30 Jun 2009
Mozilla has confirmed that it will be making the final version of Firefox 3.5 available for download at around 5pm GMT today.
The new browser will include a number of advances, including geolocation software that can be used to provide information about local firms during searches. Other features include a private browsing mode that will not record which web sites have been visited and a speeded-up JavaScript engine dubbed TraceMonkey.
The latest version, which should be released in 70 languages, will also have improved stability and additional anti-malware features to protect users.
Demand for the new browser is expected to be heavy. The previous major release broke the world record for the most downloads in a single day after 8,002,530 people downloaded the code.
Earlier this month, Mozilla announced plans for a new service that will attempt to mitigate the effect of cross-site scripting (XSS) attacks when using the Firefox browser.
Such attacks involve inserting malware into legitimate sites, which can be used to attack computers via the browser. The new Content Security Policy (CSP) system would defeat this by only accepting code from a cleared ‘white list’ of known web sites.
“One might ask if the vulnerable web sites are aware of their shortcomings in application security, why won't they address the root cause and fix their vulnerabilities?” explained the team on the CSP web page.
“Real world security, however, is usually provided in layers and Content Security Policy intends to be only one layer. Though the site may be free of vulnerabilities today, a new vulnerability may be introduced tomorrow which could remain fully mitigated by Content Security Policy until it is detected and fixed properly.”
The CSP system will demand that all JavaScript is loaded from an external file, and served from an explicitly approved host. This means that all inline script, javascript: URIs, and event-handling HTML attributes will be ignored.
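The restrictions described above can be checked against a site's own pages before a policy is switched on. The following is an added example, not code from Mozilla or the original article; the allowlisted host, the sample markup and the function name `auditForCsp` are constructed for illustration, and regex matching stands in for a real HTML parser.

```javascript
// Added example: list the markup a CSP-enforcing browser would ignore or refuse.
// Hypothetical allowlist of hosts approved to serve script.
const APPROVED_SCRIPT_HOSTS = new Set(["static.example.com"]);

// Constructed sample page, not taken from any real site.
const SAMPLE_PAGE = `
<html><head>
<script src="https://static.example.com/app.js"></script>
<script src="https://cdn.untrusted.example/widget.js"></script>
<script>document.write(location.hash)</script>
</head><body onload="init()">
<a href="javascript:void(0)" onclick="track()">more</a>
<a href="/about">about</a>
</body></html>`;

const ATTR_RE = /\s([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function auditForCsp(html, pageOrigin, approvedHosts = APPROVED_SCRIPT_HOSTS) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (!src) {
      // Inline script: ignored under the policy, so it must move to an external file.
      if (body.trim()) findings.push({ kind: "inline-script", detail: body.trim().slice(0, 40) });
      continue;
    }
    // External script: resolve relative URLs against the page, then check the host.
    const host = new URL(src[1] ?? src[2] ?? src[3], pageOrigin).host;
    if (!approvedHosts.has(host)) findings.push({ kind: "unapproved-host", detail: host });
  }
  // Drop script elements so their bodies are not rescanned as markup.
  const markup = html.replace(scriptRe, "");
  for (const [tag] of markup.matchAll(/<[a-z][^>]*>/gi)) {
    for (const [, name, dq, sq, bare] of tag.matchAll(ATTR_RE)) {
      const attr = name.toLowerCase();
      const value = (dq ?? sq ?? bare).trim();
      // Event-handling attributes (onclick=, onload=, ...) are ignored under the policy.
      if (attr.startsWith("on")) findings.push({ kind: "event-handler", detail: attr });
      // javascript: URIs in any other attribute are ignored as well.
      else if (/^javascript:/i.test(value)) findings.push({ kind: "javascript-uri", detail: attr });
    }
  }
  return findings;
}

console.log(auditForCsp(SAMPLE_PAGE, "https://www.example.com"));
```

Every finding marks behaviour that stops working once the policy is enforced, so the list doubles as a migration checklist for the page.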
“The bottom line is that it will be extremely difficult to mount a successful XSS attack against a site with CSP enabled,” said Brandon Sterne, security program manager for Firefox, in the Mozilla security blog.
“All common vectors for script injection will no longer work and the bar for a successful attack is placed much, much higher.”
Where it is?
It's 5pm gmt plus 20 seconds, where is it???? ;-)
Posted by: fireman 30 Jun 2009