Mozilla has confirmed that it will be making the final version of Firefox 3.5
available for download at around 5pm GMT today.
The new browser will include a number
of advances, including geolocation software that can be used to provide
information about local firms during searches. Other features include a private
browsing mode that will not record which web sites have been visited and a
speeded-up JavaScript engine dubbed TraceMonkey.
The latest version, which should be released in 70 languages, will also have
improved stability and additional anti-malware features to protect users.
Demand for the new browser is expected to be heavy. The previous major
release broke the world record for the most downloads in a single day after
8,002,530 people downloaded the code.
Earlier this month, Mozilla announced plans for a new service that will
attempt to mitigate the effect of cross-site scripting (XSS) attacks when using
the Firefox browser.
Such attacks involve inserting malware into legitimate sites, which can be
used to attack computers via the browser. The new Content Security Policy (CSP)
system would defeat this by only accepting code from a cleared ‘white list’ of
known web sites.
“One might ask if the vulnerable web sites are aware of their shortcomings in
application security, why won't they address the root cause and fix their
vulnerabilities?” explained the team on the CSP web page.
“Real world security, however, is usually provided in layers and Content
Security Policy intends to be only one layer. Though the site may be free of
vulnerabilities today, a new vulnerability may be introduced tomorrow which
could remain fully mitigated by Content Security Policy until it is detected and
fixed properly.”
The CSP system will demand that all JavaScript is loaded from an external
file, and served from an explicitly approved host. This means that all inline
script, javascript: URIs, and event-handling HTML attributes will be ignored.
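To show what those rules mean for an existing site, the following Python example (added here; it is not Mozilla's code and not part of the original article) audits a page for markup that such a policy would ignore: inline script, javascript: URIs, event-handling attributes, and scripts served from hosts outside an approved list. The class and function names, the host names and the sample page are assumptions made for illustration, and any attribute beginning with "on" is treated as an event handler.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Added example: names below are illustrative, not Mozilla's API.
URI_ATTRS = {"href", "src", "action", "formaction"}  # may carry a javascript: URI

class CSPAudit(HTMLParser):
    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.page_host, self.allowed = page_host, set(allowed_hosts)
        self.findings = []          # (line, kind, detail)
        self._inline_line = None    # line of an open <script> that has no src

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = {k: (v or "") for k, v in attrs}
        for name, value in attrs.items():
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append((line, "event-handler", f"{tag}[{name}]"))
            elif name in URI_ATTRS and "".join(value.split()).lower().startswith("javascript:"):
                self.findings.append((line, "javascript-uri", f"{tag}[{name}]"))
        if tag == "script" and "src" not in attrs:
            self._inline_line = line
        elif tag == "script":
            # Relative URLs have no hostname and load from the page's own host.
            host = urlparse(attrs["src"]).hostname or self.page_host
            if host not in self.allowed:
                self.findings.append((line, "script-host", host))

    def handle_data(self, data):
        if self._inline_line is not None and data.strip():
            self.findings.append((self._inline_line, "inline-script", data.strip()[:40]))
            self._inline_line = None  # report each inline block once

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_line = None

def audit(html, page_host, allowed_hosts):
    parser = CSPAudit(page_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://ads.example.org/x.js"></script>
<script>alert(1)</script>
<body onload="init()">
<a href="javascript:void(0)">menu</a>"""
```

Calling audit(SAMPLE, "www.example.com", {"www.example.com", "cdn.example.net"}) returns one finding for each of the last four lines of the sample, which is the work a site owner would need to do before turning the policy on.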
“The bottom line is that it will be extremely difficult to mount a successful
XSS attack against a site with CSP enabled,” said Brandon Sterne, security
program manager for Firefox in the Mozilla security blog.
“All common vectors for script injection will no longer work and the bar for
a successful attack is placed much, much higher.”