayes, tightening up features that debuted with Firefox 87.
Hayes explained: "The referrer change is also good for security, any cross-site requests in Firefox 93 will not send the full referrer. This means, for example, that when you search for something on a web site and click a link to another site it cannot see the query you did on the other site by looking at the referrer."
Released yesterday (October 5), Firefox 93 comes bundled with several security fixes, including mitigations for a use-after-free bug in MessageTask, along with several high-severity memory safety issues.