



How window.name survives between sites

Image: Mozilla

Firefox 88 was released on Monday. Among the changes is a change in how the browser handles the window.name property.

Previously, this property lasted for the life of the tab. This means that if a user moves from one site to another, the property values ​​will remain and the data from one site could be read by another.

In a blog post, Firefox privacy engineer Tim Huang said, “Tracking companies have abused this property to leak information and effectively turn it into a communication channel for transferring data between websites.” ..

“To make matters worse, the malicious site was able to monitor the content of window.name and collect private user data that was accidentally leaked by another website.”

From now on, Firefox will clear properties when navigating between sites, and when a user returns to a site, the window.name value for that site will be restored.

“In summary, these dual rules for clearing and restoring window.name data create that data first, much like Firefox’s Total Cookie Protection limits cookies to the website on which they were created. Effectively limit to websites that have been cookied, “Huang said.

“This restriction is essential to prevent malicious sites from misusing window.name to collect your personal data.”

With the release of Firefox 88, the use of FTP in browsers has been disabled and code has been added to implement a protocol that will be removed in Firefox 90.

When you click on an FTP link, Firefox tries to pass it to an external application.

“FTP is an insecure protocol and there is no reason to prefer FTP over HTTPS for downloading resources,” said Mozilla software engineer Michal Novotny last year.

“Also, some of the FTP code is very old, insecure, difficult to maintain, and many security bugs have been found in the past.”

Other new features in Firefox 88 included support for JavaScript in PDF format, smooth pinch zoom with the Linux touchpad, and a screen reader that doesn’t read out visually hidden content.

The screenshot button has also been removed from the URL bar, allowing developers to switch between raw and formatted JSON responses.

