Add-ons are a big part of the Firefox experience for many users of Mozilla’s popular browser, and just recently we saw the number of add-ons downloaded so far cross the 3 billion mark.
“Add-ons often need to interact with page content, and mixing privileged and unprivileged code can be a tricky thing to get right without compromising security,” explained Jorge Villalobos, Mozilla’s add-ons developer relations lead, in a post on the Add-Ons Blog on Monday. “Unintentionally exposing privileged objects to Web content is a major security concern.”
So, starting with Firefox 17, add-on developers will need to use a whitelist to specify which Web pages can access the data in their add-ons.
‘The Whitelist Will Become Mandatory’
Firefox 15, which is now in beta, already shows an error message whenever a privileged object property or function in the add-on is accessed by a Web page that has not been added to the whitelist.
“The code will continue to work, but the error is there to let add-on developers know that they need to change this as soon as possible,” Villalobos explained.
“In Firefox 17, the whitelist will become mandatory and the shared object members will cease to be visible from content,” he added.
Also included in the whitelist is whether the access granted is read-only, write-only, or read and write.
An Extra Level of Protection
Earlier this year Mozilla announced a campaign to crack down on memory leaks in Firefox add-ons.
Now, with this extra level of protection between the browser and its add-ons, users can feel more secure as well.
Firefox 15 is due for final release at the end of this month, which is also when Firefox 17 will move into the software’s Aurora channel. Late November is the expected time frame for the final release of Firefox 17.