behind Trusted Types is that it allows web applications to
instruct the browser to only accept non-spoofable, typed
values in place of strings for known DOM XSS sinks and
hence provides a mechanism to prevent DOM based XSS
in web applications. Since in our case we had control over
both, the user agent and the web application code in form
of the user interface code we did not have to annotate any
of our web application code. Instead we modified sinks
within the user agent directly to not allow any calls to
eval() and also to not allow any non-browser packaged
resources to load in system privileged context.
In addition, our work was inspired by numerous
surveys and evaluations of browser security mecha-
nisms ranging from the problematic situation of grant-
ing third-party script access to application internals [20]
to highlighting JavaScript security mechanisms within a
browser [1].
In particular, our efforts focused on preventing priv-
ilege escalation attacks which would allow an attacker
to fully take control of a users computer. Even though
systems like Fidelius [8] - an architecture which protects
user secrets even if the entire underlying browser is fully
controlled by an attacker - would at least protect an end
users private data, any privilege escalation attacks would
still allow an attacker to perform arbitrary actions. To
lower the risk of privilege escalation attacks, our presented
work was further inspired by our colleagues who have pro-
vided a multitude of DOM based XSS prevention mech-
anisms [16], [17], [26], [27], [29]. In principle, privilege
escalation prevention in a browser setting is fundamentally
equivalent to XSS prevention techniques.
Even though server side techniques for preventing
XSS do not directly apply to our presented hardening
efforts, they still provided valuable input for our work [7].
Before applying a strong CSP to Firefox internal pages
we evaluated the effectiveness on the different strategies to
apply a CSP, ranging from allow-list based CSPs to nonce-
based CSPs. Ultimately our hardening techniques require
a guard which blocks all inline script from execution,
hence we settled on a scheme-based CSP which does not
allow any scripts outside of our shipped product, much
less ‘unsafe-inline’ and hence does not allow any
injected script to execute. Still, works from our colleagues
on CSP [2], [3], [11], [14], [22], [24], [25], [35], [36]
heavily motivated and supported our undertaking of hard-
ening the security landscape of Firefox.
8. Conclusion
We have presented techniques which harden the Fire-
fox web browser against privilege escalation attacks.
While the provided implementation and described prac-
tical effort was specific to the Firefox web browser,
the presented hardening techniques apply to all applica-
tions which load and interact with untrusted code like
JavaScript. As more and more applications are built on
top of web technologies the presented techniques target
any application that displays or executes untrusted content
alongside trusted and relies on HTML and JavaScript for
both. We have shown that removing insecure code frag-
ments from a codebase limits the attack surface against
code injection attacks and hence provides a strong first
line of defense against arbitrary code execution.
Acknowledgments
Thanks to everyone in Security, Privacy, Networking
Engineering at Mozilla for their feedback, reviews, and
thought-provoking discussions. In particular, thanks to
Steven Englehardt, Thyla van der Merwe, Ethan Tseng,
Wennie Leung, Selena Deckelmann, Vinothkumar Na-
gasayanan, Jonas Allmann, and Bobby Holley. Finally,
also big thanks to Stefan Brunthaler and Mario Heiderich
for their insightful comments.
References
[1] N. Bielova. Survey on JavaScript security policies and their
enforcement mechanisms in a web browser. In The Journal of
Logic and Algebraic Programming. Elsevier, 2013.
[2] S. Calzavara, A. Rabitti, and M. Bugliesi. Content security prob-
lems?: Evaluating the effectiveness of content security policy in
the wild. In Proceedings of the Conference on Computer and
Communications Security. ACM, 2016.
[3] S. Calzavara, A. Rabitti, and M. Bugliesi. Semantics-based analysis
of content security policy deployment. ACM Transactions on the
Web, 2018.
[4] Cameron McCormack. WebIDL Level 1. https://www.w3.org/TR/
WebIDL-1/, 2016. (checked: February, 2020).
[5] Christoph Kern. Securing the Tangled Web. https://queue.acm.org/
detail.cfm?id=2663760, 2014. (checked: February, 2020).
[6] G. Corporation. Google Safe Browsing. https://safebrowsing.
google.com/, 2007. (checked: February, 2020).
[7] A. Doup
´
e, W. Cui, M. Jakubowski, M. Peinado, C. Kruegel, and
G. Vigna. deDacota: toward preventing server-side XSS via auto-
matic code and data separation. In Proceedings of the Conference
on Computer and Communications Security. ACM, 2013.
[8] S. Eskandarian, J. Cogan, S. Birnbaum, P. Brandon, D. Franke,
F. Fraser, J. Garcia, E. Gong, H. Nguyen, T. Sethi, V. Subbiah,
M. Backes, G. Pellegrino, and D. Boneh. Fidelius: Protecting
User Secrets from Compromised Browsers. In Proceedings of the
Symposium on Security and Privacy. IEEE, 2018.
[9] N. Golubovic. Attacking Browser Extensions. https://golubovic.
net/thesis/master.pdf, 2016. (checked: February, 2020).
[10] N. Hardy. The Confused Deputy: (or why capabilities might have
been invented). In SIGOPS Operating Systems Review 22. ACM,
1985.
[11] D. Hausknecht, J. Magazinius, and A. Sabelfeld. May I?-Content
Security Policy Endorsement for Browser Extensions. In Proceed-
ings of the International Conference on Detection of Intrusions and
Malware, and Vulnerability Assessment. Springer-Verlag, 2015.
[12] B. Hoehrmann. The ’javascript’ resource identifier scheme. https:
//tools.ietf.org/html/draft-hoehrmann-javascript-scheme-03, 2010.
(checked: February, 2020).
[13] C. Kerschbaumer. Enforcing Content Security by default within
Web Browsers. In Proceedings of Cybersecurity Development
Conference. IEEE, 2016.
[14] C. Kerschbaumer., S. Stamm., and S. Brunthaler. Injecting CSP for
Fun and Security. In Proceedings of the International Conference
on Information Systems Security and Privacy. Springer, 2016.
[15] Kotowicz, Krzysztof and West, Mike. Trusted Types -
Editor’s Draft, 15 January 2020. https://w3c.github.io/
webappsec-trusted-types/dist/spec/, 2020. (checked: February,
2020).
[16] S. Lekies, B. Stock, and M. Johns. 25 Million Flows Later:
Large-Scale Detection of DOM-Based XSS. In Proceedings of
the Conference on Computer and Communications Security. ACM,
2013.
[17] W. Melicher, A. Das, M. Sharif, L. Bauer, and L. Jia. Riding
out DOMsday: Towards Detecting and Preventing DOM Cross-Site
Scripting. In NDSS, 2018.