Firefox 79 makes some links more secure

Martin Brinkmann
Jun 25, 2020
Updated • Jun 25, 2020

Mozilla plans to introduce a change in an upcoming version of Firefox Stable that makes the handling of links more secure. The organization introduced an option in Firefox Nightly back in November 2018 that set the link attribute rel="noopener" if target="_blank" is set.

The target="_blank" directive orders the web browser to open the target of the link in a new browser tab; otherwise, the link will be opened in the same tab.

The problem with target="_blank" is that the resource of the link gets full control over the originating window object even if it is a different site. You can check out this -- harmless -- demo of how the linked resource may manipulate content on the originating page.

Basically, it allows the target site to change content on the originating site, e.g. to use it for phishing or to change information on the originating page. A user who switches back to the originating tab might not notice the manipulation.

Advertisers may abuse the functionality as well, e.g. to display advertisements on the linking site.

Webmasters may set rel="noopener" for links to protect users and their sites against any form of manipulation. We set the attribute for all links automatically here on Ghacks, but many sites don't.

Mozilla plans to set rel="noopener" for all links that use target="_blank" from Firefox 79 onward. It is interesting to note that setting rel="noopener" may also improve performance.

Webmasters who want to retain the classic behavior need to set rel="opener" manually to ensure that the functionality remains active.
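The audit below is an added example, not code from Ghacks or Mozilla: it classifies every target="_blank" link in an HTML string by its rel keywords and adds rel="noopener" where none is set, leaving an explicit rel="opener" untouched. The function names and the example.org sample markup are assumptions made for illustration.

```javascript
// Added example (not Ghacks or Mozilla code). Regex scanning is a simplification
// for well-formed anchor tags; use a real HTML parser on arbitrary markup.
const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const REL_ATTR_RE = /\srel(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?(?=[\s\/>])/i;

// Constructed sample markup; the example.org URLs are placeholders.
const SAMPLE = [
  '<a href="https://example.org/a" target="_blank">A</a>',
  '<a href="https://example.org/b" target="_blank" rel="nofollow">B</a>',
  '<a href="https://example.org/c" target="_blank" rel="noopener noreferrer">C</a>',
  '<a href="https://example.org/d" target="_blank" rel="opener">D</a>',
  '<a href="/local">E</a>',
].join("\n");

// Parse one opening <a ...> tag into a map of lowercase attribute names.
function parseAttrs(tag) {
  const attrs = {};
  const inner = tag.replace(/^<a\b/i, "").replace(/\/?>$/, "");
  for (const m of inner.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// "n/a": no target="_blank"; "safe": rel has noopener or noreferrer
// (noreferrer implies noopener); "opt-in": rel="opener" keeps window.opener;
// "implicit": protected only by browsers that default to noopener.
function classify(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return "n/a";
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  if (rel.includes("noopener") || rel.includes("noreferrer")) return "safe";
  if (rel.includes("opener")) return "opt-in";
  return "implicit";
}

// Add rel="noopener" to every "implicit" link, keeping existing rel keywords.
function hardenLinks(html) {
  const report = [];
  const out = html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttrs(tag);
    const status = classify(attrs);
    report.push({ href: attrs.href || "", status });
    if (status !== "implicit") return tag;
    const rel = [(attrs.rel || "").trim(), "noopener"].filter(Boolean).join(" ");
    return tag.replace(REL_ATTR_RE, "").replace(/\s*\/?>$/, () => ` rel="${rel}">`);
  });
  return { html: out, report };
}
```

Links reported as "opt-in" are the ones to review by hand, since they keep window.opener available to the linked page on purpose.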

Mozilla plans to release Firefox 79 on July 28, 2020 according to the Firefox release schedule. It is unclear why it took so long to get implemented in Firefox Stable.

Apple introduced the same functionality in the company's Safari browser in March 2019, and Google plans to introduce it in Chrome as well in the future.

Firefox users and other browser users can also install browser extensions such as Don't Touch My Tabs to set rel="noopener" automatically.

Now You: Do you check links before you click on them? (via Sören Hentzschel)


Comments

  1. if it bleeds it leads said on June 28, 2020 at 12:13 am

    Or, if they wanted a better solution, websites with any importance can offer free Tor .onion links. The newest Tor Browser supports websites with an .onion option for users to simply click on, sending them to their secure .onion hidden service.

  2. Tsami said on June 25, 2020 at 5:59 pm

    There’s a Firefox recommended extension, “Don’t touch my tabs! (rel=noopener)” by Jeroen Swen that addresses this issue. It’s at https://addons.mozilla.org/en-US/firefox/addon/dont-touch-my-tabs/. Perhaps Firefox is incorporating it.

    1. Cookie_Monster said on June 27, 2020 at 6:31 am

      Can the Temporary Containers addon address the problem dom.targetBlankNoOpener is trying to solve? I’m also using ESR 60, which does not support dom.targetBlankNoOpener.

      1. Ed said on June 27, 2020 at 8:37 am

        I doubt it. As you also can’t use the extension mentioned above, use the userscript mentioned above.

    2. Claymore said on June 25, 2020 at 11:07 pm

      The addon didn’t work for me at https://mathiasbynens.github.io/rel-noopener/ but the following userscript does:
      https://greasyfork.org/de/scripts/398805-noopener-everywhere/

      Maybe other users have the same problem and now they have an alternative way to get around :)

    3. Yuliya said on June 25, 2020 at 6:15 pm

      You can already do this with no extensions.
      dom.targetBlankNoOpener.enabled;true

      1. happysurf said on June 26, 2020 at 6:26 am

        Thank you very much for the tip.

  3. Jody Thornton said on June 25, 2020 at 4:11 pm

    Has anyone come up with a way to make Firefox 77+ run in a single process? I tried running it, and if I use the environment variable MOZ_FORCE_DISABLE_E10S = 1, websites render as gibberish. Firefox 77 works if I delete the environment variable in Windows.

    All of the prefs that disabled e10s were disabled prior to ESR 68. I ask because ESR 78 is around the corner, and if Waterfox rebases on it, I’m screwed in this respect.

    1. Iron Heart said on June 25, 2020 at 5:49 pm

      @Jody Thornton

      Jody, my main man, if you are starving for RAM, I suggest upgrading your RAM. The only browsers that will be consistently single-process in the future are Pale Moon and Basilisk (not that this is a good idea)…

      1. Anonymous said on June 25, 2020 at 11:50 pm

        Yea, those pre-quantum Gecko browsers are not safe at all. Not a good idea.

      2. Kubrick said on June 26, 2020 at 10:34 am

        @Anonymous.

        why would that be please?
        I have used pale moon for a good many years with no issues.

      3. Iron Heart said on June 26, 2020 at 7:27 am

        @Anonymous

        Waterfox Current is based on Firefox Quantum ESR 68, only Waterfox Classic is pre-Quantum.

      4. Jody Thornton said on June 25, 2020 at 6:14 pm

        @Iron Heart

        Oh no I have 16 GB, so I’m good there, but I find overall performance seems spiffier in a single process.
        :)

    2. Ayy said on June 25, 2020 at 4:59 pm

      why would you want to do that? it would disable sandboxing of addons and web content processes thus making you significantly more vulnerable to attacks.

      1. Yuliya said on June 25, 2020 at 5:31 pm

        >it would disable sandboxing of addons and web content processes thus making you significantly more vulnerable to attacks
        the user-facing settings are pretty useless. you get like 8 processes to handle hundreds of websites. it’s literally the worst of both worlds. you have to dig through about config to properly leverage this feature: i.imgur.com/dngd7yz.png
        fairly sure close to nobody is using this since mozilla decided to hide it away.

  4. Ozan said on June 25, 2020 at 2:56 pm

    Looks like a small but important step towards protecting firefox users. I would also like to see spoofing attacks using punycode IDNs being fixed in Firefox – I believe this was fixed in Chrome two years ago.

    https://arstechnica.com/information-technology/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want/

    https://bugzilla.mozilla.org/show_bug.cgi?id=279099

    1. Anonymous said on July 9, 2020 at 2:46 pm

      @Ozan: network.IDN_show_punycode true.

    2. Iron Heart said on June 25, 2020 at 5:39 pm

      Firefox doesn’t even have much of a sandbox, the things mentioned in the article and by you are the least of your worries, friend:

      https://grapheneos.org/usage#web-browsing

      1. Anonymous said on June 25, 2020 at 9:45 pm

        This is outdated information you are sharing https://superuser.com/a/1309274/748438

      2. Iron Heart said on June 26, 2020 at 7:26 am
      3. Anonymous said on June 26, 2020 at 9:16 pm

        Okay, got it.

        `You cannot question Daniel Micay and his right hand madaidan. They are the greatest privacy folks on earth. You only praise them, garland them and worship them, for you are a puny redditor on the internet with unverifiable identity boot code.`

        Some valid points, but ultimately too narrow.

      4. Iron Heart said on June 27, 2020 at 8:50 am

        @Anonymous

        That’s not at all what I’ve said or even implied. Daniel Micay is a respected security researcher, though, his project produces one of the most secure mobile operating systems worldwide, even Edward Snowden has endorsed it. Micay also rewrote the memory allocator of Firefox, hardening it in the process, but as with almost all Bugzilla bugs, it was left rotting by Mozilla. Things like the ugly megabar apparently are of higher priority to them…

        And I don’t think there is a connection between Micay and “madaidan” (didn’t even know who that was, had to look it up), aside from “madaidan” quoting Micay once. But then, Whonix is one of the most secure desktop operating systems, and much like GrapheneOS, it does intentionally not contain any trace of Mozilla software. Makes one think, doesn’t it?

        Firefox used to be a single process browser without a sandbox, much like Pale Moon still is today, modern security features had to be frankensteined onto it over the years. It’s not surprising at all that it is way behind Chromium in terms of security, as Chromium was designed with modern security features in mind.
