4. At Black Hat on Wednesday, a trio of security representatives from Mozilla detailed how the company plans to push the browser to be more secure for users while nudging developers towards safer coding practices.
Mozilla Security Program Manager Brandon Sterne demonstrated on Wednesday how this ostensibly dull code, which is part of Firefox 4's new Content Security Policy, will make the next-generation browser safer.
One of the biggest fixes that's been implemented in the Firefox 4 beta (Windows
) repairs a hole that affects all browsers, a decade-old vulnerability that was mentioned in the documentation for CSS2. The exploit is a CSS sniffing history attack, where malicious code can gain access to your browser history by manipulating link appearance and style. What made the bug so difficult to repair is that the simplest solution, to prevented all link style manipulation, would be like throwing the baby out with the bathwater said Firefox's director of development, Jonathan Nightingale. Changing an already-visited link's colors is one the most-used features of the Web, and it would be catastrophic to prevent that.
Mozilla's David Baron figured out how