Additional security is always a good thing, right? Mozilla is currently working on a patch that is improving the add-on security of the Firefox web browser. The initial idea appeared on Bugzilla in 2010 and is rather technical in nature. Firefox add-ons currently can expose privileged objects to web content which is something that should not happen in first place as websites may be able to access contents that they should not have access to.
To resolve the issue, Mozilla had the idea that objects had to be whitelisted explicitly by the add-on before web pages can access them.The company has added the feature to Firefox 15 Beta and all other development channels in a non-restrictive way. Instead of blocking access to the object outright, the browser will report any error in the browser's error console. From Firefox 17 on, the whitelisting becomes mandatory in the web browser which may have the consequence that add-ons that you rely on may not work properly anymore if the developer of the extension failed to update it in time to reflect the change. Chance is though that Mozilla may post pone the release in Firefox 17 if too many add-ons turn out to be incompatible at the release date.
It needs to be noted that this affects add-ons that share objects with the content, and that it won't affect add-ons that do not do that. Mozilla is asking developers to look at the error console output of their extensions to make sure it is not throwing error messages. Developers should see a message like "Error: Exposing chrome JS objects to content without __exposedProps__ is insecure and deprecated" here in this case.
A new post on the Mozilla blog explains what add-on developers have to change in this case to make sure that their add-on continues to work in Firefox 17.
Mozilla in addition will notify Jetpack author add-ons with information on how to update the add-ons with the most recent version to resolve issues such as memory leaks and security related issues such as this.
If you are a user of the Firefox browser and using at least the beta version, you can check the error log yourself to see if any of your extension will break in Firefox 17. You can open the error console with Ctrl-Shift-J.
If you like our content, and would like to help, please consider making a contribution: