Firefox, Mozilla has blocked execution of all inline scripts and potentially dangerous eval-like functions for built-in “about: pages” that have been the gateway to sensitive preferences, settings, and statics of the browser. This is all driven to mitigate a large class of potential cross-site scripting issues in
Firefox browser has 45 such internal locally-hosted about pages, that include;-
- about:config — panel to modify Firefox preferences and critical settings.
- about:downloads — your recent downloads done within Firefox.
- about:memory — shows the memory usage of Firefox.
- about:newtab — the default new tab page.
- about:plugins — lists all your plugins as well as other useful information.
- about:privatebrowsing — open a new private window.
- about:networking — displays networking information.
Firefox explains in its blog that
Removing eval()-like Functions and adding Runtime Assertions to prevent eval()
To further minimize the attack surface in Firefox and discourage the use of eval() we rewrote all use of ‘eval()’-like functions from system privileged contexts and from the parent process in the Firefox codebase. Additionally we added assertions, disallowing the use of ‘eval()’ and its relatives in system-privileged script contexts.