Firefox 79 makes some links more secure
Mozilla plans to introduce a change in an upcoming version of Firefox Stable that makes the handling of links more secure. The organization introduced an option in Firefox Nightly back in November 2018 that set the link attribute rel="noopener" if target="_blank" is set.
The target="_blank" directive orders the web browser to open the target of the link in a new browser tab; otherwise, the link will be opened in the same tab.
The problem with target="_blank" is that the resource of the link gets full control over the originating window object even if it is a different site. You can check out this -- harmless -- demo of how the linked resource may manipulate content on the originating page.
Basically, it allows the target site to change content on the originating site, e.g. to use it for phishing or to change information on the originating page. A user who switches back to the originating tab might not notice the manipulation.
Advertisers may abuse the functionality as well, e.g. to display advertisement on the linking site.
Webmasters may set rel="noopener" for links to protect users and their sites against any form of manipulation. We set the attribute for all links automatically here on Ghacks, but many sites don't.
Mozilla plans to set rel="noopener" for all links that use target="_blank" from Firefox 79 onward. It is interesting to note that setting rel="noopener" may also improve performance.
Webmasters who want to retain the classic behavior need to set "rel="opener" manually to ensure that the functionality remains active.
Mozilla plans to release Firefox 79 on July 28, 2020 according to the Firefox release schedule. It is unclear why it took so long to get implemented in Firefox Stable.
Apple has introduced the same functionality in the company's Safari browser in March 2019, and Google plans to introduce it in Chrome as well in the future.
Firefox users and other browser users can also install browser extensions such as Don't Touch My Tabs to set rel="noopener" automatically.
Now You: Do you check links before you click on them? (via Sören Hentzschel)
Or, if they wanted a better solution, websites with any importance can offer free Tor .onion links. The newest Tor Browser supports websites with an .onion option for users to simply click on, sending them to their secure .onion hidden service.
There’s a Firefox recommended extension, “Don’t touch my tabs! (rel=noopener)” by Jeroen Swen that addresses this issue. It’s at https://addons.mozilla.org/en-US/firefox/addon/dont-touch-my-tabs/. Perhaps Firefox is incorporating it.
Can the Temporary Containers addon address the problem dom.targetBlankNoOpener is trying to solve? I’m also using ESR 60, which does not support dom.targetBlankNoOpener.
I doubt it. As you also can’t use the extension mentioned above, use the userscript mentioned above.
The addon didn’t work for me at https://mathiasbynens.github.io/rel-noopener/ but the following userscript does:
https://greasyfork.org/de/scripts/398805-noopener-everywhere/
Maybe other users have the same problem and now they have an alternative way to get around :)
You can already do this with no extensions.
dom.targetBlankNoOpener.enabled;true
Thank you very much for the tip.
Has anyone come up with a way to make Firefox 77+ run in a single process? I tried running it, and if I use the environment variable MOZ_FORCE_DISABLE_E10S = 1, websites render as gibberish. Firefox 77 works if I delete the environment variable in Windows.
All of the prefs that disabled e10s were disabled prior to ESR 68. I ask because ESR 78 is around the corner, and if Waterfox rebases on it, I’m screwed in this respect.
@Jody Thornton
Jody, my main man, if you are starving for RAM, I suggest upgrading your RAM. The only browsers that will be consistently single-process in the future are Pale Moon and Basilisk (not that this is a good idea)…
Yea, those pre-quantum Gecko browsers are not safe at all. Not a good idea.
@Anonymous.
why would that be please.?
I have used pale moon for a good many years with no issues.
@Anonymous
Waterfox Current is based on Firefox Quantum ESR 68, only Waterfox Classic is pre-Quantum.
@Iron Heart
Oh no I have 16 GB, so I’m good there, but I find overall performance seems spiffier in a sngle process.
:)
why would you want to do that? it would disable sandboxing of addons and web content processes thus making you significantly more vulnerable to attacks.
>it would disable sandboxing of addons and web content processes thus making you significantly more vulnerable to attacks
the user-facing settings are pretty useless. you get like 8 processes to handle hundreds of websites. it’s literally the worst of both worlds. you have to dig through about config to properly laverage this feature: i.imgur.com/dngd7yz.png
fairly sure close to nobody is using this since mozilla decided to hide it away.
Looks like a small but important step towards protecting firefox users. I would also like to see spoofing attacks using punycode IDNs being fixed in Firefox – I believe this was fixed in Chrome two years ago.
https://arstechnica.com/information-technology/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want/
https://bugzilla.mozilla.org/show_bug.cgi?id=279099
@Ozan: network.IDN_show_punycode true.
Firefox doesn’t even have much of a sandbox, the things mentioned in the article and by you are the least of your worries, friend:
https://grapheneos.org/usage#web-browsing
This is outdated information you are sharing https://superuser.com/a/1309274/748438
@Anonymous
Not outdated at all: https://old.reddit.com/r/firefox/comments/gokcis/firefox_is_insecure_refuted/frh286y/
Okay, got it.
`You cannot question Daniel Micay and his right hand madaidan. They are the greatest privacy folks on earth. You only praise them, garland them and worship them, for you are a puny redditor on the internet with unverifiable identity boot code.`
Some valid points, but ultimately too narrow.
@Anonymous
That’s not at all what I’ve said or even implied. Daniel Micay is a respected security researcher, though, his project produces one of the most secure mobile operating systems worldwide, even Edward Snowden has endorsed it. Micay also rewrote the memory allocator of Firefox, hardening it in the process, but as with almost all Bugzilla bugs, it was left rotting by Mozilla. Things like the ugly megabar apparently are of higher priority to them…
And I don’t think there is a connection between Micay and “madaidan” (didn’t even know who that was, had to look it up), aside from “madaidan” quoting Micay once. But then, Whonix is one of the most secure desktop operating systems, and much like GrapheneOS, it does intentionally not contain any trace of Mozilla software. Makes one think, doesn’t it?
Firefox used to be a single process browser without a sandbox, much like Pale Moon still is today, modern security features had to be frankensteined onto it over the years. It’s not surprising at all that it is way behind Chromium in terms of security, as Chromium was designed with modern security features in mind.