Firefox 88 clamps down on window.name abuses by trackers
How window.name persists between sites
Firefox 88 was released on Monday, and among the changes is a shift in how the browser will handle the window.name property.
Previously, this property persisted across the life of a tab, meaning that as a user shifted from one site to another, the value in the property remained, and data from one site could be read by another.
"Tracking companies have been abusing this property to leak information, and have effectively turned it into a communication channel for transporting data between websites," Firefox Privacy engineer Tim Huang said in a blog post.
"Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website."
Going forward, Firefox will now clear the property when shifting between sites, and if a user goes back to a site, that site's window.name value will be restored.
"Together, these dual rules for clearing and restoring window.name data effectively confine that data to the website where it was originally created, similar to how Firefox's Total Cookie Protection confines cookies to the website where they were created," Huang said.
"This confinement is essential for preventing malicious sites from abusing window.name to gather users' personal data."
With the release of Firefox 88, the usage of FTP in the browser is now disabled, with the code implementing the protocol to be ripped out in Firefox 90.
Clicking on an FTP link will now see Firefox attempt to pass it off to an external application.
"FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources," Mozilla software engineer Michal Novotny said last year.
"Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past."
Other new features in Firefox 88 included support for JavaScript in PDF forms, smooth pinch zoom via a touchpad on Linux, and screen readers no longer reading content that is visually hidden.
The screenshot button was also removed from the URL bar, and developers gained a toggle to switch between raw and formatted JSON responses.
Related Coverage
- Firefox 87 launch packed with private browsing 'SmartBlock'
- Chinese cyberspies targeted Tibetans with a malicious Firefox add-on
- Mozilla shuts down Firefox Send and Firefox Notes services
- Firefox 85 removes Flash and adds protection against supercookies
- How to remove the new "Other Bookmarks" button from Firefox