If you look at the latest security advisory by Mozilla, you can see a number of big changes have been made to reduce the prospect of cross-site scripting attacks. I talked with Daniel Veditz at Mozilla and he warned me that some changes were coming with the next version, and he wasn’t lying. Where shall we start?
First of all, the non-alpha-non-digit attack vector will now be closed. This is the same one that has been causing MySpace so much pain over the last few months. This is a good fix, as there really was no practical use for it anyway. Bravo!
Second is a fix for the inheritance of charset by pages that don’t set their own: child webpages accept the charset of the parent. More info posted by Stefan Esser, here. This can let the attacker set the charset to something that would normally not work, like the UTF-7 vector. Again, bravo!
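A defender-side check for the condition this fix addresses, as an added example that is not from the original post or from Mozilla: it flags HTML responses that declare no charset in the Content-Type header, a byte-order mark, or a `<meta>` tag, which are the pages left to take whatever charset the browser picks. The 1024-byte scan window, the function names and the sample responses are assumptions made for illustration.

```python
import re
from email.message import Message

# Byte-order marks that identify an encoding without any declaration.
_BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"))
# Matches <meta charset=...> and <meta http-equiv=Content-Type content="...; charset=...">.
_META_RE = re.compile(rb"<meta\b[^>]*?charset\s*=\s*[\"']?\s*([A-Za-z0-9_.:-]+)", re.I)
PRESCAN_BYTES = 1024  # assumption: only look for <meta> near the top of the document


def declared_charset(content_type, body):
    """Return (charset, source) for one response, or (None, None) if undeclared."""
    if content_type:
        msg = Message()
        msg["Content-Type"] = content_type
        charset = msg.get_param("charset")  # parses the header's charset parameter
        if charset:
            return charset.lower(), "header"
    for bom, name in _BOMS:
        if body.startswith(bom):
            return name, "bom"
    match = _META_RE.search(body[:PRESCAN_BYTES])
    if match:
        return match.group(1).decode("ascii").lower(), "meta"
    return None, None


def audit(pages):
    """Return URLs of HTML responses that leave the charset for the browser to choose."""
    findings = []
    for url, content_type, body in pages:
        if "html" not in (content_type or "text/html").lower():
            continue  # non-HTML responses are out of scope for this check
        if declared_charset(content_type, body)[0] is None:
            findings.append(url)
    return findings


# Constructed sample responses: (url, Content-Type header, first bytes of body).
SAMPLE = [
    ("https://example.test/a", "text/html; charset=UTF-8", b"<html><body>ok</body></html>"),
    ("https://example.test/b", "text/html", b"<html><head><meta charset='utf-8'></head></html>"),
    ("https://example.test/c", "text/html", b"<html><body>framed widget</body></html>"),
    ("https://example.test/d", "text/html",
     b'<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head></html>'),
    ("https://example.test/e", "image/png", b"\x89PNG"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Declaring the charset in the HTTP header on every HTML response is the fix on the server side, since it does not depend on which browser version the visitor runs.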
Last, but not least, the Adobe Universal XSS vuln has been fixed! Hurray! It was already fixed by Adobe, but not that many people update Adobe Reader anyway, so this is a stopgap for those users.
So wow, that’s a powerful set of fixes! Each and every one of those could be very nasty, so I’m glad the changes were made. Now, back to work!