We have seen inline event handlers being used as a tool for gaining code execution in the parent process, e.g. during Pwn2Own. To prevent this going forward we removed all inline event handlers from browser.xhtml and since today they are also actively being blocked in Nightly builds [1]. We plan on shipping this mitigation to release versions of Firefox after evaluating the Telemetry results.
Furthermore we ask you to not introduce new inline event handlers in *any* new UI code, because we are progressively trying to remove them from all other windows/dialogs [2]. For example the Page Info or Library window. (As a start we focusing on those windows that show data coming from the web) If you are writing or using a modified version of Firefox (e.g. userChrome JS) you have two options: - Rewrite your code to add event handlers using `addEventListener()` rather than in HTML. - Disable the pref (security.browser_xhtml_csp.enabled) and be unprotected against potential attacks. However we can’t guarantee that this pref will exist forever. Thank you Tom [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1937080 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1935985 -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CA%2BCWiYhPLttMJJpADYAVhPhKRDZ1wpOBTU%3D_VZkiHu1_Qux9QA%40mail.gmail.com.
