Critical Security Issue Fixed in Firefox 3.6

posted Mar 7, 2011, 1:41 PM by Felix Kling   [ updated Mar 7, 2011, 1:59 PM ]
We just uploaded version (it might take some time until the new version is approved), which does not contain any new features, but fixes a security hole:

The Problem

Because the notes are added directly to the website, the website can theoretically access the content of the notes. While such a scenario might seem unlikely, it is a potential threat.

The Solution

There are several possible solutions:

1. The most secure solution is to not add the notes to the website, but to the browser, and only lay them out on top of the website.

This is how Internote is doing it and I have to say, they did a pretty good job. Unfortunately it is not that easy to do so, as the internal structure of the Firefox UI seems to be different for different OS (Windows, Mac OS X, Linux). But I experienced some usability issues on Mac OS X like flickering of the notes when scrolling and problems with dragging the notes.

2. Add the notes to the website, but protect the content from being accessed. This solution is "less secure" in the sense that a website could still detect whether you added notes, but it cannot read the contents anymore. It cannot get more information than how many notes you created.
We decided to take this approach as it was much easier to implement in a shorter time. The content of the notes is now loaded into iframes, which, due to the same-origin policy, can't be accessed by the parent page.
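
A small model of the isolation described above, added here as an illustration and not taken from the extension's code: the page can count the note iframes but can only read frames that share its origin. The URLs, note texts and function names are constructed placeholders; the page does not say which URLs the extension's iframes actually use.

```javascript
// Added model, not the extension's code. All URLs are constructed placeholders.

// Same origin = same scheme, host and port. Opaque origins (serialized as
// "null", e.g. data: URLs) never match anything, not even themselves.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== "null" && oa === ob;
}

// Model of an <iframe> as seen by the embedding page: contentDocument is
// null unless the frame's origin matches the page's origin.
function makeFrame(pageUrl, frameUrl, text) {
  return {
    get contentDocument() {
      if (!sameOrigin(pageUrl, frameUrl)) return null;
      return { body: { textContent: text } };
    },
  };
}

// What a script running in the page can learn about the frames it hosts.
function pageView(frames) {
  const readable = [];
  for (const frame of frames) {
    let doc = null;
    try {
      doc = frame.contentDocument; // tolerate an engine that throws instead
    } catch (e) {
      doc = null;
    }
    if (doc) readable.push(doc.body.textContent);
  }
  return { count: frames.length, readable };
}

const PAGE = "https://site.example/article";
const NOTE_FRAMES = [
  makeFrame(PAGE, "https://notes.example/note/1", "constructed note A"),
  makeFrame(PAGE, "https://notes.example/note/2", "constructed note B"),
  makeFrame(PAGE, "https://site.example:443/widget", "site widget"),
];

console.log(pageView(NOTE_FRAMES));
```

The frame count is still visible to the page, which matches the residual leak the post describes: the site learns how many notes exist, not what they say.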

Unfortunately, it seems that Firefox 4 contains a bug which does not respect the same-origin policy. But we will follow this issue.