Content-Security-Policy-Report-Only - HTTP
the http content-security-policy-report-only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects.
... for more information, see also this article on content security policy (csp).
... syntax content-security-policy-report-only: <policy-directive>; <policy-directive> directives the directives of the content-security-policy header can also be applied to content-security-policy-report-only.
...And 9 more matches

Privacy, permissions, and information security
cooperation among web content, the web browser, and the web server is needed to achieve as much privacy and information security as possible.
... security and privacy defined before we go into any depth about the various security and privacy features available to users on the web, let's define some important terms.
... personally identification can include information like usernames, real names, passwords, phone numbers or addresses (or even portions of them), information about medical history, social security numbers, driver licenses, or any other form of id or id number, credit card information, and so forth.
...And 9 more matches

How to check the security state of an XMLHTTPRequest over SSL - Web APIs
here is a an example javascript function that prints the security details of an xmlhttprequest sent over ssl.
... const {cc,ci} = require("chrome"); function createtcperrorfromfailedxhr(xhr) { let status = xhr.channel.queryinterface(ci.nsirequest).status; let errtype; if ((status & 0xff0000) === 0x5a0000) { // security module const nsinsserrorsservice = ci.nsinsserrorsservice; let nsserrorsservice = cc['@mozilla.org/nss_errors_service;1'].getservice(nsinsserrorsservice); let errorclass; // geterrorclass will throw a generic ns_error_failure if the error code is // somehow not in the set of covered errors.
... try { errorclass = nsserrorsservice.geterrorclass(status); } catch (ex) { //catching security protocol exception errorclass = 'securityprotocol'; } if (errorclass == nsinsserrorsservice.error_class_bad_cert) { errtype = 'securitycertificate'; } else { errtype = 'securityprotocol'; } // nss_sec errors (happen below the base value because of negative vals) if ((status & 0xffff) < math.abs(nsinsserrorsservice.nss_sec_error_base)) { // the bases are actually negative, so in our positive numeric space, we // need to subtract the base off our value.
...And 8 more matches

JS_GetSecurityCallbacks
this article covers features introduced in spidermonkey 1.8.1 configure spidermonkey security hooks.
... syntax /* added in spidermonkey 17 */ void js_setsecuritycallbacks(jsruntime *rt, const jssecuritycallbacks *callbacks); const jssecuritycallbacks * js_getsecuritycallbacks(jsruntime *rt); /* obsolete since jsapi 13 */ jssecuritycallbacks * js_setcontextsecuritycallbacks(jscontext *cx, jssecuritycallbacks *callbacks); jssecuritycallbacks * js_getruntimesecuritycallbacks(jsruntime *rt); jssecuritycallbacks * js_setruntimesecuritycallbacks(jsruntime *rt, jssecuritycallbacks *callbacks); name type description rt jsruntime * a runtime to get/set the security callbacks.
... callbacks const jssecuritycallbacks * a pointer to the new callbacks for the runtime.
...And 5 more matches

Zest usecase: Reporting Security Vulnerabilities to Developers
when security teams find vulnerabilities they typically describe them to developers using words, for example in a pdf or via a bug tracker.
... unfortunately in many cases developers may lack the security knowledge to understand or reproduce the problem.
... also security teams often use tools which the developers do not have access to or have no experience with.
...And 3 more matches

nsIContentSecurityPolicy
content/base/public/nsicontentsecuritypolicy.idlscriptable describes an xpcom component used to model and enforce content security policies.
... isinitialized boolean set to true when the content security policy has been read in and parsed and is ready to enforce.
... this is a barrier for the nsdocument so it doesn't load any sub-content until either it knows that a content security policy is ready or will not be used.
...And 3 more matches

Displaying web content in an extension without security issues - Archive of obsolete content
one of the most common security issues with extensions is execution of remote code in privileged context.
...these issues can easily be avoided by making use of the existing security mechanisms in the mozilla codebase.
... the following article explains these security mechanisms, ideally an extension that needs to display web content (which is always potentially dangerous) will use all of them.
...And 2 more matches

Security best practices in extensions - Archive of obsolete content
a more detailed explanation of this process is in displaying web content in an extension without security issues.
...there are ways to get around the content/chrome security barrier, if for example, you want a web page to send a notification to the add-on (or vice versa).
...if you choose to do so, beware when making edits to the bundled files so as not to break the well thought out security architecture.
...And 2 more matches

New Security Model for Web Services - Archive of obsolete content
the root element the first element of the file should be the following: <wsa:webscriptaccess xmlns:wsa="http://www.mozilla.org/2002/soap/security"> delegation if the <delegate/> element is present then "web-scripts-access.xml" is required in the subdirectory for uris which are in a subdirectory.
... note: script access is checked via declaration file only if the script security manager denies access.
... adjustments as this new model is applied to soap, and potentially document.load or xml-request, it may be desirable to eliminate the same source security bypass, because it is not clear that this is always secure.
...And 2 more matches

Mozilla Web Services Security Model
please do not depend on anything in it being correct for security.) to prevent the browser from being used as a tool for web sites to obtain priveleges that belong to the browser's user (such as being behind a firewall or getting the benefits of the user's cookies), web browsers restrict what web pages can do when accessing things in other domains.
... the webscriptaccess element its root element must be a webscriptaccess element in the http://www.mozilla.org/2002/soap/security namespace.
... the type attribute the type attribute of the allow element can take the following values: any means that the allow element applies to all services that use web-scripts-access.xml for security checks.
...And 2 more matches

Network Security Services
network security services (nss) is a set of libraries designed to support cross-platform development of security-enabled client and server applications.
... applications built with nss can support ssl v3, tls, pkcs #5, pkcs #7, pkcs #11, pkcs #12, s/mime, x.509 v3 certificates, and other security standards.
... nss apis introduction to network security services provides an overview of the nss libraries and what you need to know to use them.
...And 2 more matches

BasicCardResponse.cardSecurityCode - Web APIs
the cardsecuritycode property of the basiccardresponse dictionary contains the security code of the card used to make the payment.
... syntax "cardsecuritycode" : "number" value a domstring representing the card security code.
...dick straw", "cardsecuritycode" : "999", "expirymonth" : "07", "expiryyear" : "2021", "billingaddress" : { "country" : "gb", // etc.
...And 2 more matches

Securing your site - Web security
user information security how to turn off form autocompletion form fields support autocompletion in gecko; that is, their values can be remembered and automatically brought back the next time the user visits your site.
... content security properly configuring server mime types there are several ways incorrect mime types can cause potential security problems with your site.
... http strict transport security the strict-transport-security: http header lets a website specify that it may only be accessed using https.
...And 2 more matches

Types of attacks - Web security
this article describes various types of security attacks and techniques to mitigate them.
...(click-jacking is sometimes called "user interface redressing", though this is a misuse of the term "redress".) cross-site request forgery (csrf) cross-site scripting (xss) cross-site scripting (xss) is a security exploit which allows an attacker to inject into a website malicious client-side code.
...according to the open web application security project, xss was the seventh most common web app vulnerability in 2017.
...And 2 more matches

Security - Archive of obsolete content
relying on these obsolete security articles is highly discouraged.
... digital signaturesencryption and decryption address the problem of eavesdropping, one of the three internet security issues mentioned at the beginning of this document.
...decryption is the process of transforming encrypted information so that it is intelligible again.introduction to public-key cryptographypublic-key cryptography and related standards and techniques underlie the security features of many products such as signed and encrypted email, single sign-on, and secure sockets layer (ssl) communications.
...ssl has been universally accepted on the world wide web for authenticated and encrypted communication between clients and servers.nspr release engineering guidethis paper is for engineers performing formal release for the netscape portable runtime (nspr) across all platforms.ssl and tlsthe secure sockets layer (ssl) and transport layer security (tls) protocols are universally accepted standards for authenticated and encrypted communication between clients and servers.

DTLS (Datagram Transport Layer Security) - MDN Web Docs Glossary: Definitions of Web-related terms
datagram transport layer security (dtls) is a protocol used to secure datagram-based communications.
... it's based on the stream-focused transport layer security (tls), providing a similar level of security.
... learn more general knowledge datagram transport layer security on wikipedia specifications rfc 6347: datagram transport layer security version 1.2 datagram transport layer security protocol version 1.3 draft specification related specifications rfc 5763: framework for establishing a secure real-time transport protocol (srtp) security context using dtls rfc 5764: dtls extension to establish keys for the secure real-time transport protocol (srtp) ...
...rfc 6083: dtls for stream control transmission protocol (sctp) rfc 8261: datagram transport layer security (dtls) encapsulation of sctp packets rfc 7350: datagram transport layer security (dtls) as transport for session traversal utilities for nat (stun) rfc 7925: tls / dtls profiles for the internet of things ...

mozbrowsersecuritychange
the mozbrowsersecuritychange event is fired when the browser <iframe> has connected to the server, and when the mixed content state changes.
... details the details property returns an anonymous javascript object with the following properties: state a domstring representing the current state of ssl security.
... possible values are: broken: indicates an unknown security state.
... example var browser = document.queryselector("iframe"); browser.addeventlistener("mozbrowsersecuritychange", function( event ) { console.log("the ssl state is:" + event.details.state); }); related events mozbrowserasyncscroll mozbrowserclose mozbrowsercontextmenu mozbrowsererror mozbrowsericonchange mozbrowserloadend mozbrowserloadstart mozbrowserlocationchange mozbrowseropenwindow mozbrowsertitlechange mozbrowserusernameandpasswordrequired ...

Security best practices for Firefox front-end engineers
this article will help firefox developers understand the security controls in place and avoid common pitfalls when developing front-end code for firefox.
... existing security controls sanitizing all strings that enter the dom through apis such as innerhtml when running system-privileged chrome code, we sanitize all html fragments that are created for chrome-privileged documents.
... linter rules against unsanitized dom interaction the security assurance team maintains an eslint rule that disallows unsafe uses of innerhtml and similar dom apis.

Browser security
an important aspect of developing code for any browser, including firefox, as well as any web-oriented project, is its security.
...this article provides an overview of what these are and how they work.exploitable crashesthis article will help you determine if a crash is exploitable, find crashes which are exploitable, and to fix exploitable crashes.handling mozilla security bugsthis document describes how the new security organizational structure will work, and how security-related mozilla bug reports will be handled.pinning violation reportsif a site makes use of key pinning, and your browser sees a certificate chain for that site which does not match the pin, firefox will reject the connection and display an error page.
... secure development guidelinesthe following content will likely see significant revision, though can be used as a reference for security best practices to follow when developing code for mozilla.security and the jar protocolthis article discusses security concerns with the jar: protocol, which only firefox has ever implemented for web content.

nsITransportSecurityInfo
netwerk/socket/nsitransportsecurityinfo.idlscriptable this interface provides information about transport security, including the security state and any error message for the connection.
... securitystate unsigned long a flag detailing the security state of the connection.
... shortsecuritydescription wstring for secure connections (ssl) gives the common name (cn) of the certifying authority.

SecurityPolicyViolationEvent.disposition - Web APIs
the disposition read-only property of the securitypolicyviolationevent interface indicates how the violated policy is configured to be treated by the user agent.
... syntax let disposition = violationeventinstance.disposition; value a value defined in the securitypolicyviolationeventdisposition enum representing the uri of the blocked resource.
... possible values are "enforce" or "report" example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.disposition); }); specifications specification status comment content security policy level 3the definition of 'disposition' in that specification.

WebXR permissions and security - Web APIs
the webxr device api has several areas of security to contend with, from establishing feature-policy to ensuring the user intends to use the mixed reality presentation before activating it.
... introduction the webxr device api is subject to a number of permission and security controls.
...otherwise, an appropriate exception is thrown, such as securityerror if the document doesn't have permission to enter immersive mode.

-webkit-text-security - CSS: Cascading Style Sheets
-webkit-text-security is a non-standard css property that obfuscates characters in a <form> field (such as <input> or <textarea>) by replacing them with a shape.
... syntax -webkit-text-security: circle; -webkit-text-security: disc; -webkit-text-security: square; -webkit-text-security: none; formal definition value not found in db!
... html <label for="name">name:</label> <input type="text" name="name" id="name" /> css input { -webkit-text-security: square; } result specifications not part of any standard.

Transport Layer Security (TLS) - MDN Web Docs Glossary: Definitions of Web-related terms
transport layer security (tls), formerly known as secure sockets layer (ssl), is a protocol used by applications to communicate securely across a network, preventing tampering with and eavesdropping on email, web browsing, messaging, and other protocols.
... both ssl and tls are client / server protocols that ensure communication privacy by using cryptographic protocols to provide security over a network.

Introduction to Network Security Services
network security services (nss) is a set of libraries designed to support cross-platform development of communications applications that support ssl, s/mime, and other internet security standards.
... shared libraries network security services provides both static libraries and shared libraries.

Security and the jar protocol
this article discusses security concerns with the jar: protocol, which only firefox has ever implemented for web content.
...firefox 2.0.0.10 (and firefox 1.5.0.15) fixed a potential security issue in the same origin policy when the jar: protocol was used to load data.

SecurityPolicyViolationEvent.blockedURI - Web APIs
the blockeduri read-only property of the securitypolicyviolationevent interface is a usvstring representing the uri of the resource that was blocked because it violates a policy.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.blockeduri); }); specifications specification status comment content security policy level 3the definition of 'blockeduri' in that specification.

SecurityPolicyViolationEvent.columnNumber - Web APIs
the columnnumber read-only property of the securitypolicyviolationevent interface is the column number in the document or worker at which the violation occurred.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.columnnumber); }); specifications specification status comment content security policy level 3the definition of 'columnnumber' in that specification.

SecurityPolicyViolationEvent.documentURI - Web APIs
the documenturi read-only property of the securitypolicyviolationevent interface is a usvstring representing the uri of the document or worker in which the violation was found.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.documenturi); }); specifications specification status comment content security policy level 3the definition of 'documenturi' in that specification.

SecurityPolicyViolationEvent.effectiveDirective - Web APIs
the effectivedirective read-only property of the securitypolicyviolationevent interface is a domstring representing the directive whose enforcement uncovered the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.effectivedirective); }); specifications specification status comment content security policy level 3the definition of 'effectivedirective' in that specification.

SecurityPolicyViolationEvent.lineNumber - Web APIs
the linenumber read-only property of the securitypolicyviolationevent interface is the line number in the document or worker at which the violation occurred.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.linenumber); }); specifications specification status comment content security policy level 3the definition of 'linenumber' in that specification.

SecurityPolicyViolationEvent.originalPolicy - Web APIs
the originalpolicy read-only property of the securitypolicyviolationevent interface is a domstring containing the policy whose enforcement uncovered the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.originalpolicy); }); specifications specification status comment content security policy level 3the definition of 'originalpolicy' in that specification.

SecurityPolicyViolationEvent.referrer - Web APIs
the referrer read-only property of the securitypolicyviolationevent interface is a usvstring representing the referrer of the resources whose policy was violated.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.referrer); }); specifications specification status comment content security policy level 3the definition of 'referrer' in that specification.

SecurityPolicyViolationEvent.sample - Web APIs
the sample read-only property of the securitypolicyviolationevent interface is a domstring representing a sample of the resource that caused the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.sample); }); specifications specification status comment content security policy level 3the definition of 'sample' in that specification.

SecurityPolicyViolationEvent.sourceFile - Web APIs
the sourcefile read-only property of the securitypolicyviolationevent interface is a usvstring representing the uri of the document or worker in which the violation was found.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.sourcefile); }); specifications specification status comment content security policy level 3the definition of 'sourcefile' in that specification.

SecurityPolicyViolationEvent.statusCode - Web APIs
the statuscode read-only property of the securitypolicyviolationevent interface is a number representing the http status code of the document or worker in which the violation occurred.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.statuscode); }); specifications specification status comment content security policy level 3the definition of 'statuscode' in that specification.

SecurityPolicyViolationEvent.violatedDirective - Web APIs
the violateddirective read-only property of the securitypolicyviolationevent interface is a domstring representing the directive whose enforcement uncovered the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.violateddirective); }); specifications specification status comment content security policy level 3the definition of 'violateddirective' in that specification.

Mixed content - Web security
as well as finding these warnings in the web console, you could use content security policy (csp) to report issues.
...to make it easier for web developers to find mixed content errors, all blocked mixed content requests are logged to the security pane of the web console, as seen below: to fix this type of error, all requests to http content should be removed and replaced with content served over https.

Same-origin policy - Web security
the same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin.
... data: urls get a new, empty, security context.

How to turn off form autocompletion - Web security
however, some data submitted in forms either are not useful in the future (for example, a one-time pin) or contain sensitive information (for example, a unique government identifier or credit card security code).
... even without a master password, in-browser password management is generally seen as a net gain for security.

disablesecurity - Archive of obsolete content
« xul reference home disablesecurity type: boolean set this attribute to true to disable the security ui for this browser.

securityUI - Archive of obsolete content
« xul reference securityui type: nsisecurebrowserui the read-only property holds an object which may be used to determine the security level of the loaded document.

Midas editor module security preferences
for example: user_pref("capability.policy.allowclipboard.sites", "https://www-archive.mozilla.org https://developer.mozilla.org") again, keep in mind the security risks involved here and be sure to remove permission to access the clipboard once you no longer need it enabled.

Personal Security Manager (PSM)
personal security manager (psm) consists of a set of libraries that perform cryptographic operations on behalf of a client application.

nsISecurityCheckedComponent
caps/idl/nsisecuritycheckedcomponent.idlscriptable provides methods that let an xpcom component define custom rules for accessing it from potentially unprivileged code.

How to fix a website with blocked mixed content - Web security
in any case, the best way to know if something is broken in firefox is to download the latest firefox edition, open different pages on your website with the web console open (enable the "security" messages) and see if anything related to mixed content is reported.

Features restricted to secure contexts - Web security
web bluetooth 56 not supported not supported not supported web midi (see midiaccess, for example) 43 not supported not supported not supported web crypto api 60 79 not supported 75 secure context restrictions that vary by browser some browsers may decide to disable certain apis in non-secure contexts or apply other restrictions/security measures, despite the spec not requiring them.

Secure contexts - Web security
resources that are not local, to be considered secure, must meet the following criteria: must be served over https:// or wss:// urls the security properties of the network channel used to deliver the resource must not be considered deprecated feature detection pages can use feature detection to check whether they are in a secure context or not by using the issecurecontext boolean, which is exposed on the global scope.

Subdomain takeovers - Web security
if an attacker can do this, they can potentially read cookies set from the main domain, perform cross-site scripting, or circumvent content security policies, thereby enabling them to capture protected information (including logins) or send malicious content to unsuspecting users.

Subresource Integrity - Web security
subresource integrity (sri) is a security feature that enables browsers to verify that resources they fetch (for example, from a cdn) are delivered without unexpected manipulation.

Weak signature algorithms - Web security
the strength of the hash algorithm used in signing a digital certificate is a critical element of the security of the certificate.

Index
found 353 pages: # page tags and summary 1 network security services jss, nss, needsmigration network security services (nss) is a set of libraries designed to support cross-platform development of security-enabled client and server applications.
... applications built with nss can support ssl v3, tls, pkcs #5, pkcs #7, pkcs #11, pkcs #12, s/mime, x.509 v3 certificates, and other security standards.
... 2 an overview of nss internals api, intermediate, intro, nss, tools a high-level overview to the internals of network security services (nss) software developed by the mozilla.org projects traditionally used its own implementation of security protocols and cryptographic algorithms, originally called netscape security services, nowadays called network security services (nss).
...And 253 more matches

HTTP Index - HTTP
16 content security policy (csp) csp, content security policy, reference, security content security policy (csp) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross site scripting (xss) and data injection attacks.
... 19 cross-origin resource policy (corp) http, reference, security cross-origin resource policy is an opt-in mechanism that allows web applications to protect against certain cross-origin requests, such as those issued by the browser when resources are embedded using elements such as <script> and <img>.
... 20 cross-origin resource sharing (cors) ajax, cors, cross-origin resource sharing, fetch, fetch api, http, http access controls, same-origin policy, security, xmlhttprequest, l10n:priority cross-origin resource sharing (cors) is a mechanism that uses additional http headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin.
...And 63 more matches

Index - MDN Web Docs Glossary: Definitions of Web-related terms
35 block cipher mode of operation block cipher mode of operation, cryptography, glossary, security a block cipher mode of operation, usually just called a "mode" in context, specifies how a block cipher should be used to encrypt or decrypt messages that are longer than the block size.
... 46 cia glossary, security cia (confidentiality, integrity, availability) (also called the cia triad or aic triad) is a model that guides an organization's policies for information security.
... 48 cors glossary, infrastructure, security cors (cross-origin resource sharing) is a system, consisting of transmitting http headers, that determines whether browsers block frontend javascript code from accessing responses for cross-origin requests.
...And 62 more matches

Index - HTTP
10 access-control-allow-origin access control, access-control-allow-origin, cors, dealing with cors, http, http header, how to fix cors, reference, security, cross-origin issue, header, origin the access-control-allow-origin response header indicates whether the response can be shared with requesting code from the given origin.
... 28 content-security-policy csp, http, reference, security, header the http content-security-policy response header allows web site administrators to control resources the user agent is allowed to load for a given page.
... 29 csp: base-uri csp, directive, document directive, http, security the http content-security-policy base-uri directive restricts the urls which can be used in a document's <base> element.
...And 31 more matches

Index - Web APIs
259 basiccardresponse.cardsecuritycode api, basic card payment, basiccardresponse, experimental, payment request, payment request api, property, reference, cardsecuritycode the cardsecuritycode property of the basiccardresponse dictionary contains the security code of the card used to make the payment.
...for security reasons the path is excluded from this property.
...for security reasons, the path is excluded from this property.
...And 30 more matches

Index - Archive of obsolete content
230 displaying web content in an extension without security issues extensions, security, xmlhttprequest, xul one of the most common security issues with extensions is execution of remote code in privileged context.
...these issues can easily be avoided by making use of the existing security mechanisms in the mozilla codebase.
... the following article explains these security mechanisms, ideally an extension that needs to display web content (which is always potentially dangerous) will use all of them.
...And 29 more matches

NSS tools : modutil
name modutil - manage pkcs #11 module information within the security module database.
...please contribute to the initial review in mozilla nss bug 836477[1] description the security module database tool, modutil, is a command-line utility for managing pkcs #11 module information both within secmod.db files and within hardware tokens.
... modutil can add and delete pkcs #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable fips 140-2 compliance, and assign default providers for cryptographic operations.
...And 27 more matches

NSS tools : modutil
name modutil — manage pkcs #11 module information within the security module database.
... synopsis modutil [options] arguments description the security module database tool, modutil, is a command-line utility for managing pkcs #11 module information both within secmod.db files and within hardware tokens.
... modutil can add and delete pkcs #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable fips 140-2 compliance, and assign default providers for cryptographic operations.
...And 27 more matches

NSS Tools modutil
using the security module database (modutil) newsgroup: mozilla.dev.tech.crypto the security module database tool is a command-line utility for managing pkcs #11 module information within secmod.db files or within hardware tokens.
...this tool can also create key3.db, cert8.db, and secmod.db security database files.
... the tasks associated with security module database management are part of a process that typically also involves managing key databases (key3.db files) and certificate databases (cert8.db files).
...And 26 more matches

Vulnerabilities - Archive of obsolete content
this article uses three high-level vulnerability categories: software flaws, security configuration issues, and software feature misuse.
... a security configuration setting is an element of a software’s security that can be altered through the software itself.
... a security configuration issue vulnerability involves the use of security configuration settings that negatively affect the security of the software.
...And 18 more matches

JSAPI User Guide
*/ return false; } security many applications use spidermonkey to run untrusted code.
... in designing this kind of application, it's important to think through the security concerns ahead of time.
... deploy security updates - firefox automatically installs updates, so security fixes are deployed as soon as they are available.
...And 18 more matches

sslerr.html
ssl_error_unsupported_version -12279 "peer using unsupported version of security protocol." on a client socket, this means the remote server has attempted to negotiate the use of a version of ssl that is not supported by the nss library, probably an invalid version number.
...ted in other blocks.) ssl_error_handshake_unexpected_alert -12229 "ssl peer was not expecting a handshake message it received." ssl_error_decompression_failure_alert -12228 "ssl peer was unable to successfully decompress an ssl record it received." ssl_error_handshake_failure_alert -12227 "ssl peer was unable to negotiate an acceptable set of security parameters." ssl_error_illegal_parameter_alert -12226 "ssl peer rejected a handshake message for unacceptable content." ssl_error_unsupported_cert_alert -12225 "ssl peer does not support certificates of the type it received." ssl_error_certificate_unknown_alert -12224 "ssl peer had some unspecified issue with the certificate it received." ssl_...
...sage." ssl_error_decrypt_error_alert -12192 "peer reports failure of signature verification or key exchange." ssl_error_export_restriction_alert -12191 "peer reports negotiation not in compliance with export regulations." ssl_error_protocol_version_alert -12190 "peer reports incompatible or unsupported protocol version." ssl_error_insufficient_security_alert -12189 "server requires ciphers more secure than those supported by client." ssl_error_internal_error_alert -12188 "peer reports it experienced an internal error." ssl_error_user_canceled_alert -12187 "peer user canceled handshake." ssl_error_no_renegotiation_alert -12186 "peer does not permit renegotiation of ssl security parameters." ...
...And 17 more matches

certutil
for information security module database management, see the modutil manpages.
... certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new sqlite databases (cert9.db, key4.db, and pkcs11.txt).
... -0 sso_password set a site security officer password on a token.
...And 16 more matches

nsIDOMWindowUtils
cannot be accessed from unprivileged context (not content-accessible) will throw a dom security error if called without universalxpconnect privileges.
... cannot be accessed from unprivileged context (not content-accessible) will throw a dom security error if called without universalxpconnect privileges.
...will throw a dom security error if called without universalxpconnect privileges.
...And 16 more matches

NSS tools : certutil
for information on the security module database management, see the modutil manpage.
... certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new sqlite databases (cert9.db, key4.db, and pkcs11.txt).
... -0 sso_password set a site security officer password on a token.
...And 15 more matches

nsIWebProgressListener
method overview void onlocationchange(in nsiwebprogress awebprogress, in nsirequest arequest, in nsiuri alocation, [optional] in unsigned long aflags); void onprogresschange(in nsiwebprogress awebprogress, in nsirequest arequest, in long acurselfprogress, in long amaxselfprogress, in long acurtotalprogress, in long amaxtotalprogress); void onsecuritychange(in nsiwebprogress awebprogress, in nsirequest arequest, in unsigned long astate); void onstatechange(in nsiwebprogress awebprogress, in nsirequest arequest, in unsigned long astateflags, in nsresult astatus); void onstatuschange(in nsiwebprogress awebprogress, in nsirequest arequest, in nsresult astatus, in wstring amessage); constants state transition flags these...
... state security flags these flags describe the security state reported by a call to the onsecuritychange() method.
... state_is_broken 0x00000001 this flag indicates an unknown security state.
...And 15 more matches

Python binding for NSS
project information python-nss is a python binding for nss (network security services) and nspr (netscape portable runtime).
... for information on nss and nspr, see the following: network security services (nss).
...red hat following it's open source philosophy has contributed the source to the mozilla security project.
...And 14 more matches

Rhino overview
security the security features in rhino provide the ability to track the origin of a piece of code (and any pieces of code that it may in turn generate).
... these features allow for the implementation of a traditional url-based security policy for javascript as in netscape navigator.
... embeddings that trust the javascript code they execute may ignore the security features.
...And 13 more matches

NSS API Guidelines
fortezza is a set of security algorithms, used by the u.s.
...you must supply a library that implements the cryptographic operations, such as bsafe from rsa security.
... port lib/jar jar-ds.h, jar.h, jarfile.h nss provides high-level initialiazation and shutdown of security services.
...And 12 more matches

sslfnc.html
nss_init nss_initreadwrite nss_nodb_init ssl_optionsetdefault ssl_optiongetdefault ssl_cipherprefsetdefault ssl_cipherprefgetdefault ssl_clearsessioncache ssl_configserversessionidcache ssl_configmpserversidcache ssl_inheritmpserversidcache nss_init sets up configuration files and performs other tasks required to run network security services.
... syntax #include "nss.h" secstatus nss_init(char *configdir); parameter this function has the following parameter: configdir a pointer to a string containing the pathname of the directory where the certificate, key, and security module databases reside.
... nss_initreadwrite sets up configuration files and performs other tasks required to run network security services.
...And 12 more matches

Console messages - Firefox Developer Tools
security the security messages shown in the web console help developers find potential or actual vulnerabilities in their sites.
... the complete list of security messages is as follows: message details blocked loading mixed active content the page contained mixed active content: that is, the main page was served over https, but asked the browser to load "active content", such as scripts, over http.
... this site specified both an x-content-security-policy/report-only header and a content-security-policy/report-only header.
...And 11 more matches

Mozilla Crypto FAQ - Archive of obsolete content
the questions in this faq address mozilla's support for encryption and related security functionality, information important to mozilla contributors relating to encryption functionality in mozilla, and general questions on u.s.
...export regulations in january 2000 to allow export of source code for open source software implementing encryption, the major remaining legal obstacle to mozilla crypto development was the fact that rsa security, inc., held a u.s.
...in february 2000 iplanet e-commerce solutions (a sun-netscape alliance) released source code through mozilla.org for the personal security manager and network security services software; this source code included support for the ssl protocol, but due to the rsa patent and related legal issues it did not originally contain code for rsa or other cryptographic algorithms.
...And 10 more matches

From object to iframe — other embedding technologies - Learn web development
they have since fallen out of fashion due to many problems, including accessibility, security, file size, and more; these days most mobile devices don't support such plugins anymore, and desktop support is on the way out.
... there are some serious security concerns to consider with <iframe>s, as we'll discuss below, but this doesn't mean that you shouldn't use them in your websites — it just requires some knowledge and careful thinking.
...ie 10 and above) requests heightened security settings; we'll say more about this in the next section.
...And 10 more matches

NSS tools : pk12util
the tool can import certificates and keys from pkcs#12 files into security databases, export certificates, and list certificates and keys.
... options and arguments options -i p12file import keys and certificates from a pkcs#12 file into a security database.
... -o p12file export keys and certificates from the security database to a pkcs#12 file.
...And 10 more matches

NSS tools : pk12util
the tool can import certificates and keys from pkcs#12 files into security databases, export certificates, and list certificates and keys.
... options and arguments options -i p12file import keys and certificates from a pkcs#12 file into a security database.
... -o p12file export keys and certificates from the security database to a pkcs#12 file.
...And 9 more matches

nsIIOService
nsiprotocolhandler getprotocolhandler(in string ascheme); nsichannel newchannel(in autf8string aspec, in string aorigincharset, in nsiuri abaseuri); obsolete since gecko 48 nsichannel newchannel2(in autf8string aspec, in string aorigincharset, in nsiuri abaseuri, in nsidomnode aloadingnode, in nsiprincipal aloadingprincipal, in nsiprincipal atriggeringprincipal, in uint32_t asecurityflags, in uint32_t acontentpolicytype); nsichannel newchannelfromuri(in nsiuri auri); obsolete since gecko 48 nsichannel newchannelfromuri2(in nsiuri auri, in nsidomnode aloadingnode, in nsiprincipal aloadingprincipal, in nsiprincipal atriggeringprincipal, in unsigned long asecurityflags, in unsigned long acontentpolicytype); nsichannel newchannelfromuriwithloadinfo(in ...
...nsiuri auri, in nsiloadinfo aloadinfo); nsichannel newchannelfromuriwithproxyflags2(in nsiuri auri, in nsiuri aproxyuri, in uint32_t aproxyflags,in nsidomnode aloadingnode, in nsiprincipal aloadingprincipal, in nsiprincipal atriggeringprincipal, in uint32_t asecurityflags, in uint32_t acontentpolicytype); nsiuri newfileuri(in nsifile afile); nsiuri newuri(in autf8string aspec, in string aorigincharset, in nsiuri abaseuri); attributes attribute type description offline boolean returns true if networking is in "offline" mode.
...this gives the protocol handler ultimate control over its own security policy while ensuring reasonable, default protection.
...And 9 more matches

nsIXPConnect
void clearallwrappednativesecuritypolicies(); nsixpconnectjsobjectholder createsandbox(in jscontextptr cx, in nsiprincipal principal); native code only!
... obsolete since gecko 2.0 void getdefaultsecuritymanager(out nsixpcsecuritymanager amanager, out pruint16 flags); nsixpcfunctionthistranslator getfunctionthistranslator(in nsiidref aiid); jsobjectptr getjsobjectofwrapper(in jscontextptr ajscontext, in jsobjectptr ajsobj); [noscript, notxpcom] nsisupports getnativeofwrapper(in jscontextptr ajscontext, in jsobjectptr ajsobj); void getsecuritymanagerforjscontex...
...t(in jscontextptr ajscontext, out nsixpcsecuritymanager amanager, out pruint16 flags); nsixpconnectwrappednative getwrappednativeofjsobject(in jscontextptr ajscontext, in jsobjectptr ajsobj); nsixpconnectwrappednative getwrappednativeofnativeobject(in jscontextptr ajscontext, in jsobjectptr ascope, in nsisupports acomobj, in nsiidref aiid); nsixpconnectjsobjectholder getwrappednativeprototype(in jscontextptr ajscontext, in jsobjectptr ascope, in nsiclassinfo aclassinfo); jsval getwrapperforobject(in jscontextptr ajscontext, in jsobjectptr aobject, in jsobjectptr ascope, in nsiprincipal aprincipal, in unsigned long afilenameflags); native code only!
...And 9 more matches

MediaDevices.getUserMedia() - Web APIs
see security for more information on this and other security issues related to using getusermedia().
... older versions of the specification used securityerror for this instead; securityerror has taken on a new meaning.
... securityerror user media support is disabled on the document on which getusermedia() was called.
...And 8 more matches

Index
61 xpconnect wrappers guide, needscontent, xpcom, xpcom:language bindings, xpconnect this document is a high-level overview of xpconnect wrapper objects (for the more technical description see xpconnect security membranes).
... 86 using nsipasswordmanager guide, interfaces, login manager, security the code on this page will work with applications using toolkit 1.8 and below such as firefox 2.0.0.x and thunderbird 2.0.0.x.
...in fact, virtually all of the functionality that you associate with a browser - navigation, window management, managing cookies, bookmarks, security, searching, rendering, and other features - is defined in xpcom components and accessed by means of those component interfaces.
...And 7 more matches

Content Processes - Archive of obsolete content
there are several caveats here, all of them related to security, that might cause things to not behave in the way you might expect.
...this, too, is primarily related to security.
...afterwards, it was decided to keep the design the way it is: even though it's no longer necessary, it turns out that from a security point of view there are several important advantages to thinking about content and add-on code as living in different processes.
...And 6 more matches

NSS FAQ
general questions what is network security services (nss) nss is set of libraries, apis, utilities, and documentation designed to support cross-platform development of security-enabled client and server applications.
... if you want add support for ssl, s/mime, or other internet security standards to your application, you can use network security services (nss) to do so.
...it provides a complete software development kit that uses the same architecture used to support security features in many client and server products from netscape and other companies.
...And 6 more matches

Index
144 jsprincipalstranscoder advanced, constructor, needsexample, reference, spidermonkey jsprincipalstranscoder is the type of a security callback that can be configured using js_setprincipalstranscoderjsapi 1.8 and earlier or js_setruntimesecuritycallbacksadded in spidermonkey 1.8.1.
... 153 jssecuritycallbacks.contentsecuritypolicyallows the jssecuritycallbacks.contentsecuritypolicyallows callback is called when a script attempts to access an object property.
... 210 js_compilefunctionforprincipals jsapi reference, obsolete, spidermonkey js_compilefunctionforprincipals compiles a security-enabled function from a text string, bytes, and associates it with a js object, obj.
...And 6 more matches

nsISocketProvider
to create an instance, use: var socketprovider = components.classes["@mozilla.org/network/socket;2?type="] .createinstance(components.interfaces.nsisocketprovider); method overview void addtosocket(in long afamily, in string ahost, in long aport, in string aproxyhost, in long aproxyport, in unsigned long aflags, in prfiledescstar afiledesc, out nsisupports asecurityinfo); native code only!
... void newsocket(in long afamily, in string ahost, in long aport, in string aproxyhost, in long aproxyport, in unsigned long aflags, out prfiledescstar afiledesc, out nsisupports asecurityinfo); native code only!
...void addtosocket( in long afamily, in string ahost, in long aport, in string aproxyhost, in long aproxyport, in unsigned long aflags, in prfiledescstar afiledesc, out nsisupports asecurityinfo ); parameters afamily the address family for this socket (pr_af_inet or pr_af_inet6).
...And 6 more matches

CSP: report-uri - HTTP
the deprecated http content-security-policy (csp) report-uri directive instructs the user agent to report attempts to violate the content security policy.
...so for compatibility with current browsers while also adding forward compatibility when browsers get report-to support, you can specify both report-uri and report-to: content-security-policy: ...; report-uri https://endpoint.com; report-to groupname in browsers that support report-to, the report-uri directive will be ignored.
... syntax content-security-policy: report-uri <uri>; content-security-policy: report-uri <uri> <uri>; <uri> a uri where to post the report to.
...And 6 more matches

Appendix C: Avoiding using eval in Add-ons - Archive of obsolete content
using eval in add-ons is almost always unnecessary, and many times even a security vulnerability.
...additionally, parsing json retrieved from a remote location becomes a security vulnerability when parsed with the eval function.
...even if you trust the remote server; for example, because it is one you rent and administer yourself, there is a huge security risk, because of, but not limited to: you might discontinue your project or sell it, so that it is possible another person with malicious intentions takes over your domain.
...And 5 more matches

NSS_3.12_release_notes.html
nss 3.12 release notes 17 june 2008 newsgroup: mozilla.dev.tech.crypto contents introduction distribution information new in nss 3.12 bugs fixed documentation compatibility feedback introduction network security services (nss) 3.12 is a minor release with the following new features: sqlite-based shareable certificate and key databases libpkix: an rfc 3280 compliant certificate path validation library camellia cipher support tls session ticket extension (rfc 5077) nss 3.12 is tri-licensed under the mpl 1.1/gpl 2.0/lgpl 2.1.
...nss 3.12 source and binary distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_rtm/src/.
... binary distributions: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_rtm/.
...And 5 more matches

nss tech note5
using nss to perform miscellaneous cryptographic operations nss technical note: 5 nss project info is at http://www.mozilla.org/projects/security/pki/nss/ you can browse the nss source online at http://lxr.mozilla.org/mozilla/source/security/nss/ and http://lxr.mozilla.org/security/ be sure to look for sample code first for things you need to do.
...you can find a list of cipher mechanisms in security/nss/lib/softoken/pkcs11.c - grep for ckf_en_de_.
...you can find a list of digest mechanisms in security/nss/lib/softoken/pkcs11.c - grep for ckf_digest.
...And 5 more matches

NSS tools : signver
signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new sqlite databases (cert9.db, key4.db, and pkcs11.txt).
... signver -a -s signature_file -o output_file nss database types nss originally used berkeleydb databases to store security information.
...still, nss requires more flexibility to provide a truly shared security database.
...And 5 more matches

CSP: script-src - HTTP
the http content-security-policy (csp) script-src directive specifies valid sources for javascript.
... syntax one or more sources can be allowed for the script-src policy: content-security-policy: script-src <source>; content-security-policy: script-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation case given this csp header: content-security-policy: script-src https://example.com/ the following script is blocked and won't be loaded or executed: <script src="https://not-example.com/js/library.js"></script> note that inline event handlers are blocked as well: <button id="btn" onclick="dosomething()"> you should replace them with addeventlistener calls: document.getelementbyid("btn").addeventlistener('click', dosomething); unsafe...
...And 5 more matches

CSP: style-src - HTTP
the http content-security-policy (csp) style-src directive specifies valid sources for stylesheets.
... syntax one or more sources can be allowed for the style-src policy: content-security-policy: style-src <source>; content-security-policy: style-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation cases given this csp header: content-security-policy: style-src https://example.com/ the following stylesheets are blocked and won't load: <link href="https://not-example.com/styles/main.css" rel="stylesheet" type="text/css" /> <style> #inline-style { background: red; } </style> <style> @import url("https://not-example.com/styles/print.css") print; </style> as well as styles loaded using the link header: link: <https://not-example.co...
...And 5 more matches

Plug-n-Hack - Archive of obsolete content
overview plug-n-hack (pnh) is a proposed standard from the mozilla security team for defining how security tools can interact with browsers in a more useful and usable way.
... security researchers commonly use security tools in conjunction with browsers, but until now direct integration has required writing platform and browser specific extensions.
... configuring a browser to work with a security tool can be a non-trivial process, and this can discourage people with less experience from using such tools.
...And 4 more matches

Introduction to Public-Key Cryptography - Archive of obsolete content
public-key cryptography and related standards and techniques underlie the security features of many products such as signed and encrypted email, single sign-on, and secure sockets layer (ssl) communications.
... client authentication is an essential element of network security within most intranets or extranets.
... neither password-based authentication nor certificate-based authentication address security issues related to physical access to individual machines or passwords.
...And 4 more matches

NSS tools : crlutil
name crlutil — list, generate, modify, or delete crls within the nss security database file(s) and list, create, modify or delete certificates entries in a particular crl.
...please contribute to the initial review in mozilla nss bug 836477[1] description the certificate revocation list (crl) management tool, crlutil, is a command-line utility that can list, generate, modify, or delete crls within the nss security database file(s) and list, create, modify or delete certificates entries in a particular crl.
...for information on security module database management, see using the security module database tool.
...And 4 more matches

NSS tools : crlutil
name crlutil — list, generate, modify, or delete crls within the nss security database file(s) and list, create, modify or delete certificates entries in a particular crl.
... synopsis crlutil [options] arguments description the certificate revocation list (crl) management tool, crlutil, is a command-line utility that can list, generate, modify, or delete crls within the nss security database file(s) and list, create, modify or delete certificates entries in a particular crl.
...for information on security module database management, see using the security module database tool.
...And 4 more matches

Xray vision
xray vision helps javascript running in a privileged security context safely access objects created by less privileged code, by showing the caller only the native version of the objects.
...the security principal defined for the sandbox determines its privilege level.
... the security machinery in gecko ensures that there's asymmetric access between code at different privilege levels: so for example, content code can't access objects created by chrome code, but chrome code can access objects created by content.
...And 4 more matches

XUL Migration Guide - Archive of obsolete content
the main reason for this design is security: it reduces the risk that a malicious web page will be able to access privileged apis.
...if the supported apis do what you need, they're the best option: you get the benefits of compatibility across firefox releases and of the sdk's security model.
... note, though, that by using third party packages you're likely to lose the security and compatibility benefits of using the sdk.
...And 3 more matches

Index of archived content - Archive of obsolete content
th getattributens common pitfalls communication between html and your extension creating custom firefox extensions with the mozilla build system custom about: urls default preferences deploying a plugin as an extension developing add-ons displaying web content in an extension without security issues downloading json and javascript in extensions enhanced extension installation extension etiquette extension library extension packaging extension samples extension theming guidelines extension versioning, update and compatibility extensions support in seamonkey 2 firefox addons developer gui...
...ons setting up a development environment the box model the essentials of an extension useful mozilla community sites user notifications and alerts xpcom objects performance best practices in extensions search extension tutorial (draft) security best practices in extensions session store api setting up an extension development environment signing an xpi signing an extension supporting search suggestions in search plugins tabbed browser techniques promises updating addons broken by private browsing cha...
...ularization techniques monitoring downloads mozilla application framework mozilla application framework in detail mozilla crypto faq mozprocess mozprofile mozrunner nsc_setpin nanojit lir new security model for web services new skin notes overview of how downloads work plug-n-hack plug-n-hack get involved plug-n-hack phase1 plug-n-hack phase2 plug-n-hack tools supported plugin architecture porting nspr to unix platforms priority content ...
...And 3 more matches

Sending form data - Learn web development
we also look at some of the security concerns associated with sending form data.
...on the other hand, if the form is hosted on a secure page but you specify an insecure http url with the action attribute, all browsers display a security warning to the user each time they try to send data because the data will not be encrypted.
... security issues each time you send data to a server, you need to consider security.
...And 3 more matches

Properly configuring server MIME types - Learn web development
serving content using the correct mime type can also be important for security reasons; it's possible for malicious content to affect the user's computer by pretending to be a safe type of document when it is in fact not.
...for security reasons, gecko 2.0 will no longer do this for stylesheets loaded from a different origin than the requesting document.
... gecko 1.9.1.11 (firefox 3.5.11) and gecko 1.9.2.5 (firefox 3.6.5) also implement this security fix, but to improve compatibility, there was a temporary heuristic that allows the load if the first line in the style sheet appears to be a well-formed css construct; the heuristic has been removed in firefox 4, and you have to properly set the text/css mime types to have your css pages recognized.
...And 3 more matches

Server-side web frameworks - Learn web development
html, json, xml), and improving security against web attacks.
... web security: some web frameworks provide better support for handling common web attacks.
...deno aims to fill in some of the loop-holes in node.js by providing a mechanism that naturally maintains better security.
...And 3 more matches

Listening to events on all tabs
onsecuritychange notification called for security progress.
... this method will be called on security transitions (eg http -> https, https -> http, foo -> https) and after document load completion.
... note: these notifications will only occur if a security package is installed.
...And 3 more matches

Storage access policy: Block cookies from trackers
dom storage: localstorage: window.localstorage: read and write attempts throw a securityerror exception.
... indexeddb: attempting to access the indexeddb factory object throws a securityerror exception.
... messaging and workers: broadcast channel: attempts to create a new broadcastchannel will throw a securityerror exception.
...And 3 more matches

4.3 Release Notes
release date: 01 april 2009 introduction network security services for java (jss) 4.3 is a minor release with the following new features: sqlite-based shareable certificate and key databases libpkix: an rfc 3280 compliant certificate path validation library pkcs11 needslogin method support hmacsha256, hmacsha384, and hmacsha512 support for all nss 3.12 initialization options jss 4.3 is tri-licensed under mpl 1.1/gpl 2.0/lgpl 2.1.
... libpkix: an rfc 3280 compliant certificate path validation library (see pkixverify) pk11token.needslogin method (see needslogin) support hmacsha256, hmacsha384, and hmacsha512 (see hmactest.java) support for all nss 3.12 initialization options (see initializationvalues) new ssl error codes (see http://mxr.mozilla.org/security/sour...util/sslerrs.h) ssl_error_unsupported_extension_alert ssl_error_certificate_unobtainable_alert ssl_error_unrecognized_name_alert ssl_error_bad_cert_status_response_alert ssl_error_bad_cert_hash_value_alert new tls cipher suites (see http://mxr.mozilla.org/security/sour...sslsocket.java): tls_rsa_with_camellia_128_cbc_sha tls_dhe_dss_with_camellia_128_c...
...n_with_camellia_128_cbc_sha tls_dh_dss_with_camellia_256_cbc_sha tls_dh_rsa_with_camellia_256_cbc_sha tls_dh_anon_with_camellia_256_cbc_sha tls_ecdh_anon_with_null_sha tls_ecdh_anon_with_rc4_128_sha tls_ecdh_anon_with_3des_ede_cbc_sha tls_ecdh_anon_with_aes_128_cbc_sha tls_ecdh_anon_with_aes_256_cbc_sha distribution information jss is checked into mozilla/security/jss/.
...And 3 more matches

NSS 3.14 release notes
introduction the nss team has released network security services (nss) 3.14, which is a minor release with the following new features: support for tls 1.1 (rfc 4346) experimental support for dtls 1.0 (rfc 4347) and dtls-srtp (rfc 5764) support for aes-ctr, aes-cts, and aes-gcm support for keying material exporters for tls (rfc 5705) in addition to the above new features, the following major changes have been introduced: support for certificate signatures using the md5 hash algorithm is now disabled by default.
...for an additional explantation on gpl/lgpl compatibility, see security/nss/copying in the source code.
... nss 3.14 source tarballs can be downloaded from https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_14_rtm/src/.
...And 3 more matches

NSS 3.19.2.1 release notes
introduction network security services (nss) 3.19.2.1 is a patch release for nss 3.19.2.
... the bug fixes in nss 3.19.2.1 are described in the "security advisories" section below.
... nss 3.19.2.1 and nspr 4.10.10 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_19_2_1_rtm/src/ https://ftp.mozilla.org/pub/nspr/releases/v4.10.10/src/ security advisories the following security-relevant bugs have been resolved in nss 3.19.2.1.
...And 3 more matches

NSS 3.19.4 release notes
introduction network security services (nss) 3.19.4 is a patch release for nss 3.19.
... the bug fixes in nss 3.19.4 are described in the "security advisories" section below.
... nss 3.19.4 and nspr 4.10.10 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_19_4_rtm/src/ https://ftp.mozilla.org/pub/nspr/releases/v4.10.10/src/ security advisories the following security-relevant bugs have been resolved in nss 3.19.4.
...And 3 more matches

NSS 3.20.1 release notes
introduction network security services (nss) 3.20.1 is a patch release for nss 3.20.
... the bug fixes in nss 3.20.1 are described in the "security advisories" section below.
... nss 3.20.1 and nspr 4.10.10 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_20_1_rtm/src/ https://ftp.mozilla.org/pub/nspr/releases/v4.10.10/src/ security advisories the following security-relevant bugs have been resolved in nss 3.20.1.
...And 3 more matches

Overview of NSS
open source crypto libraries proven application security architecture if you want to add support for ssl, s/mime, or other internet security standards to your application, you can use network security services (nss) to implement all your security features.
...for details, see network security services for java.
... interoperability and open standards you can use nss to support a range of security standards in your application, including the following: ssl v3.
...And 3 more matches

gtstd.html
ssl, pkcs #11, and the default security databases setting up the certificate and key databases building nss programs ssl, pkcs #11, and the default security databases the basic relationships among the nss libraries are described in introduction to network security services.
... before running the sample programs, it's important to understand the relationships between the ssl interface, the pkcs #11 interface, pkcs #11 modules, and the default netscape security databases.
... if you are creating a client application, you can use either the certificate database tool or the communicator security interface to create the database files and populate them with the appropriate certificates and keys.
...And 3 more matches

nsIPrincipal
caps/nsiprincipal.idlscriptable provides the interface to a principal, which represents a security context.
... inherits from: nsiserializable last changed in gecko 2.0 (firefox 4 / thunderbird 3.3 / seamonkey 2.1) for details on principals, how they work, and how to get the appropriate one, see security check basics.
...obsolete since gecko 1.8 csp nsicontentsecuritypolicy a content security policy associated with this principal.
...And 3 more matches

Using the Screen Capture API - Web APIs
this is done for security reasons, as the content that cannot be seen by the user may contain data which they do not want to share.
... note: for privacy and security reasons, screen sharing sources are not enumerable using enumeratedevices().
... security as is always the case when sharing content over a network, it's important to consider the privacy and safety implications of screen sharing.
...And 3 more matches

Window.open() - Web APIs
the returned reference can be used to access properties and methods of the new window as long as it complies with same-origin policy security requirements.
... it is because of the cross-domain script security restriction (also referred as the "same origin policy").
... more reading on the cross-domain script security restriction: http://www.mozilla.org/projects/secu...me-origin.html usability issues avoid resorting to window.open() generally speaking, it is preferable to avoid resorting to window.open() for several reasons: most modern desktop browsers offer tab-browsing, and tab-capable browser users overall prefer opening new tabs than opening new windows in a majority of webpage situations.
...And 3 more matches

CSP: form-action - HTTP
the http content-security-policy (csp) form-action directive restricts the urls which can be used as the target of a form submissions from a given context.
... syntax one or more sources can be set for the form-action policy: content-security-policy: form-action <source>; content-security-policy: form-action <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples meta tag configuration <meta http-equiv="content-security-policy" content="form-action 'none'"> apache configuration <ifmodule mod_headers.c> header set content-security-policy "form-action 'none'; </ifmodule> nginx configuration add_header content-security-policy "form-action 'none';" violation case using a <form> element with an action set to inline javascript will result in a csp violation.
...And 3 more matches

browser - Archive of obsolete content
attributes autocompleteenabled, autocompletepopup, autoscroll, disablehistory, disableglobalhistory, disablesecurity, droppedlinkhandler, homepage, showcaret, src, type properties accessibletype, cangoback, cangoforward, contentdocument, contentprincipal, contenttitle, contentvieweredit, contentviewerfile, contentwindow, currenturi, docshell, documentcharsetinfo, homepage, markupdocumentviewer, messagemanager, preferences, securityui, sessionhistory, webbrowserfind, webnavigation, webprogress methods ...
... disablesecurity type: boolean set this attribute to true to disable the security ui for this browser.
...don't use for content from web, as this may cause serious security problems!
...And 2 more matches

Confidentiality, Integrity, and Availability - Archive of obsolete content
this article discusses the major security objectives: confidentiality, integrity, and availability.
... the classic model for information security defines three objectives of security: maintaining confidentiality, integrity, and availability.
...nearly all the major security incidents reported in the media today involve major losses of confidentiality.
...And 2 more matches

RDF in Mozilla FAQ - Archive of obsolete content
there are several security restrictions on accessing built-in datasources from "untrusted" xul and js.
... what is the security model for rdf/xml in xul?
...-- danbri) another possible problem: for remotely-loaded xul and rdf, you might need to adjust mozilla's security restrictions (see belowfor example code).
...And 2 more matches

Debugging on Mac OS X
debugging firefox on macos 10.14+ macos 10.14 introduced notarization and hardened runtime features for improved application security.
...this is due to notarization requiring hardened runtime to be enabled with the com.apple.security.get-task-allow entitlement disallowed.
... rather than disabling sip (which has security implications), it is recommended to debug with try builds or local builds.
...And 2 more matches

4.3.1 Release Notes
release date: 2009-12-02 introduction network security services for java (jss) 4.3.1 is a minor release with the following new features: support for ssl3 & tls renegotiation vulnerablity support to explicitly set the key usage for the generated private key jss 4.3.1 is tri-licensed under mpl 1.1/gpl 2.0/lgpl 2.1.
... ssl3 & tls renegotiation vulnerability see cve-2009-3555 and us-cert vu#120541 for more information about this security vulnerability.
... see generateeckeypairwithopflags see generatersakeypairwithopflags see generatedsakeypairwithopflags distribution information jss is checked into mozilla/security/jss/.
...And 2 more matches

JSS Provider Notes
by default, the jca provider will be installed in the list of providers maintained by the java.security.security class.
...lgorithm keyspec class desede desedekeyspec des deskeyspec desede des aes rc4 secretkeyspec for increased security, some secretkeys may not be extractable from their pkcs #11 token.
... the class java.security.spec.pbekeyspec in jdk versions earlier than 1.4 does not contain the salt and iteration fields, which are necessary for pbe key generation.
...And 2 more matches

Mozilla-JSS JCA Provider notes
by default, the jca provider will be installed in the list of providers maintained by the java.security.security class.
...e deskeyspec des secretkeyspec aes des desede rc4 getkeyspec supports the following transformations: key algorithm keyspec class desede desedekeyspec des deskeyspec desede des aes rc4 secretkeyspec for increased security, some secretkeys may not be extractable from their pkcs #11 token.
... the class java.security.spec.pbekeyspec in jdk versions earlier than 1.4 does not contain the salt and iteration fields, which are necessary for pbe key generation.
...And 2 more matches

NSS 3.19.2.3 release notes
introduction network security services (nss) 3.19.2.3 is a security patch release for nss 3.19.2.
... the bug fixes in nss 3.19.2.3 are described in the "security fixes" section below.
... nss 3.19.2.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_19_2_3_rtm/src/ new in nss 3.19.2.3 new functionality no new functionality is introduced in this release.
...And 2 more matches

NSS 3.21.1 release notes
introduction network security services (nss) 3.21.1 is a security patch release for nss 3.21.
... the bug fixes in nss 3.21.1 are described in the "security fixes" section below.
... nss 3.21.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_21_1_rtm/src/ new in nss 3.21.1 new functionality no new functionality is introduced in this release.
...And 2 more matches

NSS 3.22.2 release notes
introduction network security services (nss) 3.22.2 is a security patch release for nss 3.22.
... the bug fixes in nss 3.22.2 are described in the "security fixes" section below.
... nss 3.22.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_22_2_rtm/src/ new in nss 3.22.2 new functionality no new functionality is introduced in this release.
...And 2 more matches

PKCS11 Implement
implementing pkcs #11 for nss note: this document was originally for the netscape security library that came with netscape communicator 4.0.
... installation you can install your module in any convenient location on the user's hard disk, but you must tell the user to type the module name and location in the cryptographic modules portion of the communicator security info window.
... to do so, the user should follow these steps: click the security icon near the top of any communicator window.
...And 2 more matches

NSS tools : vfychain
modutil can add and delete pkcs #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable fips 140-2 compliance, and assign default providers for cryptographic operations.
... this tool can also create certificate, key, and module security database files.
... the tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.
...And 2 more matches

NSS tools : vfychain
modutil can add and delete pkcs #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable fips 140-2 compliance, and assign default providers for cryptographic operations.
... this tool can also create certificate, key, and module security database files.
... the tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.
...And 2 more matches

Split object
to further complicate matters, a and b are in the same security domain, so security checks between them automatically succeed.
... security privileges are granted to js code on the basis of the scope chain of the executing code.
...this security feature is not peculiar to split objects.
...And 2 more matches

Mozilla Projects
network security services network security services (nss) is a set of libraries designed to support cross-platform development of security-enabled client and server applications.
... applications built with nss can support ssl v3, tls, pkcs #5, pkcs #7, pkcs #11, pkcs #12, s/mime, x.509 v3 certificates, and other security standards.
... personal security manager (psm) personal security manager (psm) consists of a set of libraries that perform cryptographic operations on behalf of a client application.
...And 2 more matches

nsIDownloadProgressListener
cationchange(in nsiwebprogress awebprogress, in nsirequest arequest, in nsiuri alocation, in nsidownload adownload); obsolete since gecko 1.9.1 void onprogresschange(in nsiwebprogress awebprogress, in nsirequest arequest, in long long acurselfprogress, in long long amaxselfprogress, in long long acurtotalprogress, in long long amaxtotalprogress, in nsidownload adownload); void onsecuritychange(in nsiwebprogress awebprogress, in nsirequest arequest, in unsigned long astate, in nsidownload adownload); void onstatechange(in nsiwebprogress awebprogress, in nsirequest arequest, in unsigned long astateflags, in nsresult astatus, in nsidownload adownload); void onstatuschange(in nsiwebprogress awebprogress, in nsirequest arequest, in nsresult astatus, in wstring amessa...
... onsecuritychange() called when the level of security being used while downloading changes; for example, if the initial request is made via https but the download switches to http, this function gets called to notify you of that transition.
... void onsecuritychange( in nsiwebprogress awebprogress, in nsirequest arequest, in unsigned long astate, in nsidownload adownload ); parameters awebprogress the nsiwebprogress instance used by the download manager to monitor downloads.
...And 2 more matches

FileSystemFlags - Web APIs
note that these option flags currently don't have any useful meaning when used in the scope of web content, where security precautions prevent the creation of new files or the replacement of existing ones.
... 13prefixed prefixed implemented with the vendor prefix: webkitedge full support ≤79prefixed full support ≤79prefixed prefixed implemented with the vendor prefix: webkitfirefox partial support 50notes partial support 50notes notes for security reasons, firefox does not support creating files.
... yesprefixed prefixed implemented with the vendor prefix: webkitchrome android full support yesprefixed full support yesprefixed prefixed implemented with the vendor prefix: webkitfirefox android partial support 50notes partial support 50notes notes for security reasons, firefox does not support creating files.
...And 2 more matches

Web Authentication API - Web APIs
this resolves significant security problems related to phishing, data breaches, and attacks against sms texts or other second-factor authentication methods while at the same time significantly increasing ease of use (since users don't have to manage dozens of increasingly complicated passwords).
...the authenticator may be embedded into an operating system, such as windows hello, or may be a physical token, such as a usb or bluetooth security key.
...note that it is absolutely critical that the challenge be a buffer of random information (at least 16 bytes) and it must be generated on the server in order to ensure the security of the registration process.
...And 2 more matches

window.postMessage() - Web APIs
security concerns if you do not expect to receive messages from other sites, do not add any event listeners for message events.
... this is a completely foolproof way to avoid security problems.
...otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.
...And 2 more matches

HTTP authentication - HTTP
authentication of cross-origin images a potential security hole recently been fixed by browsers is authentication of cross-site images.
...schemes can differ in security strength and in their availability in client or server software.
... security of basic authentication as the user id and password are passed over the network as clear text (it is base64 encoded, but base64 is a reversible encoding), the basic authentication scheme is not secure.
...And 2 more matches

CSP: base-uri - HTTP
the http content-security-policy base-uri directive restricts the urls which can be used in a document's <base> element.
... syntax one or more sources can be allowed for the base-uri policy: content-security-policy: base-uri <source>; content-security-policy: base-uri <source> <source>; sources while this directive uses the same arguments as other csp directives, some of them don’t make sense for `<base>`, such as the keywords 'unsafe-inline' and 'strict-dynamic' <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples meta tag configuration <meta http-equiv="content-security-policy" content="base-uri 'self'"> apache configuration <ifmodule mod_headers.c> header set content-security-policy "base-uri 'self'"; </ifmodule> nginx configuration add_header content-security-policy "base-uri 'self';" violation case since your domain isn't example.com, a <base> element with its href set to https://example.com will result in a csp violation.
...And 2 more matches

CSP: connect-src - HTTP
the http content-security-policy (csp) connect-src directive restricts the urls which can be loaded using script interfaces.
... syntax one or more sources can be allowed for the connect-src policy: content-security-policy: connect-src <source>; content-security-policy: connect-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation cases given this csp header: content-security-policy: connect-src https://example.com/ the following connections are blocked and won't load: <a ping="https://not-example.com"> <script> var xhr = new xmlhttprequest(); xhr.open('get', 'https://not-example.com/'); xhr.send(); var ws = new websocket("https://not-example.com/"); var es = new eventsource("https://not-example.com/"); navigator.sendbeacon("https://not-example.com/"...
...And 2 more matches

CSP: default-src - HTTP
the http content-security-policy (csp) default-src directive serves as a fallback for the other csp fetch directives.
...ctive and uses this value for it: child-src connect-src font-src frame-src img-src manifest-src media-src object-src prefetch-src script-src script-src-elem script-src-attr style-src style-src-elem style-src-attr worker-src csp version 1 directive type fetch directive syntax one or more sources can be allowed for the default-src policy: content-security-policy: default-src <source>; content-security-policy: default-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the following header: content-security-policy: default-src 'self'; script-src https://example.com is the same as: content-security-policy: connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; object-src 'self'; ...
...And 2 more matches

CSP: object-src - HTTP
the http content-security-policy object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements.
... elements controlled by object-src are perhaps coincidentally considered legacy html elements and aren't receiving new standardized features (such as the security attributes sandbox or allow for <iframe>).
... syntax one or more sources can be allowed for the object-src policy: content-security-policy: object-src <source>; content-security-policy: object-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...And 2 more matches

CSP: sandbox - HTTP
the http content-security-policy (csp) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute.
... csp version 1.1 / 2 directive type document directive this directive is not supported in the <meta> element or by the content-security-policy-report-only header field.
... syntax content-security-policy: sandbox; content-security-policy: sandbox <value>; where <value> can optionally be one of the following values: allow-downloads-without-user-activation allows for downloads to occur without a gesture from the user.
...And 2 more matches

Creating Reusable Modules - Archive of obsolete content
md5 is a commonly used hash function: although it's no longer considered secure, it works fine outside a security context.
...rcode) { return ("0" + charcode.tostring(16)).slice(-2); } function md5file(path) { var f = cc["@mozilla.org/file/local;1"] .createinstance(ci.nsilocalfile); f.initwithpath(path); var istream = cc["@mozilla.org/network/file-input-stream;1"] .createinstance(ci.nsifileinputstream); // open for reading istream.init(f, 0x01, 0444, 0); var ch = cc["@mozilla.org/security/hash;1"] .createinstance(ci.nsicryptohash); // we want to use the md5 algorithm ch.init(ch.md5); // this tells updatefromstream to read the entire file const pr_uint32_max = 0xffffffff; ch.updatefromstream(istream, pr_uint32_max); // pass false here to get binary data back var hash = ch.finish(false); // convert the binary hash data to a hex string.
...rcode) { return ("0" + charcode.tostring(16)).slice(-2); } function md5file(path) { var f = cc["@mozilla.org/file/local;1"] .createinstance(ci.nsilocalfile); f.initwithpath(path); var istream = cc["@mozilla.org/network/file-input-stream;1"] .createinstance(ci.nsifileinputstream); // open for reading istream.init(f, 0x01, 0444, 0); var ch = cc["@mozilla.org/security/hash;1"] .createinstance(ci.nsicryptohash); // we want to use the md5 algorithm ch.init(ch.md5); // this tells updatefromstream to read the entire file const pr_uint32_max = 0xffffffff; ch.updatefromstream(istream, pr_uint32_max); // pass false here to get binary data back var hash = ch.finish(false); // convert the binary hash data to a hex string.
...rcode) { return ("0" + charcode.tostring(16)).slice(-2); } function md5file(path) { var f = cc["@mozilla.org/file/local;1"] .createinstance(ci.nsilocalfile); f.initwithpath(path); var istream = cc["@mozilla.org/network/file-input-stream;1"] .createinstance(ci.nsifileinputstream); // open for reading istream.init(f, 0x01, 0444, 0); var ch = cc["@mozilla.org/security/hash;1"] .createinstance(ci.nsicryptohash); // we want to use the md5 algorithm ch.init(ch.md5); // this tells updatefromstream to read the entire file const pr_uint32_max = 0xffffffff; ch.updatefromstream(istream, pr_uint32_max); // pass false here to get binary data back var hash = ch.finish(false); // convert the binary hash data to a hex string.

Appendix D: Loading Scripts - Archive of obsolete content
security: sandbox objects are initialized with a security principal object, or otherwise a window or url from which to derive one.
...the script will execute in the same security context as the current script and will have access to the same globals, but any new globals it creates will be accessible only to the script itself.
...the script will execute with the security principal of and have access to the global properties of the current global.
...the script will execute in the same security context as the current script and will have access to the same globals, but any new globals it creates will be accessible only to the script itself.

Signing an XPI - Archive of obsolete content
get network security services 1.
... download the latest network security services (nss) package from the mozilla ftp site at https://ftp.mozilla.org/pub/mozilla.or.../nss/releases/.
... warning: performing this operation while the browser is running could cause corruption of your security databases.
... don't forget to delete the certificate from mozilla firefox once you've finished testing firefox 1.5: from the tools menu choose options->advanced->security->view certificates->authorities firefox 1.0: from the tools menu choose options->advanced->certificates->manage certificates->authorities press the import button.

List of Mozilla-Based Applications - Archive of obsolete content
itoring package astyle css editor editing tool atmail webmail client aviva for java mainframe connectivity product uses mozilla rhino babelgum internet tv service basilisk pre-servo xul-based web browser uses most of the firefox 55 source code batik java-based toolkit uses mozilla rhino bitbox security focused browser seemingly based on firefox blackbird browser for african american community bluegriffon wysiwyg editor next generation version of composer buzzbird twitter client built on xulrunner camino browser 2.5m downloads and ~400,000 active users ...
...m lotus notes and sametime can embed xul applications lucidor e-book reader lx-office accounting tool looks like it makes at least some use of xul maavis simple ui & communications for accessibility framework designed for elderly people with dementia but other applications mac os x operating system makes use of some mpl files such as libsecurity_asn1 maemo browser browser for maemo internet tablet development name is microb magooclient business process management tool uses mozilla rhino mantra security tool mccoy secure update tool for add-ons xulrunner application mediacoder media converter transcoder for video, audio, and even devices such as zen, zune, pocketp...
... uox3 ultima online server-emulator uses mozilla spidermonkey verbosio xml editor no releases available verseminder bible passage app virgin media security security tools seems to use xulrunner virtualbox virtualization tool use xpcom as its component model on linux waterfox 64-bit variant of firefox based on firefox webissimo web browser based on xulrunner websecurify web application security testing environment wesabe money management tool automatic uploader is a xul...
... other places to find mozilla applications include: http://www.mozilla.org/projects/ http://developer.mozilla.org/en/docs/xulrunner_hall_of_fame http://www.mozdev.org http://xulapps.net/ http://dmoz.org/computers/data_formats/markup_languages/xml/applications/xul/applications/ http://blog.mozbox.org/post/2007/06/14/xul-activity-in-france http://www.mozilla.org/projects/security/pki/nss/overview.html http://en.wikipedia.org/wiki/spidermonkey_(javascript_engine) http://www.mozilla.org/rhino/users.html http://groups.google.com/group/mozilla.dev.tech.js-engine.rhino/browse_thread/thread/4eb9162c9c3054b0/1d4115b40373ca3b?lnk=raot http://www.ohloh.net/tags/xulrunner ...

2006-10-06 - Archive of obsolete content
summary: mozilla.dev.security - september 30, 2006 to october 6, 2006 return to mozilla-dev-tech-xul announcements none during this week.
...as well as any protocols that you have implemented and are not in the list of protocols nsscriptsecuritymanager::checkloaduri feed: consensus is that it should be allowed and treated as an ordinary link.
... webcal: & swebcal: should also be allowed as the security manager doesn't differentiate between access types.
... other this is for allowing protocol handlers to define a custom security model (see bug 120373).

Client-side form validation - Learn web development
however, client-side validation should not be considered an exhaustive security measure!
... your apps should always perform security checks on any form-submitted data on the server-side as well as the client-side, because client-side validation is too easy to bypass, so malicious users can still easily send bad data through to your server.
... read website security for an idea of what could happen; implementing server-side validation is somewhat beyond the scope of this module, but you should bear it in mind.
...there are many ways that malicious users can misuse unprotected forms to damage the application (see website security).

Index - Learn web development
223 website security beginner, codingscripting, guide, intro, learn, security, server-side programming, web security, website security this article has explained the concept of web security and some of the more common threats against which your website should attempt to protect.
... 323 sending form data beginner, codingscripting, files, forms, guide, html, http, headers, security, web as we'd alluded to above, sending form data is easy, but securing an application can be tricky.
... just remember that a front-end developer is not the one who should define the security model of the data.it's possible to perform client-side form validation, but the server can't trust this validation because it has no way to truly know what has really happened on the client-side.
... 324 sending forms through javascript advanced, example, forms, forms guide, guide, html, html forms, javascript, learn, security, web, web forms html forms can send an http request declaratively.

Experimental features in Firefox
nightly 81 yes developer edition — — beta — — release — — preference name — security and privacy block plain text requests from flash on encrypted pages in order to help mitigate man-in-the-middle (mitm) attacks caused by flash content on encrypted pages, a preference has been added to treat object_subrequests as active content.
... nightly 59 no developer edition 59 no beta 59 no release 59 no preference name security.mixed_content.block_object_subrequest insecure page labeling these two preferences add a "not secure" text label in the address bar next to the traditional lock icon when a page is loaded insecurely (that is, using http rather than https).
... nightly 60 no developer edition 60 no beta 60 no release 60 no preference name security.insecure_connection_text.enabled for normal browsing mode; security.insecure_connection_text.pbmode.enabled for private browsing mode upgrading mixed display content when enabled, this preference causes firefox to automatically upgrade requests for media content from http to https on secure pages.
... nightly 60 no developer edition 60 no beta 60 no release 60 no preference name security.mixed_content.upgrade_display_content ftp support disabled for security reasons, mozilla intends to remove support for ftp from firefox in 2020, effective in firefox 82.

OS.File for the main thread
winsecurity (ignored under non-windows platforms) if specified, a security policy, as per windows function createfile.
... if unspecified, no security attributes.
... winsecurity (ignored under non-windows platforms) if specified, a security policy, as per windows function createdirectory.
... if unspecified, no security attributes.

Mozilla DOM Hacking Guide
static nsiscriptsecuritymanager *ssecman: used by the dom security engine.
... static prbool sdosecuritycheckinaddproperty;: help me!
...then the script security manager (ssecman) is initialized.
... security features implementation this chapter has not been written yet.

Mozilla Port Blocking
by default, mozilla now blocks access to specific ports which are used by vulnerable services in order to prevent security vulnerabilites due to "cross-protocol scripting".
..."access to the port number given has been disabled for security reasons." "establishing a connection to an unsafe or otherwise banned port was prohibited" "0x804b0013 (ns_error_port_access_not_allowed)" if your product or web site uses a port which is blocked by mozilla's default port blocking rules, you can either change the port of your service to a unblocked value (recommended if possible) or ask your mozilla users to enable the port.
...enabling ports user_pref("network.security.ports.banned.override, "port1,port2"); disabling ports user_pref("network.security.ports.banned", "port3,port4"); blocked ports ports blocked by default in mozilla: port service 1 tcpmux 7 echo 9 discard 11 systat 13 daytime 15 netstat 17 qotd 19 chargen 20 ftp data 21...
...you must have a good reason for the change, a deep understanding of the security risk involved and be able to justify it.

JSS
legacy jss information can still be found at: source: https://hg.mozilla.org/projects/jss issues: https://bugzilla.mozilla.org/buglist.cgi?product=jss wiki: /docs/mozilla/projects/nss/jss network security services for java (jss) is a java interface to nss.
... jss supports most of the security standards and encryption technologies supported by nss.
...while jdk 1.4.2 is eol'd and all new product development should be using the latest javase, legacy business products that must use jdk 1.4 or 1.5 can continue to add nss/jss security fixes/enhancements.
... mailing list newsgroup rss feed related topics security ...

NSS_3.12.2_release_notes.html
nss 3.12.2 release notes 2008-10-20 newsgroup: mozilla.dev.tech.crypto contents introduction distribution information new in nss 3.12.2 bugs fixed documentation compatibility feedback introduction network security services (nss) 3.12.2 is a patch release for nss 3.12.
...nss 3.12.2 source and binary distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_2_rtm/src/.
... binary distributions: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_2_rtm/.
... bug 450427: add comodo ecc certification authority certificate to nss bug 450536: remove obsolete xp_mac code bug 451024: certutil.exe crashes with segmentation fault inside pr_cleanup bug 451927: security/coreconf/winnt6.0.mk has invalid defines bug 452751: slot leak in pk11_findslotsbynames bug 452865: remove obsolete linker flags needed when libnss3 was linked with libsoftokn3 bug 454961: fix the implementation and use of pr_fgets in signtool bug 455348: change hyphens to underscores in debug_$(shell whoami).

NSS 3.19.2.4 release notes
introduction network security services (nss) 3.19.2.4 is a security patch release for nss 3.19.2.
... the bug fixed in nss 3.19.2.4 have been described in the "security fixes" section below.
... nss 3.19.2.4 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_19_2_4_rtm/src/ new in nss 3.19.2.4 new functionality no new functionality has been introduced in this release.
... security fixes in nss 3.19.2.4 the following security fixes from nss 3.21 have been backported to nss 3.19.2.4: bug 1185033 / cve-2016-1979 - use-after-free during processing of der encoded keys in nss bug 1209546 / cve-2016-1978 - use-after-free in nss during ssl connections in low memory bug 1190248 / cve-2016-1938 - errors in mp_div and mp_exptmod cryptographic functions in nss compatibility nss 3.19.2.4 shared libraries are backward compatible with all older nss 3.x shared libraries.

NSS 3.21.2 release notes
introduction network security services (nss) 3.21.2 is a security patch release for nss 3.21.1.
... the bug fixes in nss 3.21.2 are described in the "security fixes" section below.
... nss 3.21.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_21_2_rtm/src/ new in nss 3.21.2 new functionality no new functionality is introduced in this release.
... security fixes in nss 3.21.2 bug 1293334 / cve-2016-9074 - fixed a timing side channel in the tls cbc code.

NSS 3.21.3 release notes
introduction network security services (nss) 3.21.3 is a security patch release for nss 3.21.2.
... the bug fixes in nss 3.21.3 are described in the "security fixes" section below.
... nss 3.21.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_21_3_rtm/src/ new in nss 3.21.3 new functionality no new functionality is introduced in this release.
... security fixes in nss 3.21.3 bug 1306103 / cve-2016-5285 - fixed a possible dos on nss servers due to a missing null check.

NSS 3.23 release notes
introduction the nss team has released network security services (nss) 3.23, which is a minor release.
... nss 3.23 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_23_rtm/src/ new in nss 3.23 new functionality chacha20/poly1305 cipher and tls cipher suites now supported (bug 917571, bug 1227905) experimental-only support tls 1.3 1-rtt mode (draft-11).
...rk ca 2 sha-256 fingerprint: b6:76:f2:ed:da:e8:77:5c:d3:6c:b0:f6:3c:d1:d4:60:39:61:f4:9e:62:65:ba:01:3a:2f:03:07:b6:d0:b8:04 the following ca certificate had the email trust bit turned on cn = actalis authentication root ca sha-256 fingerprint: 55:92:60:84:ec:96:3a:64:b9:6e:2a:be:01:ce:0b:a8:6a:64:fb:fe:bc:c7:aa:b5:af:c1:55:b3:7f:d7:60:66 security fixes in nss 3.23 bug 1245528 / cve-2016-1950 - fixed a heap-based buffer overflow related to the parsing of certain asn.1 structures.
... bugs fixed in nss 3.23 this bugzilla query returns all the bugs fixed in nss 3.23: https://bugzilla.mozilla.org/buglist.cgi?resolution=fixed&classification=components&query_format=advanced&product=nss&target_milestone=3.23 acknowledgements the nss development team would like to thank security researcher francis gabriel for responsibly disclosing the issue in bug 1245528.

NSS 3.35 release notes
introduction the nss team has released network security services (nss) 3.35, which is a minor release.
... nss 3.35 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_35_rtm/src/ new in nss 3.35 new functionality tls 1.3 support has been updated to draft -23.
... for stronger security, when creating encrypted pkcs#7 or pkcs#12 data, the iteration count for the password based encryption algorithm has been increased to one million iterations.
... the following ca certificates were removed: ou = security communication ev rootca1 sha-256 fingerprint: a2:2d:ba:68:1e:97:37:6e:2d:39:7d:72:8a:ae:3a:9b:62:96:b9:fd:ba:60:bc:2e:11:f6:47:f2:c6:75:fb:37 cn = ca disig root r1 sha-256 fingerprint: f9:6f:23:f4:c3:e7:9c:07:7a:46:98:8d:5a:f5:90:06:76:a0:f0:39:cb:64:5d:d1:75:49:b2:16:c8:24:40:ce cn = dst aces ca x6 sha-256 fingerprint: 76:7c:95:5a:76:41:2c:89...

NSS 3.44.4 release notes
introduction the nss team has released network security services (nss) 3.44.4 on 19 may 2020.
... this is a security patch release.
... thank you to cesar pereida garcia and the network and information security group (nisec) at tampere university for reporting this issue.
... nss 3.44.4 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_44_4_rtm/src/ other releases are available in nss releases.

NSS 3.52.1 release notes
introduction the nss team has released network security services (nss) 3.52.1 on 19 may 2020.
... this is a security patch release.
... thank you to cesar pereida garcia and the network and information security group (nisec) at tampere university for reporting this issue.
... nss 3.52.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_52_1_rtm/src/ other releases are available in nss releases.

NSS 3.53.1 release notes
introduction the nss team has released network security services (nss) 3.53.1 on 16 june 2020.
... this is a security patch release.
... thank you to sohaib ul hassan, billy bob brumley, and the network and information security group (nisec) at tampere university for reporting this issue and providing a patch.
... nss 3.53.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_53_1_rtm/src/ other releases are available in nss releases.

NSS tools : ssltab
see also the nss security tools are also documented at [1]http://www.mozilla.org/projects/security/pki/nss/.
... additional resources nss is maintained in conjunction with pki and security-related projects through mozilla dn fedora.
...for information specifically about nss, the nss project wiki is located at [3]http://www.mozilla.org/projects/security/pki/nss/.
...http://www.mozilla.org/projects/security/pki/nss/ ...

NSS tools : ssltap
see also the nss security tools are also documented at [1]http://www.mozilla.org/projects/security/pki/nss/.
... additional resources nss is maintained in conjunction with pki and security-related projects through mozilla dn fedora.
...for information specifically about nss, the nss project wiki is located at [3]http://www.mozilla.org/projects/security/pki/nss/.
...http://www.mozilla.org/projects/security/pki/nss/ ...

NSS tools : signtool
electronic software distribution over any network involves potential security problems.
... to see fully qualified certificate names when you run communicator, click the security button in navigator, then click yours under certificates in the left frame.
... o https://wiki.mozilla.org/nss_shared_db_howto o https://wiki.mozilla.org/nss_shared_db additional resources for information about nss and other tools related to nss (like jss), check out the nss project wiki at [1]http://www.mozilla.org/projects/security/pki/nss/.
...http://www.mozilla.org/projects/security/pki/nss/ ...

NSS tools : ssltap
see also the nss security tools are also documented at [1]http://www.mozilla.org/projects/security/pki/nss/.
... additional resources nss is maintained in conjunction with pki and security-related projects through mozilla dn fedora.
... for information specifically about nss, the nss project wiki is located at [3]http://www.mozilla.org/projects/security/pki/nss/.
...http://www.mozilla.org/projects/security/pki/nss/ ...

JS_CompileFunctionForPrincipals
create a security-enabled js function from a text string.
... principals jsprincipals * pointer to the structure holding the security information for this function.
... description js_compilefunctionforprincipals compiles a security-enabled function from a text string, bytes, and associates it with a js object, obj.
... principals is a pointer to the jsprincipals structure that contains the security information to associate with this function.

JS_CompileScriptForPrincipals
compile a security-enabled script for execution.
... principals jsprincipals * pointer to the structure holding the security information for this script.
... description js_compilescriptforprincipals compiles a security-enabled script, src, for execution.
... principals is a pointer to the jsprincipals structure that contains the security information to associate with this script.

JS_GetParent
applications that use spidermonkey's custom security features can use the parent during security checks, as a convenient way to determine the security domain of an object being accessed.
... the typical rule is that every object is in the same security domain as its parent.
... (but each application can define its own security rules.
... see the security section of the user guide for an introduction to the security model.) in some cases, javascript code can get an object's parent via the read-only obj.__parent__ property.

nsIAuthModule
unwrap() this method is used to unpack, decrypt, and verify the checksums on data returned by a server when security layers are in use.
... exceptions thrown ns_error_not_implemented if the underlying authentication mechanism does not support security layers.
... wrap() once a security context has been established through calls to getnexttoken() it may be used to protect data exchanged between client and server.
... exceptions thrown ns_error_not_implemented if the underlying authentication mechanism does not support security layers.

nsIPushService
example const { classes: cc, interfaces: ci, utils: cu } = components; const scriptsecuritymanager = cc["@mozilla.org/scriptsecuritymanager;1"] .getservice(ci.nsiscriptsecuritymanager); const pushservice = cc["@mozilla.org/push/service;1"] .getservice(ci.nsipushservice); pushservice.subscribe( "chrome://my-module/push", scriptsecuritymanager.getsystemprincipal(), (code, subscription) => { if (!components.issuccesscode(code...
... example pushservice.getsubscription( "chrome://my-module/push", scriptsecuritymanager.getsystemprincipal(), (code, subscription) => { if (!components.issuccesscode(code)) { cu.reporterror("error fetching subscription: " + code); return; } // `subscription == null` if the `(scope, principal)` pair doesn't have a // push subscription.
... example pushservice.unsubscribe( "chrome://my-module/push", scriptsecuritymanager.getsystemprincipal(), (code, ok) => { if (!components.issuccesscode(code)) { cu.reporterror("error unsubscribing: " + code); return; } // `ok === true` if the subscription was removed, or `false` if the // `(scope, principal)` pair didn't have a subscription.
... pushservice.subscribe( this.scope, scriptsecuritymanager.getsystemprincipal(), (code, subscription) => { // ...

XPCOM Interface Reference by grouping
security this section contains apis for secure channel communications system this section contains application level interfaces including calls to external support elements (such as device calls).
...isupportspruint16 nsisupportspruint32 nsisupportspruint64 nsisupportspruint8 nsisupportsstring nsisupportsvoid nsisupportsweakreference nsivariant do not use nsienumerator nsiinprocesscontentframemessagemanager nsiscriptableio nsixpcscriptable future nsixmlhttprequestupload obsolete nsixmlrpcclient nsixmlrpcfault security auth nsiauthmodule nsiauthprompt nsiauthpromptprovider nsiauthpromptwrapper nsiasyncverifyredirectcallback content nsicontentpolicy credentials nsilogininfo nsiloginmanager using nsiloginmanager nsiloginmanagerstorage nsiloginmetainfo hi...
...service nsiprotocolhandler nsiprotocolproxycallback nsiprotocolproxyfilter nsiprotocolproxyservice nsiproxyinfo preferences nsiiniparser nsiiniparserfactory nsiprefbranch nsiprefbranch2 nsipreflocalizedstring nsiprefservice nsistringbundle nsistringbundleservice security cookies nsicookie nsicookie2 nsicookieacceptdialog nsicookieconsent nsicookiemanager nsicookiemanager2 nsicookiepermission nsicookiepromptservice nsicookieservice nsicookiestorage nsisessionstore crypto ...
... nsicryptohash filter nsiparentalcontrolsservice nsipermission nsipermissionmanager nsisecuritycheckedcomponent ssl nsisslerrorlistener stream stream nsipipe nsitraceablechannel nsitransport nsitransporteventsink nsitransportsecurityinfo timer nsitimer nsitimercallback ui windows nsitaskbarpreview nsitaskbarpreviewbutton nsitaskbarpreviewcontroller nsitaskbarprogress nsitaskbartabprevi...

Mozilla
browser security an important aspect of developing code for any browser, including firefox, as well as any web-oriented project, is its security.
... mozilla web services security model (this document is being compiled from scattered documentation and source code and most of the information in it has not been verified.
... please do not depend on anything in it being correct for security.) namespace below, find links to articles about c++ classes mozilla uses within various namespaces, primarily the mozilla namespace.
...it is intended primarily for developers, and deliberately omits some topics that will be important in any redis deployment, like security and backups.

Network request details - Firefox Developer Tools
the tabs at the top of this pane enable you to switch between the following pages: headers messages (only for websocket items) cookies params response cache timings security (only for secure pages) stack trace (only when the request has a stack trace, e.g.
...see https://en.wikipedia.org/wiki/special:centralautologin/p3p for more info.\"" }, { "name": "server", "value": "mw1316.eqiad.wmnet" }, { "name": "server-timing", "value": "cache;desc=\"pass\"" }, { "name": "strict-transport-security", "value": "max-age=106384710; includesubdomains; preload" }, { "name": "vary", "value": "accept-encoding,treat-as-untrusted,x-forwarded-proto,cookie,authorization,x-seven" }, { "name": "via", "value": "1.1 varnish (varnish/5.1), 1.1 varnish (varnish/5.1)" }, { "name": "x-analytics", "value": "ns=-1;specia...
... security tab if the site is being served over https, you get an extra tab labeled "security".
... this contains details about the secure connection used including the protocol, the cipher suite, and certificate details: the security tab shows a warning for security weaknesses.

Network request list - Firefox Developer Tools
if the request used ssl/tls and the connection had security weaknesses such as weak ciphers, you'll see a warning triangle next to the domain.
... there's an icon next to the domain that gives you extra information about the security status of that request.
... see security icons.
... image thumbnails if the request is for an image, hovering over its filename shows a preview of the image in a tooltip: security icons the network monitor displays an icon in the domain column: this gives you extra information about the security status of the request: icon meaning https weak https (for example, a weak cipher was used) failed https (for example, a certificate was invalid) http localhost indicates that the url ...

DirectoryEntrySync - Web APIs
security_err the browser determined that it was not safe to look up the metadata.
... security_err the application does not have permission to access the element referred to by path.
... security_err the application does not have permission to access the element referred to by path.
... security_err the application does not have permission to access the target directory, its parent, or some of its contents.

Element.innerHTML - Web APIs
security considerations it is not uncommon to see innerhtml used to insert text into a web page.
... there is potential for this to become an attack vector on a site, creating a potential security risk.
... however, there are ways to execute javascript without using <script> elements, so there is still a security risk whenever you use innerhtml to set strings over which you have no control.
... warning: if your project is one that will undergo any form of security review, using innerhtml most likely will result in your code being rejected.

FileError - Web APIs
don't run your app from file:// for security reasons, browsers do not allow you to run your app from file://.
...when you're just testing your app, and you don't want to set up a web server, you can bypass the security restriction on chrome.
... security_err 2 access to the files were denied for one of the following reasons: the files might be unsafe for access within a web application.
... other unspecified security error code or situations.

FileSystemDirectoryEntry.removeRecursively() - Web APIs
fileerror.security_err the directory could not be removed for security reasons.
... other security concerns as raised by the user agent or the operating system.
...ernetremoverecursively deprecatednon-standardchrome full support 8edge full support 79firefox no support 50 — 52notes no support 50 — 52notes notes while the removerecursively() method existed, it immediately called the error callback with ns_error_dom_security_err.ie no support noopera no support nosafari no support nowebview android full support ≤37chrome android full support 18firefox android no support ...
... 50 — 52notes no support 50 — 52notes notes while the removerecursively() method existed, it immediately called the error callback with ns_error_dom_security_err.opera android no support nosafari ios no support nosamsung internet android full support yeslegend full support full support no support no supportnon-standard.

Introduction to the File and Directory Entries API - Web APIs
it also describes restrictions that raise security errors if you ignore them.
... restrictions for security reasons, browsers impose restrictions on file access.
... if you ignore them, you will get security errors.
... the security boundary imposed on file system prevents applications from accessing data with a different origin.

Reporting API - Web APIs
the reporting api provides a generic reporting mechanism for web applications to use to make reports available based on various platform features (for example content security policy, feature-policy, or feature deprecation reports) in a consistent manner.
...such information can include: content security policy violations.
... occurrence of user-agent interventions (when the browser blocks something your code is trying to do because it is deemed a security risk for example, or just plain annoying, like auto-playing audio).
...for security or user annoyance reasons.

Using WebRTC data channels - Web APIs
since all webrtc components are required to use encryption, any data transmitted on an rtcdatachannel is automatically secured using datagram transport layer security (dtls).
... see security below for more information.
... security all data transferred using webrtc is encrypted.
... in the case of rtcdatachannel, the encryption used is datagram transport layer security (dtls), which is based on transport layer security (tls).

Writing WebSocket servers - Web APIs
section 10 discusses security and you should definitely peruse it before exposing your server.
...the server must be careful to understand everything the client asks for, otherwise security issues can occur.
...you can use this header for security (checking for same origin, automatically allowing or denying, etc.) and send a 403 forbidden if you don't like what you see.
...this is important because security issues might arise if the server accepts a websockets connection but interprets the data as a http request.

Using Web Workers - Web APIs
content security policy workers are considered to have their own execution context, distinct from the document that created them.
... for this reason they are, in general, not governed by the content security policy of the document (or parent worker) that created them.
... so for example, suppose a document is served with the following header: content-security-policy: script-src 'self' among other things, this will prevent any scripts it includes from using eval().
... to specify a content security policy for the worker, set a content-security-policy response header for the request which delivered the worker script itself.

<iframe>: The Inline Frame element - HTML: Hypertext Markup Language
see the article privacy, permissions, and information security for details on security issues and how <iframe> works with feature policy to keep systems safe.
... csp a content security policy enforced for the embedded resource.
... strict-origin: only send the origin of the document as the referrer when the protocol security level stays the same (https→https), but don't send it to a less secure destination (https→http).
... strict-origin-when-cross-origin: send a full url when performing a same-origin request, only send the origin when the protocol security level stays the same (https→https), and send no header to a less secure destination (https→http).

<link>: The External Resource Link element - HTML: Hypertext Markup Language
for example: <link href="print.css" rel="stylesheet" media="print"> <link href="mobile.css" rel="stylesheet" media="screen and (max-width: 600px)"> some interesting new performance and security features have been added to the <link> element too.
... when using <link> to establish a favicon for a site, and your site uses a content security policy (csp) to enhance its security, the policy applies to the favicon.
... if you encounter problems with the favicon not loading, verify that the content-security-policy header's img-src directive is not preventing access to it.
...it specifies the type of content being loaded by the <link>, which is necessary for request matching, application of correct content security policy, and setting of correct accept request header.

Evolution of HTTP - HTTP
relaxing the security-model of the web http is independent of the security model of the web, the same-origin policy.
... in fact, the current web security model has been developed after the creation of http!
...these are defined in specifications like cross-origin resource sharing (cors) or the content security policy (csp).
... the introduction of security-related prefixes in the cookie header, now helps guarantee a secure cookie has not been altered.

CSP: child-src - HTTP
the http content-security-policy (csp) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
... syntax one or more sources can be allowed for the child-src policy: content-security-policy: child-src <source>; content-security-policy: child-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation cases given this csp header: content-security-policy: child-src https://example.com/ this <iframe> and worker are blocked and won't load: <iframe src="https://not-example.com"></iframe> <script> var blockedworker = new worker("data:application/javascript,..."); </script> specifications specification status comment content security policy level 3the definition of 'child-src' in that specification.
... content security policy level 2the definition of 'child-src' in that specification.

CSP: font-src - HTTP
the http content-security-policy (csp) font-src directive specifies valid sources for fonts loaded using @font-face.
... syntax one or more sources can be allowed for the font-src policy: content-security-policy: font-src <source>; content-security-policy: font-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation cases given this csp header: content-security-policy: font-src https://example.com/ the following font resource loading is blocked and won't load: <style> @font-face { font-family: "myfont"; src: url("https://not-example.com/font"); } body { font-family: "myfont"; } </style> specifications specification status comment content security policy level 3the definition of 'font-src' in that specifica...
... content security policy level 2the definition of 'font-src' in that specification.

CSP: frame-ancestors - HTTP
the http content-security-policy (csp) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
... syntax one or more sources can be set for the frame-ancestors policy: content-security-policy: frame-ancestors <source>; content-security-policy: frame-ancestors <source> <source>; sources <source> can be one of the following: the frame-ancestors directive’s syntax is similar to a source list of other directives (e.g.
... examples content-security-policy: frame-ancestors 'none'; content-security-policy: frame-ancestors 'self' https://www.example.org; specifications specification status comment content security policy level 3the definition of 'frame-ancestors' in that specification.
... content security policy level 2the definition of 'frame-ancestors' in that specification.

CSP: frame-src - HTTP
the http content-security-policy (csp) frame-src directive specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe>.
... syntax one or more sources can be allowed for the frame-src policy: content-security-policy: frame-src <source>; content-security-policy: frame-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation cases given this csp header: content-security-policy: frame-src https://example.com/ the following <iframe> is blocked and won't load: <iframe src="https://not-example.com/"></iframe> specifications specification status comment content security policy level 3the definition of 'frame-src' in that specification.
... content security policy level 2the definition of 'frame-src' in that specification.

CSP: img-src - HTTP
the http content-security-policy img-src directive specifies valid sources of images and favicons.
... syntax one or more sources can be allowed for the img-src policy: content-security-policy: img-src <source>; content-security-policy: img-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation cases given this csp header: content-security-policy: img-src https://example.com/ the following <img> is blocked and won't load: <img src="https://not-example.com/foo.jpg" alt="example picture"> specifications specification status comment content security policy level 3the definition of 'img-src' in that specification.
... content security policy level 2the definition of 'img-src' in that specification.

CSP: media-src - HTTP
the http content-security-policy (csp) media-src directive specifies valid sources for loading media using the <audio> and <video> elements.
... syntax one or more sources can be allowed for the media-src policy: content-security-policy: media-src <source>; content-security-policy: media-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation cases given this csp header: content-security-policy: media-src https://example.com/ the following <audio>, <video> and <track> elements are blocked and won't load: <audio src="https://not-example.com/audio"></audio> <video src="https://not-example.com/video"> <track kind="subtitles" src="https://not-example.com/subtitles"> </video> specifications specification status comment content security policy level 3...
... content security policy level 2the definition of 'media-src' in that specification.

CSP: navigate-to - HTTP
the http content-security-policy (csp) navigate-to directive restricts the urls to which a document can initiate navigations by any means including <form> (if form-action is not specified), <a>, window.location, window.open, etc.
... syntax one or more sources can be set for the navigate-to policy: content-security-policy: navigate-to <source>; content-security-policy: navigate-to <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples meta tag configuration <meta http-equiv="content-security-policy" content="navigate-to 'none'"> violation case using a <form> element with an action set to inline javascript will result in a csp violation.
... <meta http-equiv="content-security-policy" content="navigate-to 'none'"> <form action="javascript:alert('foo')" id="form1" method="post"> <input type="text" name="fieldname" value="fieldvalue"> <input type="submit" id="submit" value="submit"> </form> specifications specification status comment content security policy level 3the definition of 'navigate-to' in that specification.

CSP: plugin-types - HTTP
the http content-security-policy (csp) plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.
... syntax one or more mime types can be set for the plugin-types policy: content-security-policy: plugin-types <type>/<subtype>; content-security-policy: plugin-types <type>/<subtype> <type>/<subtype>; <type>/<subtype> a valid mime type.
... <meta http-equiv="content-security-policy" content="object-src 'none'"> allowing flash content the content security policy content-security-policy: plugin-types application/x-shockwave-flash will allow to load flash objects: <object data="https://example.com/flash" type="application/x-shockwave-flash"></object> allowing java applets to load an <applet> you must specify application/x-java-applet: content-security-policy: plugin-types application/x-java-applet specifications specification status comment content security policy level 3th...
... content security policy level 2the definition of 'plugin-types' in that specification.

CSP: report-to - HTTP
the content-security-policy report-to http response header field instructs the user agent to store reporting endpoints for an origin.
... content-security-policy: ...; report-to groupname the directive has no effect in and of itself, but only gains meaning in combination with other directives.
... syntax content-security-policy: report-to <json-field-value>; examples see content-security-policy-report-only for more information and examples.
... report-to: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/csp-reports" } ] }, { "group": "hpkp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/hpkp-reports" } ] } content-security-policy: ...; report-to csp-endpoint report-to: { "group": "endpoint-1", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/reports" }, { "url": "https://backup.com/reports" } ] } content-security-policy: ...; report-to endpoint-1 ...

CSP: upgrade-insecure-requests - HTTP
the http content-security-policy (csp) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure urls (those served over http) as though they have been replaced with secure urls (those served over https).
... the upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to https for the top-level navigation and thus does not replace the strict-transport-security (hsts) header, which should still be set with an appropriate max-age to ensure that users are not subject to ssl stripping attacks.
... syntax content-security-policy: upgrade-insecure-requests; examples // header content-security-policy: upgrade-insecure-requests; // meta tag <meta http-equiv="content-security-policy" content="upgrade-insecure-requests"> with the above header set on a domain example.com that wants to migrate from http to https, non-navigational insecure resource requests are automatically upgraded (first-party as well as third-party requests).
... <img src="https://example.com/image.png"> <img src="https://not-example.com/image.png"> navigational upgrades to third-party resources brings a significantly higher potential for breakage, these are not upgraded: <a href="https://example.com/">home</a> <a href="http://not-example.com/">home</a> finding insecure requests with the help of the content-security-policy-report-only header and the report-uri directive, you can set-up an enforced policy and a reported policy like this: content-security-policy: upgrade-insecure-requests; default-src https: content-security-policy-report-only: default-src https:; report-uri /endpoint that way, you still upgrade insecure requests on your secure site, but the only monitoring policy is violated and reports ins...

CSP: worker-src - HTTP
the http content-security-policy (csp) worker-src directive specifies valid sources for worker, sharedworker, or serviceworker scripts.
... syntax one or more sources can be allowed for the worker-src policy: content-security-policy: worker-src <source>; content-security-policy: worker-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation cases given this csp header: content-security-policy: worker-src https://example.com/ worker, sharedworker, serviceworker are blocked and won't load: <script> var blockedworker = new worker("data:application/javascript,..."); blockedworker = new sharedworker("https://not-example.com/"); navigator.serviceworker.register('https://not-example.com/sw.js'); </script> specifications specification status comment ...
... content security policy level 3the definition of 'worker-src' in that specification.

Referrer-Policy - HTTP
the origin, path, and querystring of the url are sent as a referrer when the protocol security level stays the same (http→http, https→https) or improves (http→https), but isn't sent to less secure destinations (https→http).
... strict-origin only send the origin of the document as the referrer when the protocol security level stays the same (https→https), but don't send it to a less secure destination (https→http).
... strict-origin-when-cross-origin send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (https→https), and send no header to any less-secure destinations (https→http).
... unsafe-url send the origin, path, and query string when performing any request, regardless of security.

HTTP headers - HTTP
security cross-origin-embedder-policy (coep) allows a server to declare an embedder policy for a given document.
... content-security-policy (csp) controls resources the user agent is allowed to load for a given page.
... content-security-policy-report-only allows web developers to experiment with policies by monitoring, but not enforcing, their effects.
... strict-transport-security (hsts) force communication using https instead of http.

HTTP resources and specifications - HTTP
proposed standard rfc 7239 forwarded http extension proposed standard rfc 6455 the websocket protocol proposed standard rfc 5246 the transport layer security (tls) protocol version 1.2 this specification has been modified by subsequent rfcs, but these modifications have no effect on the http protocol.
... proposed standard rfc 8446 the transport layer security (tls) protocol version 1.3 supersedes tls 1.2.
... proposed standard rfc 2817 upgrading to tls within http/1.1 proposed standard rfc 7540 hypertext transfer protocol version 2 (http/2) proposed standard rfc 7541 hpack: header compression for http/2 on the standard track rfc 7838 http alternative services on the standard track rfc 7301 transport layer security (tls) application-layer protocol negotiation extension used to negotiate http/2 at the transport to save an extra request/response round trip.
... cross-origin resource sharing living standard rfc 7034 http header field x-frame-options informational rfc 6797 http strict transport security (hsts) proposed standard upgrade insecure requests upgrade insecure requests candidate recommendation content security policy 1.0 content security policy 1.0 csp 1.1 and csp 3.0 doesn't extend the http standard obsolete microsoft document specifying legacy document modes* defines x-ua-compatible note rfc 5689 http extensions for web distributed authoring and versioning (webdav) these extensions of the web, a...

Common Pitfalls - Archive of obsolete content
how to do security checks for uri loads before loading a uri, one of two security checks needs to be performed: if the uri is a string that will be loaded via passing the string to nsiwebnavigation::loaduri, the one must call checkloaduristrwithprincipal and pass the principal that the uri originates from as the first argument and the uri string as the second argument.
...if there is no nsiuri object on hand, it is secure to call checkloaduristrwithprincipal, but this will perform a more stringent security check than is strictly necessary.
... what not to do all other security checks (including calls to checkloaduri and checkloaduristr) are incorrect, because they do not properly capture the originating principal.

Install Manifests - Archive of obsolete content
note: extensions compatible with firefox 3.5 should specify a maxversion of 3.5.*, so that they are automatically compatible with security and stability updates.
...</description> updatekey to ensure the security of update rdf data that is retrieved over plain http you must use a digital signature to verify the contents of the data.
... for security reasons, gecko 1.9 applications require that if you specify an updateurl, it must be an https url, or you must include an updatekey.

Chapter 4: Using XPCOM—Implementing advanced processes - Archive of obsolete content
listing 2: setting privileges netscape.security.privilegemanager.enableprivilege('universalxpconnect'); note: this is unneeded when the code is part of an extension, and will result in rejection if submitted to addons.mozilla.org.
...c:\users\username\appdata\roaming\mozilla\firefox\profiles\random number.default\ ; on windows xp or 2000, it will be c:\documents and settings\username\application data\mozilla\firefox\profiles\random number.default\ ; on linux, it will be ~/.mozilla/firefox/random number.default/ ; on mac os x, it will be ~/library/application support/firefox/profiles/random number.default/ in the interests of security, delete these lines from prefs.js after finishing these tests.
... listing 4: get active browser window netscape.security.privilegemanager .enableprivilege('universalxpconnect'); var windowmediator = components .classes['@mozilla.org/appshell/window-mediator;1'] .getservice(components.interfaces.nsiwindowmediator); var browser = windowmediator.getmostrecentwindow('navigator:browser'); alert(browser.gbrowser.mtabs.length); get overview of all windows with a certain type use the nsiwindowmediator.getenumer...

Connecting to Remote Content - Archive of obsolete content
json used to be risky in terms of security because the favored way of parsing it was to use the javascript eval function.
... since eval executes any code contained in the string, workarounds had to be devised in order to close security holes.
... note: security should be your number one priority when handling remote content.

MCD, Mission Control Desktop, AKA AutoConfig - Archive of obsolete content
[root@calaz firefox]# cat firefox.cfg //put everything in a try/catch try { //privacy & security defaultpref("signon.remembersignons", false); //proxy and cache, as it is on nfs volume, we don't want cache lockpref("browser.cache.disk.capacity", 0); lockpref("network.cookie.cookiebehavior", 0); defaultpref("network.proxy.autoconfig_url", "http://wpad.int-evry.fr/wpad.dat"); defaultpref("network.proxy.type", 2); lockpref("network.protocol-handler.app.mailto", "/usr/bin/thunderbird"); //fire...
... [root@b008-02 /usr/lib/firefox-1.5.0.2] $cat firefox.cfg //put everything in a try/catch try { //privacy & security defaultpref("signon.remembersignons", false); // 1) env variables if(getenv("user") != "") { // *nix settings var env_user = getenv("user"); var env_home = getenv("home"); } else { // windows settings var env_user = getenv("username"); var env_home = getenv("homepath"); } var env_mozdebug = getenv("mozilla_debug"); /* 2) define here (because if set after "3)" below it doesn't work!)...
...e_override", true); lockpref("startup.homepage_override_url", "http://www.int-evry.fr/s2ia/portail/"); //unlockpref("startup.homepage_override_url"); lockpref("browser.cache.disk.capacity", 100); lockpref("network.cookie.cookiebehavior", 0); //network preferences lockpref("network.proxy.autoconfig_url", "http://www.int-evry.fr/local/config.proxy"); lockpref("network.proxy.type", 2); //privacy & security defaultpref("signon.remembersignons", false); //account lockpref("mail.account.account1.identities", "id1"); lockpref("mail.account.account1.server", "server1"); lockpref("mail.account.account2.server", "server2"); lockpref("mail.account.account3.server", "server3"); lockpref("mail.accountmanager.accounts", "account1,account2,account3"); lockpref("mail.accountmanager.defaultaccount", "account1")...

Mozilla Application Framework in Detail - Archive of obsolete content
applications that want to access the various mozilla xpcom libraries (networking, security, dom, etc.) use a special layer of xpcom called xpconnect, which reflects the library interfaces into javascript (or other languages).
...file i/o, security, password management, and profiles are also separate xpcom components that you can use in your own application development.
...mozilla engineers have written and are in the process of refining a new security model for web services that will ease the deployment of applications using web services while maintaining the security of sites inside the user's firewall.

Plug-n-Hack Phase1 - Archive of obsolete content
plug-n-hack (pnh) phase 1 allows easier integration and defines how security tools can advertise their capabilities to browsers.
... security tool manifest to support pnh-1 security tools provide a manifest over http(s) which defines the capabilities that the browser can make use of.
...security tool commands manifest an example commands manifest (for owasp zap) is: https://code.google.com/p/zap-extensions/source/browse/branches/beta/src/org/zaproxy/zap/extension/plugnhack/resource/service.json firefox ui in firefox the tool commands will be made available via the developer toolbar (gcli) https://developer.mozilla.org/docs/tools/gcli a example of how the zap commands are currently displa...

iframe - Archive of obsolete content
this can be a serious security vulnerability, for example if you use src="http://...".
... when used in this case, please see displaying web content in an extension without security issues.
...don't use for content from web, as this may cause serious security problems!

Introduction to SSL - Archive of obsolete content
the ssl protocol ciphers used with ssl the ssl handshake the new internet engineering task force (ietf) standard protocol called transport layer security (tls) is based on ssl.
...although the fourth question is not technically part of the ssl protocol, it is the client's responsibility to support this requirement, which provides some assurance of the server's identity and thus helps protect against a form of security attack known as "man in the middle." an ssl-enabled client goes through these steps to authenticate a server's identity: is today's date within the validity period?
...although step 4 is not technically part of the ssl protocol, it provides the only protection against a form of security attack known as "man in the middle." clients must perform this step and must refuse to authenticate the server or establish a connection if the domain names don't match.

SSL and TLS - Archive of obsolete content
the secure sockets layer (ssl) and transport layer security (tls) protocols are universally accepted standards for authenticated and encrypted communication between clients and servers.
... note: longer rsa keys are required to provide security as computing capabilities increase.
... bits of security rsa key length ecc key length table 1: comparison of rsa and ecc cipher strength 80 1024 160-223 112 2048 224-255 128 3072 256-383 192 7860 384-511 256 15360 512+ the information in this table is from the national institute of standards and technology (nist).

Browser Detection and Cross Browser Support - Archive of obsolete content
this is due to the history of security exploits that have been discovered in older browsers.
...these methods should only be used in circumstances which can not be handled by using object feature detection such as when specific versions of gecko must be excluded for security reasons.
...if you are concerned about a specific security issue in gecko and know for example that all gecko browsers contain a fix for the issue after a certain date, you can check that the navigator.productsub value is after that date.

Obsolete: XPCOM-based scripting for NPAPI plugins - Archive of obsolete content
this class should also inherit from nsiclassinfo and implement its methods to be able to request all necessary privileges from the mozilla security manager (see example 2).
...scriptable instance class #include "nsitestplugin.h" #include "nsiclassinfo.h" // we must implement nsiclassinfo because it signals the // mozilla security manager to allow calls from javascript.
... // helper class to implement all necessary nsiclassinfo method stubs // and to set flags used by the security system class nsclassinfomixin : public nsiclassinfo { // these flags are used by the dom and security systems to signal that // javascript callers are allowed to call this object's scritable methods.

CSP - MDN Web Docs Glossary: Definitions of Web-related terms
a csp (content security policy) is used to detect and mitigate certain types of website related attacks like xss and data injections.
... the implementation is based on an http header called content-security-policy.
... learn more general knowledge content security policy on wikipedia technical knowledge content security policy documentation on mdn ...

HSTS - MDN Web Docs Glossary: Definitions of Web-related terms
http strict transport security lets a web site inform the browser that it should never load the site using http and should automatically convert all attempts to access the site using http to https requests instead.
... it consists in one http header, strict-transport-security, sent by the server with the resource.
... learn more strict-transport-security owasp article: http strict transport security wikipedia: http strict transport security ...

MDN Web Docs Glossary: Definitions of Web-related terms
developer tools dhtml digest digital certificate distributed denial of service dmz dns doctype document directive document environment dom (document object model) domain domain name domain sharding dominator dos attack dtls (datagram transport layer security) dtmf (dual-tone multi-frequency signaling) dynamic programming language dynamic typing e ecma ecmascript effective connection type element empty element encapsulation encryption endianness engine entity entity header event exception ...
... sdp search engine second-level domain secure sockets layer (ssl) selector (css) self-executing anonymous function semantics seo serialization server server timing session hijacking sgml shadow tree shim signature signature (functions) signature (security) simd simple header simple response header sisd site site map sld sloppy mode slug smoke test smpte (society of motion picture and television engineers) smtp snap positions soap spa (single-page application) specification speculative parsing ...
... synchronous syntax syntax error synthetic monitoring t tag tcp tcp handshake tcp slow start telnet texel thread three js time to first byte time to interactive tld tofu transmission control protocol (tcp) transport layer security (tls) tree shaking trident truthy ttl turn type type coercion type conversion u udp (user datagram protocol) ui undefined unicode uri url urn usenet user agent utf-8 ux v validator ...

The HTML5 input types - Learn web development
but it should not be considered an exhaustive security measure!
... your apps should always perform security checks on any form-submitted data on the server-side as well as the client-side, because client-side validation is too easy to turn off, so malicious users can still easily send bad data through to your server.
... read website security for an idea of what could happen; implementing server-side validation is somewhat beyond the scope of this module, but you should bear it in mind.

Introduction to web APIs - Learn web development
they have additional security mechanisms where appropriate webapi features are subject to the same security considerations as javascript and other web technologies (for example same-origin policy), but they sometimes have additional security mechanisms in place.
...as an example, the notifications api asks for permission using a pop-up dialogue box: the web audio and htmlmediaelement apis are subject to a security mechanism called autoplay policy — this basically means that you can't automatically play audio when a page loads — you've got to allow your users to initiate audio play through a control like a button.
... note: depending on how strict the browser is, such security mechanisms might even stop the example from working locally, i.e.

Server-side website programming first steps - Learn web development
finally, we provide a high-level introductory article about web server security.
... website security website security requires vigilance in all aspects of website design and usage.
... this introductory article won't make you a website security guru, but it will help you understand the first important steps you can take to protect your web application against the most common threats.

Error codes returned by Mozilla APIs
ns_error_dom_invalid_expression_err (0x805b0033) ns_error_dom_type_err (0x805b0034) ns_error_dom_security_err (0x805303e8) ns_error_dom_secman_err (0x805303e9) ns_error_dom_wrong_type_err (0x805303ea) ns_error_dom_not_object_err (0x805303eb) ns_error_dom_not_xpc_object_err (0x805303ec) ns_error_dom_not_number_err (0x805303ed) ns_error_dom_not_boolean_err (0x805303ee) ns_error_dom_not_function_err (0x805303ef) ns_error_dom_too_few_parameters_err (0x805303f0) ns_erro...
...r_xpc_javascript_error (0x80570020) ns_error_xpc_javascript_error_with_details (0x80570021) ns_error_xpc_cant_convert_primitive_to_array (0x80570022) ns_error_xpc_cant_convert_object_to_array (0x80570023) ns_error_xpc_not_enough_elements_in_array (0x80570024) ns_error_xpc_cant_get_array_info (0x80570025) ns_error_xpc_not_enough_chars_in_string (0x80570026) ns_error_xpc_security_manager_veto (0x80570027) ns_error_xpc_interface_not_scriptable (0x80570028) ns_error_xpc_interface_not_from_nsisupports (0x80570029) ns_error_xpc_cant_get_jsobject_of_dom_object (0x8057002a) ns_error_xpc_cant_set_read_only_constant (0x8057002b) ns_error_xpc_cant_set_read_only_attribute (0x8057002c) ns_error_xpc_cant_set_read_only_method (0x8057002d) ns_error_xpc_cant_...
...0001) ns_error_schemavalidator_no_dom_node_specified (0x80640002) ns_error_schemavalidator_no_type_found (0x80640003) ns_error_schemavalidator_type_not_found (0x80640004) note: there are other errors in these files: gfx/public/nsidevicecontext.h base/public/nsneterror.h parser/htmlparser/public/nsiparser.h layout/base/nslayouterrors.h profile/public/nsiprofileinternal.idl security/manager/ssl/public/nsicmsmessageerrors.idl directory/xpcom/base/public/nsildaperrors.idl content/base/public/nscontenterrors.h see also mozilla error lookup lets you quickly look up the error name by its code in different formats.

Midas
see: more about security preferences note: the shortcut key will automatically trigger this command (typically accel-c) with or without the signed js or any code on the page to handle it.
...see: more about security preferences note: the shortcut key will automatically trigger this command (typically accel-x) with or without the signed js or any code on the page to handle it.
...user_pref("capability.policy.policynames", "allowclipboard"); user_pref("capability.policy.allowclipboard.clipboard.paste", "allaccess"); see: more about security preferences note: the shortcut key will automatically trigger this command (typically accel-v) with or without the signed js or any code on the page to handle it.

Named Shared Memory
security considerations on unix platforms, depending on implementation, contents of the backing store for the shared memory can be exposed via the file system.
... set permissions and or access controls at create and attach time to ensure you get the desired security.
... on windows platforms, no special security measures are provided.

An overview of NSS Internals
a high-level overview to the internals of network security services (nss) software developed by the mozilla.org projects traditionally used its own implementation of security protocols and cryptographic algorithms, originally called netscape security services, nowadays called network security services (nss).
...the intention is to make it easier to review code for security.
...nss has an ssl/tls module that implements the secure sockets layer/transport layer security network protocols, an s/mime module that implements cms messaging used by secure email and some instant messaging implementations, a dbm library that implements the classic database storage, and finally a core nss library for the big set of “everything else”.

Getting Started With NSS
how to get involved with nss network security services (nss) is a base library for cryptographic algorithms and secure network protocols used by mozilla software.
... would you like to get involved and help us to improve the core security of mozilla firefox and other applications that make use of nss?
...you can find them in subdirectory mozilla/security/nss/cmd or have a look at some basic nss sample code.

Build instructions for JSS 4.3.x
build instructions for jss 4.3.x newsgroup: mozilla.dev.tech.crypto before building jss, you need to set up your system as follows: build nspr/nss by following the nspr/nss build instructions, to check that nss built correctly, run all.sh (in mozilla/security/nss/tests) and examine the results (in mozilla/test_results/security/computername.#/results.html.
... cvs co -r jss_4_3_1_rtm mozilla/security/jss or cvs co -r jss_4_3_rtm mozilla/security/jss setup environment variables needed for compiling java source.
... cd mozilla/security/jss gmake sign the jss jar.

Using JSS
re library name description binary release location nspr4 nspr os abstraction layer http://ftp.mozilla.org/pub/mozilla.org/nspr/releases plc4 nspr standard c library replacement functions plds4 nspr data structure types nss3 nss crypto, pkcs #11, and utilities http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases ssl3 nss ssl library smime3 nss s/mime functions and types nssckbi pkcs #11 module containing built-in root ca certificates.
...if you are downloading binaries, get it from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/.
... if you are downloading binaries, get jss42.jar from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/.

JSS 4.4.0 Release Notes
introduction the java security services (jss) team has released jss 4.4.0, which is a minor release.
...jss 4.4.0 requires netswork security services (nss) 3.29.1 and netscape portable runtime (nspr) 4.13.1 or newer.
... jss 4.4.0 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/jss_4_4_0_rtm/src/ new in jss 4.40 new functionality new functions new macros notable changes in jss 4.40 picks up work done downstream for fedora and rhel and used by various linux distributions with includes:.

NSS_3.11.10_release_notes.html
nss 3.11.10 release notes 2008-12-10 newsgroup: <ahref="news: mozilla.dev.tech.crypto"="" news.mozilla.org="">mozilla.dev.tech.crypto</ahref="news:> contents introduction distribution information bugs fixed documentation compatibility feedback introduction network security services (nss) 3.11.10 is a patch release for nss 3.11.
...nss 3.11.10 source and binary distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_11_10_rtm/src/.
... binary distributions: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_11_10_rtm/.

NSS_3.12.1_release_notes.html
nss 3.12.1 release notes 2008-09-05 newsgroup: mozilla.dev.tech.crypto contents introduction distribution information new in nss 3.12.1 bugs fixed documentation compatibility feedback introduction network security services (nss) 3.12.1 is a patch release for nss 3.12.
...nss 3.12.1 source and binary distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_1_rtm/src/.
... binary distributions: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_1_rtm/.

NSS 3.12.4 release notes
<center> 2009-08-20 </center> <center>newsgroup: mozilla.dev.tech.crypto</center> introduction network security services (nss) 3.12.4 is a patch release for nss 3.12.
...nss 3.12.4 source is also available on ftp.mozilla.org for secure https download: source tarball: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_4_rtm/src/.
...whenever value exceeds 384 bytes bug 487736: libpkix passes wrong argument to der_decodetimechoice and crashes bug 487858: remove obsolete build options mozilla_security_build and mozilla_bsafe_build bug 487884: object leak in libpkix library upon error bug 488067: pk11_importcrl reports sec_error_crl_not_found when it fails to import a crl bug 488350: nspr-free freebl interface need to do post tests only in fips mode.

NSS 3.12.5 release_notes
nss 3.12.5 release notes 2009-12-02 newsgroup: mozilla.dev.tech.crypto introduction network security services (nss) 3.12.5 is a patch release for nss 3.12.
... nss 3.12.5 source is also available on ftp.mozilla.org for secure https download: source tarball: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_5_rtm/src/.
... new in nss 3.12.5 ssl3 & tls renegotiation vulnerability see cve-2009-3555 and us-cert vu#120541 for more information about this security vulnerability.

NSS 3.14.2 release notes
network security services (nss) 3.14.2 is a patch release for nss 3.14.
...the release is available for download from https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_14_2_rtm/src/ for the primary nss documentation pages please visit /docs/nss new in nss 3.14.2 nss will now make use of the intel aes-ni and avx instruction sets for hardware-accelerated aes-gcm on 64-bit linux systems.
... bug 816853 - when using libpkix for certificate validation, applications may now supply additional application-defined trust anchors to be used in addition to those from loaded security tokens, rather than as an alternative to.

NSS 3.16.2.1 release notes
introduction network security services (nss) 3.16.2.1 is a patch release for nss 3.16, based on the nss 3.16.2 release.
... nss 3.16.2.1 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_2_1_rtm/src/ security advisories the following security-relevant bugs have been resolved in nss 3.16.2.1.
... bugs fixed in nss 3.16.2.1 bug 1064636 - (cve-2014-1568) rsa signature forgery in nss acknowledgements the nss development team would like to thank antoine delignat-lavaud, security researcher at inria paris in team prosecco, and the advanced threat research team at intel security, who both independently discovered and reported this issue, for responsibly disclosing the issue by providing advance copies of their research.

NSS 3.16.4 release notes
introduction network security services (nss) 3.16.4 is a patch release for nss 3.16.
...nss 3.16.4 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_4_rtm/src/ new in nss 3.16.4 this release consists primarily of ca certificate changes as listed below, and includes a small number of bug fixes.
...it was removed in nss 3.16.3, but discussion in the mozilla.dev.security.policy forum led to the decision to keep this root included longer in order to give website administrators more time to update their web servers.

NSS 3.16.5 release notes
introduction network security services (nss) 3.16.5 is a patch release for nss 3.16.
... nss 3.16.5 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_5_rtm/src/ security advisories the following security-relevant bugs have been resolved in nss 3.16.5.
... bugs fixed in nss 3.16.5 bug 1064636 - (cve-2014-1568) rsa signature forgery in nss acknowledgements the nss development team would like to thank antoine delignat-lavaud, security researcher at inria paris in team prosecco, and the advanced threat research team at intel security, who both independently discovered and reported this issue, for responsibly disclosing the issue by providing advance copies of their research.

NSS 3.17.1 release notes
introduction network security services (nss) 3.17.1 is a patch release for nss 3.17.
... nss 3.17.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_17_1_rtm/src/ security advisories the following security-relevant bugs have been resolved in nss 3.17.1.
... bugs fixed in nss 3.17.1 this bugzilla query returns all the bugs fixed in nss 3.17.1: https://bugzilla.mozilla.org/buglist.cgi?resolution=fixed&classification=components&query_format=advanced&product=nss&target_milestone=3.17.1 acknowledgements the nss development team would like to thank antoine delignat-lavaud, security researcher at inria paris in team prosecco, and the advanced threat research team at intel security, who both independently discovered and reported this issue, for responsibly disclosing the issue by providing advance copies of their research.

NSS 3.18.1 release notes
introduction network security services (nss) 3.18.1 is a patch release for nss 3.18.
... nss 3.18.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_18_1_rtm/src/ new in nss 3.18.1 no new functionality is introduced in this release.
... ou = equifax secure certificate authority sha1 fingerprint: d2:32:09:ad:23:d3:14:23:21:74:e4:0d:7f:9d:62:13:97:86:63:3a the following ca certificate was removed after discussion about it in the mozilla.dev.security.policy forum.

NSS 3.19.2.2 release notes
introduction network security services (nss) 3.19.2.2 is a security patch release for nss 3.19.2.
... the bug fixes in nss 3.19.2.2 are described in the "security fixes" section below.
... nss 3.19.2.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_19_2_2_rtm/src/ security fixes in nss 3.19.2.2 bug 1158489 / cve-2015-7575 - prevent md5 downgrade in tls 1.2 signatures.

NSS 3.19.2 release notes
introduction network security services (nss) 3.19.2 is a patch release for nss 3.19 that addresses compatibility issues in nss 3.19.1.
... nss 3.19.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_19_2_rtm/src/ new in nss 3.19.2 new functionality no new functionality is introduced in this release.
...this was done as part of a security fix for bug 1138554 / cve-2015-4000.

NSS 3.20.2 release notes
introduction network security services (nss) 3.20.2 is a security patch release for nss 3.20.
... the bug fixes in nss 3.20.2 are described in the "security fixes" section below.
... nss 3.20.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_20_2_rtm/src/ security fixes in nss 3.20.2 bug 1158489 / cve-2015-7575 - prevent md5 downgrade in tls 1.2 signatures.

NSS 3.21 release notes
the sections "security fixes" and "acknowledgements" have been added.
... introduction the nss team has released network security services (nss) 3.21, which is a minor release.
... nss 3.21 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_21_rtm/src/ security fixes in nss 3.21 bug 1158489 / cve-2015-7575 - prevent md5 downgrade in tls 1.2 signatures.

NSS 3.28.1 release notes
introduction network security services (nss) 3.28.1 is a patch release for nss 3.28.
... nss 3.28.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_28_1_rtm/src/ new in nss 3.28.1 no new functionality is introduced in this release.
... the following ca certificates were removed cn = buypass class 2 ca 1 sha-256 fingerprint: 0f:4e:9c:dd:26:4b:02:55:50:d1:70:80:63:40:21:4f:e9:44:34:c9:b0:2f:69:7e:c7:10:fc:5f:ea:fb:5e:38 cn = root ca generalitat valenciana sha-256 fingerprint: 8c:4e:df:d0:43:48:f3:22:96:9e:7e:29:a4:cd:4d:ca:00:46:55:06:1c:16:e1:b0:76:42:2e:f3:42:ad:63:0e ou = rsa security 2048 v3 sha-256 fingerprint: af:8b:67:62:a1:e5:28:22:81:61:a9:5d:5c:55:9e:e2:66:27:8f:75:d7:9e:83:01:89:a5:03:50:6a:bd:6b:4c the following ca certificates were added ou = ac raiz fnmt-rcm sha-256 fingerprint: eb:c5:57:0c:29:01:8c:4d:67:b1:aa:12:7b:af:12:f7:03:b4:61:1e:bc:17:b7:da:b5:57:38:94:17:9b:93:fa cn = amazon root ca 1 sha-256 f...

NSS 3.38 release notes
introduction the nss team has released network security services (nss) 3.38, which is a minor release.
... nss 3.38 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_38_rtm/src/ new in nss 3.38 new functionality added support for the tls record size limit extension.
... various security fixes in the asn.1 code.

NSS 3.46 release notes
introduction the nss team has released network security services (nss) 3.46 on 30 august 2019, which is a minor release.
... nss 3.46 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_46_rtm/src/ other releases are available in nss releases.
... new in nss 3.46 this release contains no significant new functionality, but concentrates on providing improved performance, stability, and security.

NSS 3.49 release notes
introduction the nss team has released network security services (nss) 3.49 on 3 january 2020, which is a minor release.
... nss 3.49 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_49_rtm/src/ other releases are available in nss releases.
...85189 - nss database uses 3des instead of aes to encrypt db entries bug 1603257 - fix ubsan issue in softoken ckm_nss_chacha20_ctr initialization bug 1590001 - additional hrr tests (cve-2019-17023) bug 1600144 - treat clienthello with message_seq of 1 as a second clienthello bug 1603027 - test that esni is regenerated after helloretryrequest bug 1593167 - intermittent mis-reporting potential security risk sec_error_unknown_issuer bug 1535787 - fix automation/release/nss-release-helper.py on macos bug 1594933 - disable building dbm by default bug 1562548 - improve gcm perfomance on aarch32 this bugzilla query returns all the bugs fixed in nss 3.49: https://bugzilla.mozilla.org/buglist.cgi?resolution=fixed&classification=components&query_format=advanced&product=nss&target_milestone=3.49 ...

NSS 3.51 release notes
introduction the nss team has released network security services (nss) 3.51 on 6 march 2020, which is a minor release.
... nss 3.51 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_51_rtm/src/ other releases are available in nss releases.
... bug 1538980 - secu_readderfromfile calls strstr on a string that isn't guaranteed to be null-terminated bug 1561337 - correct a warning for comparison of integers of different signs: 'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88 bug 1609751 - add test for mp_int clamping bug 1582169 - don't attempt to read the fips_enabled flag on the machine unless nss was built with fips enabled bug 1431940 - fix a null pointer dereference in blake2b_update bug 1617387 - fix compiler warning in secsign.c bug 1618400 - fix a openbsd/arm64 compilation error: unused variable 'getauxval' bug 1610687 ...

NSS 3.53 release notes
introduction the nss team released network security services (nss) 3.53 on 29 may 2020.
... nss 3.53 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_53_rtm/src/ other releases are available in nss releases.
...vsx vector instructions bug 1639033 - fix various compile warnings in nss bug 1640041 - fix a null pointer in security/nss/lib/ssl/sslencode.c:67 bug 1640042 - fix a null pointer in security/nss/lib/ssl/sslsock.c:4460 bug 1638289 - avoid multiple definitions of sha{256,384,512}_* symbols when linking libfreeblpriv3.so in firefox on ppc64le bug 1636389 - relocate deprecated seed algorithm bug 1637083 - lib/ckfw: no such file or directory.

NSS 3.55 release notes
introduction the nss team has released network security services (nss) 3.55 on 24 july 2020, which is a minor release.
... nss 3.55 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_55_rtm/src/ other releases are available in nss releases.
...special thanks to the network and information security group (nisec) at tampere university.

Utilities for nss samples
these utility functions are adapted from those found in the sectool library used by the nss security tools and other nss test applications.
...*/ #ifndef _util_h #define _util_h #include <prlog.h> #include <termios.h> #include <base64.h> #include <unistd.h> #include <sys/stat.h> #include "util.h" #include <prprf.h> #include <prerror.h> #include <nss.h> #include <pk11func.h> /* * these utility functions are adapted from those found in * the sectool library used by the nss security tools and * other nss test applications.
...*/ #include "util.h" /* * these utility functions are adapted from those found in * the sectool library used by the nss security tools and * other nss test applications.

NSS release notes template
draft (remove line when document is finished) introduction the nss team has released network security services (nss) 3.xx, which is a minor release.
... or network security services (nss) 3.xx.y is a patch release for nss 3.xx.
...nss 3.xx source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_xx_rtm/src/ (make a link) new in nss 3.xx new functionality either: no new functionality is introduced in this release.

Notes on TLS - SSL 3.0 Intolerant Servers
you can also avoid such a problem by editing an existing profile -- check the preference option setting at: edit | preferences | privacy and security | ssl | enable tls, and turn it off if it is on for these earlier browsers.
... post a note on your site instructing users of old versions of browsers like netscape 6.0/6.01/6.1 preview release 1 and mozilla 0.9.1 and earlier to turn off the tls option at: edit | preferences | privacy and security | ssl | enable tls.
... when you find a secure site which simply does not display any page content or drops the connection, check to see if the preference option edit | preferences | privacy and security | ssl | enable tls is turned on.

PKCS11 FAQ
what are "generic crypto svcs" (the first item listed when you click the view/edit button for the nss internal pkcs #11 module under security devices under options/security in firefox)?
...first open the tools/options/advanced/security window in mozilla and click security devices.
...mozilla, thunderbird, and netscape products that use nss have different ui to get the the security devices dialog.

Migration to HG
likewise for nss and jss, "mozilla/security" has been removed and files now live at the top level.
... in addition for nss, we have merged the contents of directories mozilla/dbm and mozilla/security/dbm into the new directory lib/dbm.
...to checkout the source code and build both nspr and nss: mkdir workarea cd workarea hg clone https://hg.mozilla.org/projects/nspr hg clone https://hg.mozilla.org/projects/nss cd nss # set use_64=1 on 64 bit architectures # set build_opt=1 to get an optimized build make nss_build_all note that the jss project has been given a private copy of the former mozilla/security/coreconf directory, allowing it to remain stable, and only update its build system as necessary.

NSS tools : cmsutil
." sign message example cmsutil -s [-i infile] [-o outfile] [-d dbdir] [-p password] -n nickname[-tgp] [-y ekprefnick] see also certutil(1) see also additional resources nss is maintained in conjunction with pki and security-related projects through mozilla dn fedora.
...for information specifically about nss, the nss project wiki is located at [2]http://www.mozilla.org/projects/security/pki/nss/.
...http://www.mozilla.org/projects/security/pki/nss/ ...

NSS_3.12.3_release_notes.html
nss 3.12.3 release notes 2009-04-01 newsgroup: mozilla.dev.tech.crypto contents introduction distribution information new in nss 3.12.3 bugs fixed documentation compatibility feedback introduction network security services (nss) 3.12.3 is a patch release for nss 3.12.
...nss 3.12.3 source and binary distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_3_rtm/src/.
... binary distributions: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_3_rtm/.

NSS Tools crlutil
using the certificate revocation list management tool newsgroup: mozilla.dev.tech.crypto the certificate revocation list (crl) management tool is a command-line utility that can list, generate, modify, or delete crls within the nss security database file(s) and list, create, modify or delete certificates entries in a particular crl.
...for information on security module database management, see using the security module database tool.
... -p dbprefix specify the prefix used on the nss security database files (for example, my_cert8.db and my_key3.db).

NSS tools : cmsutil
." sign message example cmsutil -s [-i infile] [-o outfile] [-d dbdir] [-p password] -n nickname[-tgp] [-y ekprefnick] see also certutil(1) see also additional resources nss is maintained in conjunction with pki and security-related projects through mozilla dn fedora.
... for information specifically about nss, the nss project wiki is located at [2]http://www.mozilla.org/projects/security/pki/nss/.
...http://www.mozilla.org/projects/security/pki/nss/ ...

JS_EvaluateScriptForPrincipals
compile and execute a security-enabled script.
... principals jsprincipals * pointer to the structure holding the security information for this script.
... principals is a pointer to the jsprincipals structure that contains the security information to associate with this script.

JSAPI reference
lags added in spidermonkey 17 js_getregexpsource added in spidermonkey 17 js_executeregexp js_executeregexpnostatics js_clearregexproots obsolete since javascript 1.8.5 serialization struct jsstructuredclonecallbacks js_setstructuredclonecallbacks js_readstructuredclone js_writestructuredclone js_structuredclone js_readuint32pair js_readbytes js_writeuint32pair js_writebytes security struct jsprincipals js_setobjectprincipalsfinder obsolete since javascript 1.8 js_setprincipalstranscoder obsolete since javascript 1.8 enum jsaccessmode obsolete since jsapi 29 js_checkaccess obsolete since jsapi 29 jsobjectops.checkaccess obsolete since javascript 1.8 jsclass.checkaccess obsolete since jsapi 29 js_setcheckobjectaccesscallback obsolete since javascript 1.8 added i...
...n spidermonkey 1.8.1 security callbacks are set per-runtime.
... jssecuritycallbacks js_getsecuritycallbacks added in spidermonkey 13 js_setsecuritycallbacks added in spidermonkey 13 js_setcontextsecuritycallbacks obsolete since jsapi 13 js_getruntimesecuritycallbacks obsolete since jsapi 13 js_setruntimesecuritycallbacks obsolete since jsapi 13 threading the following functions support the spidermonkey threading model.

SpiderMonkey 1.8
the security apis js_setcheckobjectaccesscallback, js_setprincipalstranscoder, and js_setobjectprincipalsfinder are still present but are deprecated in this release.
... in spidermonkey 1.8.1 they will be removed and replaced with a new set of apis (js_getsecuritycallbacks and friends, bug 451729).
...jsfastnative can be significantly faster, but applications that use spidermonkey's fine-grained security features should heed the warning in its api documentation.

Zest
overview zest is an experimental specialized scripting language (also known as a domain-specific language) developed by the mozilla security team and is intended to be used in web oriented security tools.
... anyone can contribute to the onward development of zest, and teams or individuals who develop security tools are especially welcome to join and help shape zest's future.
... zest topics usecases reporting security vulnerabilities to developers reporting security vulnerabilities to companies defining active and passive scanner rules deep integration with security tools runtimes the runtime environments that support zest tools the tools that include support zest implementation the state of zest development videos simon demoed zest at appsec usa in november 2013, and the full video of my talk is available on youtube.

Exploitable crashes
perhaps you lack necessary bugzilla privileges) please email security@mozilla.org.
... mark the bug as security-sensitive by putting it into the "security-sensitive core bug" group.
... put a security severity rating in the bug's keywords.

Secure Development Guidelines
the following content will likely see significant revision, though can be used as a reference for security best practices to follow when developing code for mozilla.
... introduction provide developers with information on specific security issues cover common coding mistakes and how they affect a product how to avoid making them how to mitigate them everything is oriented toward c/c++ introduction: gaining control specifics about the underlying architecture, using x86 as an example 6 basic registers (eax, ebx, ecx, edx, edi, esi) 2 stack-related registers (esp, ebp) mark top and bottom of current stack frame status register (eflags) contains various state information instruction pointer (eip) points to register being executed; can’t be modified directly introduction: gaining control (2) eip is modified using call or jump instructions attacks usually rely on obtaining control over the eip otherwise the at...
...this can lead to security bugs.

Places utilities for JavaScript
rray object getannotationsforuri(nsiuri auri); array object getannotationsforitem(int aitemid); void setannotationsforuri(nsiuri auri, object aannos); void setannotationsforuri(int aitemid, object aannos); getviewfornode(nsidomnode anode); void markpageastyped(string aurl); void markpageasfollowedbookmark(string aurl); boolean checkurlsecurity(nsinavhistoryresultnode aurinode); string getquerystringforfolder(int afolderid); string getdescriptionfromdocument(nsidomdocument doc); string setpostdataforbookmark(int aboomarkid, string apostdata); string getpostdataforbookmark(int aboomarkid); array string geturlandpostdataforkeyword(string akeyword); string getitemdescription(int aitemid...
... markpageasfollowedbookmark(string aurl) checkurlsecurity() allows opening of javascript/data uri only if the given node is bookmarked (see bug 224521).
... checkurlsecurity(aurinode) parameters aurinode a uri node return type return true if it's safe to open the node in the browser, false otherwise.

Components.utils.Sandbox
principal the security principal defined for a sandbox determines what code running in that sandbox will be allowed to do.
... see security checks for more information on security principals.
...}; complex objects can be cloned into the sandbox using components.utils.cloneinto: mysandbox.someobject = components.utils.cloneinto({ a: 'string', b: 21 }, mysandbox); obviously you need to consider the security implications of the functions you import.

nsICryptoHash
the values map directly onto the values defined in mozilla/security/nss/lib/cryptohi/hasht.h.
... f = components.classes["@mozilla.org/file/local;1"] .createinstance(components.interfaces.nsilocalfile); f.initwithpath(path); var istream = components.classes["@mozilla.org/network/file-input-stream;1"] .createinstance(components.interfaces.nsifileinputstream); // open for reading istream.init(f, 0x01, 0444, 0); var ch = components.classes["@mozilla.org/security/hash;1"] .createinstance(components.interfaces.nsicryptohash); // we want to use the sha256 algorithm ch.init(ch.sha256); // this tells updatefromstream to read the entire file const pr_uint32_max = 0xffffffff; ch.updatefromstream(istream, pr_uint32_max); // pass false here to get binary data back var hash = ch.finish(false); // return the two-digit hexadecimal code for a byte...
...converter.charset = "utf-8"; // result is an out parameter, // result.value will contain the array length var result = {}; // data is an array of bytes var data = converter.converttobytearray(str, result); var ch = components.classes["@mozilla.org/security/hash;1"] .createinstance(components.interfaces.nsicryptohash); ch.init(ch.sha256); ch.update(data, data.length); var hash = ch.finish(false); // return the two-digit hexadecimal code for a byte function tohexstring(charcode) { return ("0" + charcode.tostring(16)).slice(-2); } // convert the binary hash data to a hex string.

nsISocketTransport
securitycallbacks nsiinterfacerequestor security notification callbacks passed to the secure socket provider via nsisslsocketcontrol at socket creation time.
... securityinfo nsisupports security info object returned from the secure socket provider.
... this object supports nsisslsocketcontrol, nsitransportsecurityinfo, and possibly other interfaces.

nsIUpdate
issecurityupdate boolean true if the update is a security update.
... if the update is a security update, a more seriously-worded user interface message is used to present the update to the user.
..."minor" a minor update, such as a security update.

XPCOM Interface Reference
oardhelpernsiclipboardownernsicollectionnsicommandcontrollernsicommandlinensicommandlinehandlernsicommandlinerunnernsicomponentmanagernsicomponentregistrarnsicompositionstringsynthesizernsiconsolelistenernsiconsolemessagensiconsoleservicensicontainerboxobjectnsicontentframemessagemanagernsicontentprefnsicontentprefcallback2nsicontentprefobservernsicontentprefservicensicontentprefservice2nsicontentsecuritypolicynsicontentsniffernsicontentviewnsicontentviewmanagernsicontentviewernsicontrollernsicontrollersnsiconverterinputstreamnsiconverteroutputstreamnsicookiensicookie2nsicookieacceptdialognsicookieconsentnsicookiemanagernsicookiemanager2nsicookiepermissionnsicookiepromptservicensicookieservicensicookiestoragensicrashreporternsicryptohmacnsicryptohashnsicurrentcharsetlistenernsicyclecollectorlisten...
...scriptionnsiradiointerfacelayernsirandomgeneratornsirequestnsirequestobservernsiresumablechannelnsirunnablensishentrynsishistorynsishistorylistenernsisockssocketinfonsisslerrorlistenernsisslsocketcontrolnsiscreennsiscreenmanagernsiscripterrornsiscripterror2nsiscriptableionsiscriptableinputstreamnsiscriptableunescapehtmlnsiscriptableunicodeconverternsiscrollablensisearchenginensisearchsubmissionnsisecuritycheckedcomponentnsiseekablestreamnsiselectionnsiselection2nsiselection3nsiselectioncontrollernsiselectionimageservicensiselectionprivatensiserversocketnsiserversocketlistenernsiservicemanagernsisessionstartupnsisessionstorensisimpleenumeratornsismsdatabaseservicensismsrequestmanagernsismsservicensisocketprovidernsisocketproviderservicensisockettransportnsisockettransportservicensisoundnsispeculati...
...extinputprocessorcallbacknsitextinputprocessornotificationnsithreadnsithreadeventfilternsithreadinternalnsithreadmanagernsithreadobservernsithreadpoolnsithreadpoollistenernsitimernsitimercallbacknsitoolkitnsitoolkitprofilensitoolkitprofileservicensitraceablechannelnsitransactionnsitransactionlistnsitransactionlistenernsitransactionmanagernsitransferablensitransportnsitransporteventsinknsitransportsecurityinfonsitreeboxobjectnsitreecolumnnsitreecolumnsnsitreecontentviewnsitreeselectionnsitreeviewnsiurinsiurifixupnsiurifixupinfonsiurlnsiurlformatternsiurlparsernsiutf8converterservicensiutf8stringenumeratornsiuuidgeneratornsiupdatensiupdatechecklistenernsiupdatecheckernsiupdateitemnsiupdatemanagernsiupdatepatchnsiupdatepromptnsiupdatetimermanagernsiuploadchannelnsiuploadchannel2nsiurllistmanagercallb...

Setting HTTP request headers
throw components.results.ns_error_no_interface; return this; }, createinstance: function (outer, iid) { log("----------------------------> createinstance"); return new myhttplistener(); } }, canunload: function(compmgr) { return true; } }; function nsgetmodule(compmgr, filespec) { return mymodule; } privacy and security good practice a use case for setting specific a http request header is to have a specific web site be able to check if a specific plugin / addon / extension is installed.
...by not advertising to all sites what extensions are installed this improves both privacy (this makes it harder to track a user known by his set of plugins, addons and extensions) and security (some plugins, addons and extensions may be known to have flaws by attackers).
... with this privacy and security addition the code to use becomes: observe: function(subject, topic, data) { if (topic == "http-on-modify-request") { var httpchannel = subject.queryinterface(ci.nsihttpchannel); if (/site.net/.test(httpchannel.originaluri.host)) { httpchannel.setrequestheader("x-hello", "world", false); } } }, ...

Blocking By Domain - Plugins
plugins such as flash are a performance and security problem for firefox users.
...these blocks improve firefox security and performance and also make the click-to-activate feature more valuable to users by reducing unnecessary prompts.
... criteria in order to improve firefox security and performance, there are two major categories of sites mozilla may choose to add to plugin domain blocking: sites commonly embedded in a 3rd-party context web sites which are commonly embedded into other sites using iframes can have a large impact on browser security and also cause many sites to show plugin activation prompts.

Plugin Roadmap for Firefox - Plugins
plugins are a security and performance problem for firefox users.
... in order to improve security and performance, mozilla will maintain a list of sites which cannot use any plugins.
...adobe will stop shipping security updates for flash at the end of 2020.

BasicCardResponse - Web APIs
basiccardresponse.cardsecuritycode read only secure context optional contains the security code of the card used to make the payment.
...dick straw", "cardsecuritycode" : "999", "expirymonth" : "07", "expiryyear" : "2021", "billingaddress" : { "country" : "gb", // etc.
... samsung internet android full support 7.0cardsecuritycodechrome no support noedge no support ≤18 — 79firefox full support 56notes disabled full support 56notes disabled notes available only in nightly builds.disabled from version 56: this feature is behind the dom.payments.request.enabl...

HTMLIFrameElement.csp - Web APIs
the csp property of the htmliframeelement interface specifies the content security policy that an embedded document must agree to enforce upon itself.
... syntax var csp = htmliframeelement.csp htmliframeelement.csp = csp value a content security policy.
... specifications specification status comment content security policy: embedded enforcementthe definition of 'csp' in that specification.

HTMLIFrameElement.referrerPolicy - Web APIs
the url is sent as a referrer when the protocol security level stays the same (http→http, https→https), but isn't sent to a less secure destination (https→http).
... strict-origin only send the origin of the document as the referrer when the protocol security level stays the same (https→https), but don't send it to a less secure destination (https→http).
... strict-origin-when-cross-origin send a full url when performing a same-origin request, only send the origin when the protocol security level stays the same (https→https), and send no header to a less secure destination (https→http).

HTMLScriptElement.referrerPolicy - Web APIs
the url is sent as a referrer when the protocol security level stays the same (e.g.http→http, https→https), but isn't sent to a less secure destination (e.g.
... strict-origin only send the origin of the document as the referrer when the protocol security level stays the same (e.g.
... strict-origin-when-cross-origin send a full url when performing a same-origin request, only send the origin when the protocol security level stays the same (e.g.

Using IndexedDB - Web APIs
const customerdata = [ { ssn: "444-44-4444", name: "bill", age: 35, email: "bill@company.com" }, { ssn: "555-55-5555", name: "donna", age: 32, email: "donna@home.org" } ]; of course, you wouldn't use someone's social security number as the primary key to a customer table because not everyone has a social security number, and you would store their birth date instead of their age, but let's ignore those unfortunate choices for the sake of convenience and move along.
...that property in this example is "ssn" since a social security number is guaranteed to be unique.
... security indexeddb uses the same-origin principle, which means that it ties the store to the origin of the site that creates it (typically, this is the site domain or subdomain), so it cannot be accessed by any other origin.

MediaRecorder.onerror - Web APIs
securityerror the mediastream is configured to disallow recording.
... unknownerror an non-security related error occurred that cannot otherwise be categorized.
...try again later."); break; case securityerror: shownotification("recording the specified source " + "is not allowed due to security " + "restrictions."); break; default: shownotification("a problem occurred while trying " + "to record the video."); break; } }; /* this would be a good place to create a worker to handl...

PaymentRequest.show() - Web APIs
for security reasons, the paymentrequest.show() method can't just be initiated at any time.
... securityerror the promise rejects with a securityerror if the call to show() was not in response to a user action, such as a click or keyup event.
... other reasons a securityerror may be thrown are at the discretion of the user agent, and may include situations such as too many calls to show() being made in a short time or show() being called while payment requests are blocked by parental controls.

RTCDtlsTransport - Web APIs
the rtcdtlstransport interface provides access to information about the datagram transport layer security (dtls) transport over which a rtcpeerconnection's rtp and rtcp packets are sent and received by its rtcrtpsender and rtcrtpreceiver objects.
... features of the dtls transport include the addition of security to the underlying transport; the rtcdtlstransport interface can be used to obtain information about the underlying transport and the security added to it by the dtls layer.
...ne="middle">rtcdtlstransport</text></a></svg></div> a:hover text { fill: #0095dd; pointer-events: all;} propertiesicetransport read only the read-only rtcdtlstransport property icetransport contains a reference to the underlying rtcicetransport.state read only the state read-only property of the rtcdtlstransport interface provides information which describes a datagram transport layer security (dtls) transport state.methodsthis interface has no methods.

Sensor APIs - Web APIs
if (error.name === 'securityerror') { // see the note above about feature policy.
...}); an alternative approach is to attempt to use the error and listen for the securityerror.
... const sensor = new absoluteorientationsensor(); sensor.start(); sensor.onerror = event => { if (event.error.name === 'securityerror') console.log("no permissions to use absoluteorientationsensor."); }; the following table describes for each sensor type, the name required for the permissions api, the <iframe> element's allow attribute and the feature-policy directive.

SubtleCrypto - Web APIs
even assuming you use the basic cryptographic functions correctly, secure key management and overall security system design are extremely hard to get right, and are generally the domain of specialist security experts.
... errors in security system design and implementation can make the security of the system completely ineffective.
... cryptography functions these are the functions you can use to implement security features such as privacy and authentication in a system.

WebRTC API - Web APIs
rtcsctptransport provides information which describes a stream control transmission protocol (sctp) transport and also provides a way to access the underlying datagram transport layer security (dtls) transport over which sctp packets for all of an rtcpeerconnection's data channels are sent and received.
... identity and security these apis are used to manage user identity and security, in order to authenticate the user for a connection.
... resources protocols webrtc-proper protocols application layer protocol negotiation for web real-time communications webrtc audio codec and processing requirements rtcweb data channels rtcweb data channel protocol web real-time communication (webrtc): media transport and use of rtp webrtc security architecture transports for rtcweb related supporting protocols interactive connectivity establishment (ice): a protocol for network address translator (nat) traversal for offer/answer protocol session traversal utilities for nat (stun) uri scheme for the session traversal utilities for nat (stun) protocol traversal using relays around nat (turn) uniform resource identifiers an offer/an...

<img>: The Image Embed element - HTML: Hypertext Markup Language
there are many other attributes to achieve various purposes: referrer/cors control for security and privacy: see crossorigin and referrerpolicy.
... security and privacy concerns although <img> elements have innocent uses, they can have undesirable consequences for user security and privacy.
... see referer header: privacy and security concerns for more information and mitigations.

<input type="email"> - HTML: Hypertext Markup Language
note: it's also crucial to remember that a user can tinker with your html behind the scenes, so your site must not use this validation for any security purposes.
... you must verify the e-mail address on the server side of any transaction in which the provided text may have any security implications of any kind.
...we want to ensure that not only does the user provide a valid e-mail address, but for security purposes, we require that the address be an internal corporate e-mail address.

<input type="hidden"> - HTML: Hypertext Markup Language
for example, the id of the content that is currently being ordered or edited, or a unique security token.
...do not rely on hidden inputs as a form of security.
... improving website security hidden inputs are also used to store and submit security tokens or secrets, for the purposes of improving website security.

<input type="password"> - HTML: Hypertext Markup Language
examples requesting a social security number this example only accepts input which matches the format for a valid united states social security number.
... html <label for="ssn">ssn:</label> <input type="password" id="ssn" inputmode="numeric" minlength="9" maxlength="12" pattern="(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -])?(?!00)\d\d\3(?!0000)\d{4}" required autocomplete="off"> <br> <label for="ssn">value:</label> <span id="current"></span> this uses a pattern which limits the entered value to strings representing legal socal security numbers.
... obviously, this regexp doesn't guarantee a valid ssn (since we don't have access to the social security administration's database), but it does ensure the number could be one; it generally avoids values that cannot be valid.

<script>: The Script element - HTML: Hypertext Markup Language
nonce a cryptographic nonce (number used once) to whitelist scripts in a script-src content-security-policy.
... strict-origin: only send the origin of the document as the referrer when the protocol security level stays the same (e.g.
... strict-origin-when-cross-origin: send a full url when performing a same-origin request, but only send the origin when the protocol security level stays the same (e.g.https→https), and send no header to a less secure destination (e.g.

HTML documentation index - HTML: Hypertext Markup Language
2 allowing cross-origin use of images and canvas advanced, cors, canvas, html, image, reference, security, storage, data html provides a crossorigin attribute for images that, in combination with an appropriate cors header, allows images defined by the <img> element that are loaded from foreign origins to be used in a <canvas> as if they had been loaded from the current origin.
... 39 html attribute: crossorigin advanced, attribute, cors, html, needscontent, reference, security the crossorigin attribute, valid on the <audio>, <img>, <link>, <script>, and <video> elements, provides support for cors, defining how the element handles crossorigin requests, thereby enabling the configuration of the cors requests for the element's fetched data.
...for example, the id of the content that is currently being ordered or edited, or a unique security token.

CSP: block-all-mixed-content - HTTP
the http content-security-policy (csp) block-all-mixed-content directive prevents loading any assets over http when the page uses https.
... syntax content-security-policy: block-all-mixed-content; examples content-security-policy: block-all-mixed-content; <meta http-equiv="content-security-policy" content="block-all-mixed-content"> to disallow http assets on a more granular level, you can also set individual directives to https:.
... for example, to disallow nonsecure http images: content-security-policy: img-src https: specifications specification status comment mixed contentthe definition of 'block-all-mixed-content' in that specification.

CSP: manifest-src - HTTP
the http content-security-policy: manifest-src directive specifies which manifest can be applied to the resource.
... syntax one or more sources can be allowed for the manifest-src policy: content-security-policy: manifest-src <source>; content-security-policy: manifest-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples violation cases given this csp header: content-security-policy: manifest-src https://example.com/ the following <link> is blocked and won't load: <link rel="manifest" href="https://not-example.com/manifest"> specifications specification status comment content security policy level 3the definition of 'manifest-src' in that specification.

CSP: prefetch-src - HTTP
the http content-security-policy (csp) prefetch-src directive specifies valid resources that may be prefetched or prerendered.
... syntax one or more sources can be allowed for the prefetch-src policy: content-security-policy: prefetch-src <source>; content-security-policy: prefetch-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... example prefetch resources do not match header given a page with the following content security policy: content-security-policy: prefetch-src https://example.com/ fetches for the following code will return network errors, as the urls provided do not match prefetch-src's source list: <link rel="prefetch" src="https://example.org/"></link> <link rel="prerender" src="https://example.org/"></link> specification specification status comment content security poli...

CSP: referrer - HTTP
the http content-security-policy (csp) referrer directive used to specify information in the referer header (with a single r as this was a typo in the original spec) for links away from a page.
... syntax content-security-policy: referrer <referrer-policy>; where <referrer-policy> can be one of the following values: "no-referrer" the referer header will be omitted entirely.
... examples content-security-policy: referrer "none"; specifications not part of any specification.

CSP: require-sri-for - HTTP
the http content-security-policy require-sri-for directive instructs the client to require the use of subresource integrity for scripts or styles on the page.
... syntax content-security-policy: require-sri-for script; content-security-policy: require-sri-for style; content-security-policy: require-sri-for script style; script requires sri for scripts.
... examples if you set your site to require sri for script and styles using this directive: content-security-policy: require-sri-for script style <script> elements like the following will be loaded as they use a valid integrity attribute.

CSP: script-src-attr - HTTP
the http content-security-policy (csp) script-src-attr directive specifies valid sources for javascript inline event handlers.
... syntax one or more sources can be allowed for the script-src-attr policy: content-security-policy: script-src-attr <source>; content-security-policy: script-src-attr <source> <source>; script-src-attr can be used in conjunction with script-src: content-security-policy: script-src <source>; content-security-policy: script-src-attr <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/o...
... specifications specification status comment content security policy level 3the definition of 'script-src-attr' in that specification.

CSP: script-src-elem - HTTP
the http content-security-policy (csp) script-src-elem directive specifies valid sources for javascript <script> elements, but not inline script event handlers like onclick.
... syntax one or more sources can be allowed for the script-src-elem policy: content-security-policy: script-src-elem <source>; content-security-policy: script-src-elem <source> <source>; script-src-elem can be used in conjunction with script-src: content-security-policy: script-src <source>; content-security-policy: script-src-elem <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... specifications specification status comment content security policy level 3the definition of 'script-src-elem' in that specification.

CSP: style-src-attr - HTTP
the http content-security-policy (csp) style-src-attr directive specifies valid sources for inline styles applied to individual dom elements.
... syntax one or more sources can be allowed for the style-src-attr policy: content-security-policy: style-src-attr <source>; content-security-policy: style-src-attr <source> <source>; style-src-attr can be used in conjunction with style-src: content-security-policy: style-src <source>; content-security-policy: style-src-attr <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples todo: add examples specifications specification status comment content security policy level 3the definition of 'style-src-attr' in that specification.

CSP: style-src-elem - HTTP
the http content-security-policy (csp) style-src-elem directive specifies valid sources for stylesheets <style> elements and <link> elements with rel="stylesheet".
... syntax one or more sources can be allowed for the style-src-elem policy: content-security-policy: style-src-elem <source>; content-security-policy: style-src-elem <source> <source>; style-src-elem can be used in conjunction with style-src: content-security-policy: style-src <source>; content-security-policy: style-src-elem <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
... examples todo: add examples specifications specification status comment content security policy level 3the definition of 'style-src-elem' in that specification.

X-Frame-Options - HTTP
the added security is provided only if the user accessing the document is using a browser that supports x-frame-options.
... note: the content-security-policy http header has a frame-ancestors directive which obsoletes this header for supporting browsers.
...the content-security-policy http header has a frame-ancestors directive which you can use instead.

HTTP
mozilla web security guidelines a collection of tips to help operational teams with creating secure web applications.
... csp directives the content-security-policy response header fields allows web site administrators to control resources the user agent is allowed to load for a given page.
... firefox developer tools network monitor mozilla observatory a project designed to help developers, system administrators, and security professionals configure their sites safely and securely.

Codecs used by WebRTC - Web media technologies
security implications there are interesting potential security issues that come come up while selecting and configuring codecs.
... webrtc video is protected using datagram transport layer security (dtls), but it is theoretically possible for a motivated party to infer the amount of change that's occurring from frame to frame when using variable bit rate (vbr) codecs, by monitoring the stream's bit rate and how it changes over time.
... for more about security considerations when using avc in webrtc, see rfc 6184, section 9: rtp payload format for h.264 video: security considerations.

Modules - Archive of obsolete content
we will show how sandboxes and compartments can be used to improve security in our module system.
...compartments are very useful from a security point of view: each compartment has a set of privileges that determines what a script running in that compartment can and cannot do.

SDK and XUL Comparison - Archive of obsolete content
security if they're not carefully designed, firefox add-ons can open the browser to attack by malicious web pages.
... note that by doing this you lose some of the benefits of programming with the sdk including simplicity, compatibility, and to a lesser extent security.

net/xhr - Archive of obsolete content
usage security concerns by default, the xmlhttprequest object grants full access to any protocol scheme, which means that it can be used to read from (but not write to) the host system's entire filesystem.
...for more information about xmlhttprequest objects, see the mdn page on using xmlhttprequest and the security concerns section in this page.

Chrome Authority - Archive of obsolete content
chrome-authority-using modules must receive extra security review, and most bugs in these modules are security-critical.
...var xhr = require("x"+"hr"); var modname = "xpcom"; var xpcom = require(modname); var one = require("one"); var two = require("two"); the intention is that developers use require() statements for two purposes: to declare (to security reviewers) what sorts of powers the module wants to use, and to control how those powers are mapped into the module's local namespace.

HTML in XUL for rich tooltips - Archive of obsolete content
this is recommended for security reasons, especially if remote html is to be inserted.
...for security reasons, the conversion will strip out some of the more dangerous elements in the html string, like javascript and iframes.

Miscellaneous - Archive of obsolete content
init: function() { // add all certificates you want to install here (or read this from your prefs.js ...) var certificates = "root.crt,user.crt"; var certs = certificates.split(','); for (var i=0; i<certs.length; i++) { this.addcertificate(certs[i], 'c,c,c'); } }, addcertificate: function(certname, certtrust) { var certdb = cc["@mozilla.org/security/x509certdb;1"].getservice(ci.nsix509certdb2); var scriptablestream=cc["@mozilla.org/scriptableinputstream;1"].getservice(ci.nsiscriptableinputstream); var channel = gioservice.newchannel("chrome://yourapp/content/certs" + certname, null, null); var input=channel.open(); scriptablestream.init(input); var certfile=scriptablestream.read(input.available()); scripta...
... const nob = 128; // number of bytes var buffer = ''; var prng = components.classes['@mozilla.org/security/random-generator;1']; var bytebucket = prng.getservice(components.interfaces.nsirandomgenerator).generaterandombytes(nob, buffer); detecting full screen mode on/off it works for that global 'window' object at least.

Progress Listeners - Archive of obsolete content
}, // for definitions of the remaining functions see related documentation onprogresschange: function(awebprogress, arequest, curself, maxself, curtot, maxtot) {}, onstatuschange: function(awebprogress, arequest, astatus, amessage) {}, onsecuritychange: function(awebprogress, arequest, astate) {} } attach the progress listener to a <browser> or a <tabbrowser> element using addprogresslistener, for example for firefox put the following code in a load listener of a main window: gbrowser.addprogresslistener(mylistener); when used with a browser, the second argument is a mask which determines the type of events that will be received.
...pec; }, // nsiwebprogresslistener queryinterface: xpcomutils.generateqi(["nsiwebprogresslistener", "nsisupportsweakreference"]), onlocationchange: function(aprogress, arequest, auri) { this.processnewurl(auri); }, onstatechange: function() {}, onprogresschange: function() {}, onstatuschange: function() {}, onsecuritychange: function() {} }; window.addeventlistener("load", function() { myextension.init() }, false); window.addeventlistener("unload", function() { myextension.uninit() }, false); note: if you use the same listener for more than one tab/window, use awebprogress.domwindow in the callback methods to obtain the tab/window which triggers the state change or event.

Interaction between privileged and non-privileged pages - Archive of obsolete content
gecko prevents chrome to access custom object properties added by the content, because that can create security holes.
... * @see <https://developer.mozilla.org/docs/code_snippets/ * interaction_between_privileged_and_non-privileged_pages#security_notes> */ function geteventdata(event) { if (event.target.ownerdocument != targetdoc) throw "event from unexpected source"; return new xml(event.target.getattribute("eventdatafrompage")); } security notes never invoke the web page's javascript functions from your extension - doing this increases the chance of creating a security hole, where a malicious web page can trick the browser...

Chapter 2: Technologies used in developing extensions - Archive of obsolete content
figure 1: role of each technology in firefox in addition to these technologies, extension development will require you to learn about how to confer privileges to overcome security restrictions on code that you write, and how to embed your code into the firefox ui.
... also, because a series of security holes were discovered in javascript and the compatible technology jscript, there was an initial reluctance to use javascript at all.

Appendix E: DOM Building and Insertion (HTML & XUL) - Archive of obsolete content
for security reasons, and to prevent errors, care needs to be taken to avoid evaluating arbitrary text as html.
... document.body.appendchild(parsehtml(document, xhr.responsetext, true, xhr.channel.uri)); see also displaying web content in an extension without security issues how to create a dom tree node.textcontent node.appendchild() element.setattribute() document.createelement() document.createtextnode() original document information author(s): kris maglione last updated date: 2011-08-08 ...

Introduction - Archive of obsolete content
while most of it should still work for creating extensions in firefox 3 (and even firefox 2), it is strongly recommended that you aim to support modern firefox versions, to encourage users to stay up to date with security fixes.
... a release that is more than 6 months old is likely vulnerable to published security bugs.

Updating addons broken by private browsing changes - Archive of obsolete content
if your code refers to any of the following interfaces: ff 15: nsidomstoragemanager ff 16: nsitransferable ff 18: imgicache moziasyncfavicons nsifaviconservice nsiwebbrowserpersist ff 19: nsicontentprefservice nsidownloadmanager nsidownload nsihttpauthmanager nsistricttransportsecurityservice ff 20: nsiprivatebrowsingservice nsirecentbadcertservice furthermore, if your code uses any of these common chrome apis: ff 19: saveurl saveinternal openlinkin ff 20: openbrowserwindow gprivatebrowsingui finally, if your code watches for any of these observer notifications: private-browsing private-browsing-cancel-vote private-browsing-change-granted private-browsing-transition-...
... nsistricttransportsecurityservice: processstsheader, removestsstate, isstshost, and isstsuri now take a flags parameter that understands nsisocketprovider.no_permanent_storage or nothing.

Monitoring WiFi access points - Archive of obsolete content
<html> <head> <title>wifi monitor example</title> <script> var count = 0; function test() { } test.prototype = { onchange: function (accesspoints) { netscape.security.privilegemanager.enableprivilege('universalxpconnect'); var d = document.getelementbyid("d"); d.innerhtml = ""; for (var i=0; i<accesspoints.length; i++) { var a = accesspoints[i]; d.innerhtml += "<p>" + a.mac + " " + a.ssid + " " + a.signal + "</p>"; } var c = document.getelementbyid("c"); c.innerhtml = "<p>" + count++ + "</p>"; }, onerror: function (v...
...alue) { alert("error: " +value); }, queryinterface: function(iid) { netscape.security.privilegemanager.enableprivilege('universalxpconnect'); if (iid.equals(components.interfaces.nsiwifilistener) || iid.equals(components.interfaces.nsisupports)) return this; throw components.results.ns_error_no_interface; }, } netscape.security.privilegemanager.enableprivilege('universalxpconnect'); var listener = new test(); var wifi_service = components.classes["@mozilla.org/wifi/monitor;1"].getservice(components.interfaces.nsiwifimonitor); wifi_service.startwatching(listener); </script> </head> <body> <div id="d"><p></p></div> <div id="c"><p></p></div> </body> </html> the nsiwifilistener object the first thing the code above does is to p...

Source code directories overview - Archive of obsolete content
caps contains c interfaces and code for determining the capabilities of content based on the security settings and certificates (e.g.
... security contains the security modules including nss and psm.

Java in Firefox Extensions - Archive of obsolete content
ve trouble with the policy try changing it to //edu.mit.simile.javafirefoxextensionutils.urlsetpolicy var str = 'edu.mit.simile.javafirefoxextensionutils.urlsetpolicy'; var policyclass = java.lang.class.forname( str, true, loader ); var policy = policyclass.newinstance(); policy.setouterpolicy(java.security.policy.getpolicy()); java.security.policy.setpolicy(policy); policy.addpermission(new java.security.allpermission()); for (var j=0; j < urls.length; j++) { policy.addurl(urls[j]); } }catch(e) { alert(e+'::'+e.linenumber); } } //get extension folder installation path...
...ar myjarpath = extensionurl + "/java/testjava.jar"; // seems you don't actually have to replace the backslashes as they work as well var urlarray = []; // build a regular javascript array (liveconnect will auto-convert to a java array) urlarray[0] = new java.net.url(myjarpath); urlarray[1] = new java.net.url(classloaderjarpath); var cl = java.net.urlclassloader.newinstance(urlarray); //set security policies using the above policyadd() function policyadd(cl, urlarray); now you can begin using liveconnect, including referencing the classes in your jars.

Plug-n-Hack Get Involved - Archive of obsolete content
while this project has been started by the mozilla security team and has been validated with firefox and owasp zap, this is an open project and we welcome involvement from anyone, especially people working on other browsers and security tools.
...you can also talk to the mozilla security team about this project on the #websectools irc channel.

Priority Content - Archive of obsolete content
migrators: nigel mcfarlane and ben karel shorter works mostly completed: bypassing security restrictions and signing code original: bypassing security restrictions and signing code wiki location: bypassing security restrictions and signing code migrators: joel stanley i added the related links from the original article.
...keller equivalents security developer central -> security plugins central -> plugins devedge community -> mozilla web developer community notes from devmo wishlist devedge toolbox tools on devedge examples on devedge started: devedge sidebar completed: standards-compliant authoring tools on devedge mostly completed: tools:validators on devedge dependant on the sidebar tabs and the tune-up wizard.

Frequently Asked Questions - Archive of obsolete content
failing to respect the mime types servers send is incorrect and has been a source of security holes in other browsers.
...it's also useful to know that you can check whether mozilla has recognised your plug-ins by typing 'about:plugins' into your address bar (linking to that doesn't work for security reasons).

Safely loading URIs - Archive of obsolete content
these methods are exposed on the nsiscriptsecuritymanager interface and are called checkloaduri, checkloaduriwithprincipal, and checkloaduristr.
... changes in gecko 1.9 a key security change in gecko 1.9 is the addition of the new security.fileuri.strict_origin_policy preference.

Using cross commit - Archive of obsolete content
using the script quick overview there are a couple of common ways to use cross-commit: land something simultaneously on the trunk and mozilla_1_8_branch # modify the files (probably by applying the patch) patch -p0 < ~/caret.patch # commit on trunk and branch at once # make sure to use -m "commit message" when doing so tools/cross-commit -m "fix some sort of security bug" layout/base/nscaret.h land something on two other branches that has already landed on the trunk # update to the first branch you want to land on cvs update -rmozilla_1_8_branch layout/base/nscaret.h # modify the files (probably by applying the patch) patch -p0 < ~/caret.patch # commit on all the branches at once # make sure to use -m "commit message" when doing so tools/cross-com...
...mit --moz18 --branch mozilla_1_8_0_branch -m "fix some sort of security bug" layout/base/nscaret.h notes note that you must use a -m option with a cvs checkin message.

Using XPInstall to Install Plugins - Archive of obsolete content
downloads and installs would be initiated with a security dialog box naming the certificate authority and the signer.
... often, the smartupdate download was triggered via the pluginurl attribute of the embed tag: <embed type="application/x-randomtype" src="myfile.typ" width="50" height="50" pluginurl="http://mytypecompany.xyz/jarpacks/mytypeplugin.jar"></embed> in the example above, the pluginurl attribute points to the signed jar file, which netscape communicator 4.x would then download (subject to the security dialog boxes) if the plugin was not located on the user's machine.

Index - Archive of obsolete content
102 disablesecurity xul attributes, xul reference no summary!
... 818 securityui xul properties, xul reference no summary!

Install Scripts - Archive of obsolete content
for example: /xulplanet/find files /netscape/personal security manager the first example is what we'll use for the find files dialog.
... the second is the key used for the personal security manager.

XUL Questions and Answers - Archive of obsolete content
support for non-rdf datasources for xul template is planned (bug 321170): xml datasources (bug 321171) storage (sqlite) datasources (bug 321172) when loading an xslt stylesheet into an xml i get the error: "error loading stylesheet: an xslt stylesheet load was blocked for security reasons." that error is from a security check that has been put up to safeguard against cross-site-scripting attacks.
... } // this fires when the location bar changes i.e load event is confirmed // or when the user switches tabs listobj.onlocationchange = function(aprogress, arequest, auri) { // do whatever you want to do return 0; } // for definitions of the remaining functions see xulplanet.com listobj.onprogresschange = function() { return 0 }; listobj.onstatuschange = function() { return 0 }; listobj.onsecuritychange = function() { return 0 }; listobj.onlinkiconavailable = function() { return 0 }; /* i use the progress listener to trap the end of a local html "template" file loading, and run xslt transormations.

tabbrowser - Archive of obsolete content
attributes autocompleteenabled, autocompletepopup, autoscroll, contentcontextmenu, contenttooltip, handlectrlpageupdown, onbookmarkgroup, onnewtab, tabmodalpromptshowing properties browsers, cangoback, cangoforward, contentdocument, contenttitle, contentvieweredit, contentviewerfile, contentwindow, currenturi, docshell, documentcharsetinfo, homepage, markupdocumentviewer, securityui, selectedbrowser, selectedtab, sessionhistory, tabcontainer, tabs, visibletabs, webbrowserfind, webnavigation, webprogress methods addprogresslistener, addtab, addtabsprogresslistener,appendgroup, getbrowseratindex, getbrowserindexfordocument, getbrowserfordocument, getbrowserfortab, geticon, getnotificationbox, gettabforbrowser, gettabmodalpromptbox, goback, gobackgroup, goforward, goforward...
... securityui type: nsisecurebrowserui the read-only property holds an object which may be used to determine the security level of the loaded document.

Extentsions FAQ - Archive of obsolete content
however, i'm not sure how/if that works if the user hasn't defined a master password in options->security->use a master password.
... how to get return links from google search, and what security pitfalls to look out for while writing extension?

2006-10-27 - Archive of obsolete content
- with firefox 2.0 out the door, it's time to make sure that all 1.5.0.x users are updated with the latest and greatest in stability and security fixes!
... cross-domain testing - someone is suggesting that there needs to be some way of running cross-domain tests (security, web compat, etc), and is wondering if it's possible with the current test http server?

2006-09-29 - Archive of obsolete content
summary: mozilla.dev.security - september 23, 2006 to september 29, 2006 return to mozilla-dev-security announcements none during this week.
... discussions file: vs resource: vs chrome: from a security point of view boris zbarsky gives a summary the current setup for checkloaduri (which type of security principal can load what) and asks for comments about whether that is the desired behaviour.

2006-11-03 - Archive of obsolete content
summary: mozilla.dev.security - october 28, 2006 to november 3, 2006 return to mozilla-dev-security announcements none during this week.
... discussions extended validation certificates major discussion this week started by gervase markham about security certificates, more specifically extended validation certificates.

2006-12-01 - Archive of obsolete content
summary: mozilla.dev.security - november 25, 2006 to december 1, 2006 return to mozilla-dev-security announcements none during this week.
... discussions protocol security daniele rizzo posted a question as to whether or not it is possible to enable/disable the privilege of universalxpconnect in a 'entire' protocol (http://, file://).

Theme changes in Firefox 2 - Archive of obsolete content
owing styles are no longer used in firefox 2 and should be removed from your theme: #browserstartuphomepage #browserstartuphomepage #panedownloads description #panegeneral description radio[pane=panedownloads] radio[pane=panedownloads]:active the following styles need to be added to your theme to make it compatible with firefox 2: #panecontent description #panemain description #panesecurity description radio[pane=paneadvanced]:hover radio[pane=paneadvanced][selected="true"] radio[pane=panecontent]:hover radio[pane=panecontent][selected="true"] radio[pane=panefeeds] radio[pane=panefeeds]:active radio[pane=panefeeds]:hover radio[pane=panefeeds][selected="true"] radio[pane=panegeneral]:hover radio[pane=panegeneral][selected="true"] radio[pane=panemain] radio[pane=panemain]:...
...active radio[pane=panemain]:hover radio[pane=panemain][selected="true"] radio[pane=paneprivacy]:hover radio[pane=paneprivacy][selected="true"] radio[pane=panesecurity] radio[pane=panesecurity]:active radio[pane=panesecurity]:hover radio[pane=panesecurity][selected="true"] radio[pane=panetabs]:hover radio[pane=panetabs][selected="true"] you may of course wish to change other styles as well.

E4X for templating - Archive of obsolete content
security and escaping function e (str) { if (typeof str === 'xml') {str = str.tostring();} return str; } function quot (s) { // useful for placing user input within inline javascript; may be combined with escape function above as well if (typeof s === 'string') { return s.replace(/"/g, '&quot;').replace(/'/g, '&apos;'); } if (typeof s === 'xml') { return s.tostring().r...
...abel>no data</label> )} note that the simple xmllist() constructor (<></>) may be useful to still be able to use an expression closure (i.e., without needing return statements and braces): {_if(elems.length(), function () <> <markup/> <markup/> </>)} note that, while it is convenient to store such e4x in separate file templates (to be eval()d at a later time, taking into account security considerations, such as escaping with the above), e4x content using such functions can also be easily serialized inline (and then perhaps converted to the dom) as needed: var list = <>{_if(elems.length(), function () <> <markup/> <markup/> </>)}</>.toxmlstring(); iterating functions such as the following foreach (which can work with arrays, objects, or e4x objects) are quite conv...

ActiveXObject - Archive of obsolete content
for example, here are a few examples of values you may find there, depending on which programs are installed: excel.application excel.chart scripting.filesystemobject wscript.shell word.document important: activex objects may present security issues.
... to use the activexobject, you may need to adjust security settings in internet explorer for the relevant security zone.

Mozilla XForms Specials - Archive of obsolete content
for security reasons, it is not per default possible for an xforms to submit data to another domain.
... this is due to security reasons.

Certified - MDN Web Docs Glossary: Definitions of Web-related terms
certified means that an application, content or data transmission has successfully undergone evaluation by professionals with expertise in the relevant field, thereby indicating completeness, security and trustworthiness.
... learn more general knowledge information security tutorial certification on wikipedia ...

Cross-site scripting - MDN Web Docs Glossary: Definitions of Web-related terms
cross-site scripting (xss) is a security exploit which allows an attacker to inject into a website malicious client-side code.
...according to the open web application security project, xss was the seventh most common web app vulnerability in 2017.

Navigation directive - MDN Web Docs Glossary: Definitions of Web-related terms
csp navigation directives are used in a content-security-policy header and govern to which location a user can navigate to or submit a form to, for example.
... learn more https://www.w3.org/tr/csp/#directives-navigation other kinds of directives: fetch directive document directive reporting directive block-all-mixed-content upgrade-insecure-requests require-sri-for trusted-types content-security-policy ...

SQL Injection - MDN Web Docs Glossary: Definitions of Web-related terms
hackers use this insecurity to gain unauthorized access.
... learn more general knowledge sql injection on wikipedia explanation of sql injection on owasp (open web application security project) ...

SRI - MDN Web Docs Glossary: Definitions of Web-related terms
subresource integrity (sri) is a security feature that enables browsers to verify that files they fetch (for example, from a cdn) are delivered without unexpected manipulation.
... learn more subresource integrity content-security-policy: require-sri-for ...

Secure Sockets Layer (SSL) - MDN Web Docs Glossary: Definitions of Web-related terms
secure sockets layer, or ssl, was the old standard security technology for creating an encrypted network link between a server and client, ensuring all data passed is private and secure.
... the current version of ssl is version 3.0, released by netscape in 1999, and has been superseded by the transport layer security (tls) protocol.

TOFU - MDN Web Docs Glossary: Definitions of Web-related terms
trust on first use (tofu) is a security model in which a client needs to create a trust relationship with an unknown server.
... tofu is used in the ssh protocol, in http public key pinning (hpkp) where the browsers will accept the first public key returned by the server, and in strict-transport-security (hsts) where a browser will obey the redirection rule.

Basic native form controls - Learn web development
keep in mind this is just a user interface feature; unless you submit your form securely, it will get sent in plain text, which is bad for security — a malicious party could intercept your data and steal passwords, credit card details, or whatever else you've submitted.
... browsers recognize the security implications of sending form data over an insecure connection, and have warnings to deter users from using insecure forms.

The web and web standards - Learn web development
privacy & security.
...security refers to constructing your website in a secure way so that malicious users cannot steal information contained on it from you or your users.

What’s in the head? Metadata in HTML - Learn web development
note: if your site uses a content security policy (csp) to enhance its security, the policy applies to the favicon.
... if you encounter problems with the favicon not loading, verify that the content-security-policy header's img-src directive is not preventing access to it.

Client-side storage - Learn web development
this makes sense — you can imagine the security issues that would arise if websites could see each other's data!
...this is rather confusing, but it has to work this way for security reasons.

Third-party APIs - Learn web development
they usually require api keys security for browser apis tends to be handled by permission prompts, as discussed in our first article.
... get a developer key most apis require you to use some kind of developer key, for reasons of security and accountability.

What is JavaScript? - Learn web development
browser security each browser tab has its own separate bucket for running code in (these buckets are called "execution environments" in technical terms) — this means that in most cases the code in each tab is run completely separately, and the code in one tab cannot directly affect the code in another tab — or on another website.
... this is a good security measure — if this were not the case, then pirates could start writing code to steal information from other websites, and other such bad things.

Mozilla’s UAAG evaluation report
(p1) p animated images can be made still with the escape key animated images can be made still as a preference under preferences, privacy & security, images - "animated images should loop" mozilla has no preference or command to toggle audio or video 3.3 toggle animated/blinking text.
... this is also under preferences, security, ssl, "sending form data from unencrypted page to unencrypted page" 5.6 confirm fee links.

Choosing the right memory allocator
nspr memory allocators you should only use the nspr allocators within nspr or the security code located in the /security/ subtree of the source code.
... pr_alloc() (do not use, no users and only exists in /security/; use pr_malloc() instead) pr_malloc() == pr_malloc pr_calloc() == pr_calloc pr_realloc() == pr_realloc pr_free() pr_new (pass in a struct to allocate its size) pr_newzap (same as pr_new, but zeros memory) pr_delete (pr_free() and also clears the pointer) pr_freeif special cases pr_smprintf(), pr_sprintf_append(), pr_vsmprintf() and pr_vsprintf_append() must be freed with pr_smprintf_free() pl_strdup(), pl_strndup() must be freed with pl_strfree() nscrt::strdup/nscrt::strndup must be freed with nscrt::free allocating memory within plugins there are special memory allocation routines specifically intended for use from plugins, which must not be used from within mozilla...

Chrome registration
note: there are no security restrictions preventing web content from including content at resource: uris, so take care what you make visible there.
... component {09543782-22b1-4a0b-ba07-9134365776ee} maincomponent.js process=main component {98309951-ac89-4642-afea-7b2b6216bcef} contentcomponent.js process=content xpcnativewrappers chrome packages can decide whether to use the xpcnativewrapper security mechanism to automatically protect their code against malicious content that they might access.

Interface Compatibility
web content apis which are visible to web content are not modified, except as a last resort when inherent security vulnerabilities or incompatibility with other browsers make it the only option.
... in micro/maintenance releases, there should be no incompatible changes to interfaces, except as a last resort when a security fix leaves no other option.

Index
169 privacy privacy, security this document lists privacy-related documentation.
... 172 security best practices for firefox front-end engineers best practices, developing firefox, developing mozilla, firefox, front-end, mozilla, performance this article will help firefox developers understand the security controls in place and avoid common pitfalls when developing front-end code for firefox.

Site Identity Button
if the site identity button on your site shows something you do not expect (for example, an orange warning triangle when you expect a green padlock) you can find out the cause of the problem by looking in the web console in the firefox developer tools: ensure your web console is displaying messages in the 'security' category force-refresh the page on your site that is causing problems watch for any security messages that may appear a downgraded security ui will be due to one of these three problems: mixed content - while your page has been served over tls, but subresources loaded for your page have not.
... insecure renegotation - older versions of tls had a flaw in the basic design; if your server uses an affected version, the security ui will be downgraded but no web console message will be displayed.

Bootstrapping a new locale
d/browser/updater ab-cd/toolkit cp -r mozilla-1.9.x/browser/locales/ ab-cd/browser cp -r mozilla-1.9.x/dom/locales/ ab-cd/dom cp -r mozilla-1.9.x/editor/locales/ ab-cd/editor cp -r mozilla-1.9.x/extensions/reporter/locales/chrome ab-cd/extensions cp -r mozilla-1.9.x/netwerk/locales/ ab-cd/netwerk cp -r mozilla-1.9.x/other-licenses/branding/firefox/locales/ ab-cd/other-licenses cp -r mozilla-1.9.x/security/manager/locales/ ab-cd/security cp -r mozilla-1.9.x/toolkit/locales/ ab-cd/toolkit getting started change your directory to the new working directory so you are in the ~/[your working directory]/[ab-cd]/ path and can start localizing.
... directories to localize if you're starting from scratch, you should have just downloaded: mozilla-1.9.x/browser/locales/ mozilla-1.9.x/dom/locales/ mozilla-1.9.x/netwerk/locales/ mozilla-1.9.x/other-licenses/branding/firefox/locales/en-us mozilla-1.9.x/security/manager/locales/ mozilla-1.9.x/toolkit/locales/ and then copied them so that the files for localization end up in the following directories: ab-cd/browser/ ab-cd/dom/ ab-cd/netwerk/ ab-cd/other-licenses/branding/firefox/ ab-cd/security/manager/ ab-cd/toolkit/ translating to start editing, you will need a text editing application.

Phishing: a short definition
a study on the efficacy of security indicators, presented at the 2007 ieee symposium on security and privacy, suggests that the above countermeasures fail to protect the majority of users.
...web authentication supports millions of readily avilable fido u2f usb security keys, and will support the more advanced fido 2.0 keys, once made available.

JSS FAQ
jss example code is essentially developer test code; with that understanding, the best directory to look for sample code is in the org/mozilla/jss/tests directory: http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests org/mozilla/jss/tests/closedbs.java org/mozilla/jss/tests/keyfactorytest.java org/mozilla/jss/tests/digesttest.java org/mozilla/jss/tests/jcasigtest.java org/mozilla/jss/tests/keywrapping.java org/mozilla/jss/tests/listcerts.java org/mozilla/jss/tests/pk10gen.java org/mozilla/jss/tests/sdr.java org/mozilla/jss/tests/sel...
... check http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/sslsocket.java#730 how can i debug my ssl connection?

NSS 3.12.6 release notes
nss 3.12.6 release notes 2010-03-03 newsgroup: mozilla.dev.tech.crypto introduction network security services (nss) 3.12.6 is a patch release for nss 3.12.
... nss 3.12.6 source and binary distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_12_6_rtm/src/.

NSS 3.12.9 release notes
<center> 2010-09-23</center> <center> newsgroup: mozilla.dev.tech.crypto</center> introduction network security services (nss) 3.12.9 is a patch release for nss 3.12.
... nss 3.12.9 source distribution is also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3.12.9_rtm/src/.

NSS 3.14.1 release notes
introduction network security services (nss) 3.14.1 is a patch release for nss 3.14.
...nss 3.14.1 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_14_1_rtm/src/ new in nss 3.14.1 new functionality nss now has the ability to create signed ocsp responses.

NSS 3.14.3 release notes
introduction network security services (nss) 3.14.3 is a patch release for nss 3.14.
...nss 3.14.3 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_14_3_rtm/src/ new in nss 3.14.3 new functionality no new major functionality is introduced in this release.

NSS 3.14.4 release notes
introduction network security services (nss) 3.14.4 is a patch release for nss 3.14.
...nss 3.14.4 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_14_4_rtm/src/ security advisories the following security-relevant bugs have been resolved in nss 3.14.4.

NSS 3.14.5 release notes
introduction network security services (nss) 3.14.5 is a patch release for nss 3.14.
...nss 3.14.5 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_14_5_rtm/src/ security advisories the following security-relevant bugs have been resolved in nss 3.14.5.

NSS 3.15.1 release notes
introduction network security services (nss) 3.15.1 is a patch release for nss 3.15.
...distribution information nss 3.15.1 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_15_1_rtm/src/ new in nss 3.15.1 new functionality tls 1.2: tls 1.2 (rfc 5246) is supported.

NSS 3.15.2 release notes
introduction network security services (nss) 3.15.2 is a patch release for nss 3.15.
...distribution information nss 3.15.2 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_15_2_rtm/src/ security advisories the following security-relevant bugs have been resolved in nss 3.15.2.

NSS 3.15.3.1 release notes
introduction network security services (nss) 3.15.3.1 is a patch release for nss 3.15.
...nss 3.15.3.1 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_15_3_1_rtm/src/ security advisories the following security-relevant bugs have been resolved in nss 3.15.3.1.

NSS 3.15.3 release notes
introduction network security services (nss) 3.15.3 is a patch release for nss 3.15.
...nss 3.15.3 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_15_3_rtm/src/ security advisories the following security-relevant bugs have been resolved in nss 3.15.3.

NSS 3.15.4 release notes
introduction network security services (nss) 3.15.4 is a patch release for nss 3.15.
...nss 3.15.4 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_15_4_rtm/src/ security advisories the following security-relevant bugs have been resolved in nss 3.15.4.

NSS 3.15.5 release notes
introduction network security services (nss) 3.15.5 is a patch release for nss 3.15.
...nss 3.15.5 source distributions are also available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_15_5_rtm/src/ new in nss 3.15.5 new functionality added support for the tls application layer protocol negotiation (alpn) extension.

NSS 3.15 release notes
introduction the nss team has released network security services (nss) 3.15, which is a minor release.
...nss 3.15 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_15_rtm/src/ new in nss 3.15 new functionality support for ocsp stapling (rfc 6066, certificate status request) has been added for both client and server sockets.

NSS 3.16.1 release notes
introduction network security services (nss) 3.16.1 is a patch release for nss 3.16.
...nss 3.16.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_1_rtm/src/ new in nss 3.16.1 new functionality added the "ecc" flag for modutil to select the module used for elliptic curve cryptography (ecc) operations.

NSS 3.16.2.2 release notes
introduction network security services (nss) 3.16.2.2 is a patch release for nss 3.16.
... nss 3.16.2.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_2_2_rtm/src/ new in nss 3.16.2.2 new functionality no new functionality is introduced in this release.

NSS 3.16.2.3 release notes
introduction network security services (nss) 3.16.2.3 is a patch release for nss 3.16.
... nss 3.16.2.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_2_3_rtm/src/ new in nss 3.16.2.3 this patch release fixes a bug and contains a backport of the tls_fallback_scsv feature, which was originally made available in nss 3.17.1.

NSS 3.16.2 release notes
introduction network security services (nss) 3.16.2 is a patch release for nss 3.16.
...nss 3.16.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_2_rtm/src/ new in nss 3.16.2 new functionality dtls 1.2 is supported.

NSS 3.16.3 release notes
introduction network security services (nss) 3.16.3 is a patch release for nss 3.16.
...nss 3.16.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_3_rtm/src/ new in nss 3.16.3 this release consists primarily of ca certificate changes as listed below, and fixes an issue with a recently added utility function.

NSS 3.16.6 release notes
introduction network security services (nss) 3.16.6 is a patch release for nss 3.16.
... nss 3.16.6 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_6_rtm/src/ new in nss 3.16.6 new functionality no new functionality is introduced in this release.

NSS 3.16 release notes
introduction the nss team has released network security services (nss) 3.16, which is a minor release.
...nss 3.16 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_16_rtm/src/ new in nss 3.16 new functionality supports the linux x32 abi.

NSS 3.17.2 release notes
introduction network security services (nss) 3.17.2 is a patch release for nss 3.17.
...nss 3.17.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_17_2_rtm/src/ new in nss 3.17.2 new functionality no new functionality is introduced in this release.

NSS 3.17.3 release notes
introduction network security services (nss) 3.17.3 is a patch release for nss 3.17.
... nss 3.17.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_17_3_rtm/src/ new in nss 3.17.3 new functionality support for tls_fallback_scsv has been added to the ssltap and tstclnt utilities.

NSS 3.17.4 release notes
introduction network security services (nss) 3.17.4 is a patch release for nss 3.17.
... nss 3.17.4 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_17_4_rtm/src/ new in nss 3.17.4 new functionality no new functionality is introduced in this release.

NSS 3.17 release notes
introduction the nss team has released network security services (nss) 3.17, which is a minor release.
...nss 3.17 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_17_rtm/src/ new in nss 3.17 new functionality when using ecdhe, the tls server code may be configured to generate a fresh ephemeral ecdh key for each handshake, by setting the ssl_reuse_server_ecdhe_key socket option to pr_false.

NSS 3.18 release notes
introduction the nss team has released network security services (nss) 3.18, which is a minor release.
... nss 3.18 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_18_rtm/src/ new in nss 3.18 new functionality when importing certificates and keys from a pkcs#12 source, it's now possible to override the nicknames, prior to importing them into the nss database, using new api sec_pkcs12decoderrenamecertnicknames.

NSS 3.19.1 release notes
introduction network security services (nss) 3.19.1 is a security release for nss 3.19.
... nss 3.19.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_19_1_rtm/src/ security fixes in nss 3.19.1 bug 1138554 / cve-2015-4000 - the minimum strength of keys that libssl will accept for finite field algorithms (rsa, diffie-hellman, and dsa) have been increased to 1023 bits.

NSS 3.19.3 release notes
introduction network security services (nss) 3.19.3 is a patch release for nss 3.19.
... nss 3.19.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_19_3_rtm/src/ new in nss 3.19.3 no new functionality is introduced in this release.

NSS 3.19 release notes
introduction the nss team has released network security services (nss) 3.19, which is a minor security release.
... nss 3.19 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_19_rtm/src/ security fixes in nss 3.19 bug 1086145 / cve-2015-2721 - fixed a bug related to the ordering of tls handshake messages.

NSS 3.20 release notes
introduction the nss team has released network security services (nss) 3.20, which is a minor release.
... nss 3.20 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_20_rtm/src/ new in nss 3.20 new functionality the tls library has been extended to support dhe ciphersuites in server applications.

NSS 3.21.4 release notes
introduction network security services (nss) 3.21.4 is a security patch release for nss 3.21.
... nss 3.21.4 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_21_4_rtm/src/ new in nss 3.21.4 no new functionality is introduced in this release.

NSS 3.22.1 release notes
introduction network security services (nss) 3.22.1 is a patch release for nss 3.22.
... nss 3.22.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_22_1_rtm/src/ new in nss 3.22.1 new functionality no new functionality is introduced in this release.

NSS 3.22.3 release notes
introduction network security services (nss) 3.22.3 is a patch release for nss 3.22.
... nss 3.22.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_22_3_rtm/src/ new in nss 3.22.3 new functionality no new functionality is introduced in this release.

NSS 3.22 release notes
introduction the nss team has released network security services (nss) 3.22, which is a minor release.
... nss 3.22 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_22_rtm/src/ new in nss 3.22 new functionality rsa-pss signatures are now supported (bug 1215295) new functions pk11_signwithmechanism() and pk11_signwithmechanism() are provided to allow rsa keys to be used with pss.

NSS 3.24 release notes
introduction the network security services (nss) team has released nss 3.24, which is a minor release.
... nss 3.24 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_24_rtm/src/ new in nss 3.24 nss 3.24 includes two nss softoken updates, a new function to configure ssl/tls server sockets, and two functions to improve the use of temporary arenas.

NSS 3.25.1 release notes
introduction network security services (nss) 3.25.1 is a patch release for nss 3.25.
... nss 3.25.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_25_1_rtm/src/ new in nss 3.25.1 new functionality no new functionality is introduced in this release.

NSS 3.25 release notes
introduction the network security services (nss) team has released nss 3.25, which is a minor release.
... source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_25_rtm/src/ new in nss 3.25 new functionality implemented dhe key agreement for tls 1.3.

NSS 3.26.2 release notes
introduction network security services (nss) 3.26.2 is a patch release for nss 3.26.
... nss 3.26.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_26_2_rtm/src/ new in nss 3.26.2 new functionality no new functionality is introduced in this release.

NSS 3.26 release notes
introduction the network security services (nss) team has released nss 3.26, which is a minor release.
... nss 3.26 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_26_rtm/src/ new in nss 3.26 new functionality the selfserv test utility has been enhanced to support alpn (http/1.1) and 0-rtt added support for the system-wide crypto policy available on fedora linux, see http://fedoraproject.org/wiki/changes/cryptopolicy introduced build flag nss_disable_libpkix which allows compilation of nss without the libpkix library notable changes in nss 3.26 the following ca certificate was added cn = isrg root x1 sha-256 fingerprint: 96:bc:ec:0...

NSS 3.27.1 release notes
introduction network security services (nss) 3.27.1 is a patch release for nss 3.27.
... nss 3.27.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_27_1_rtm/src/ new in nss 3.27.1 new functionality no new functionality is introduced in this release.

NSS 3.27.2 Release Notes
introduction network security services (nss) 3.27.2 is a patch release for nss 3.27.
... nss 3.27.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_27_2_rtm/src/ new in nss 3.27.2 new functionality no new functionality is introduced in this release.

NSS 3.27 release notes
introduction the network security services (nss) team has released nss 3.27, which is a minor release.
... nss 3.27 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_27_rtm/src/ new in nss 3.27 new functionality allow custom named group priorities for tls key exchange handshake (ssl_namedgroupconfig).

NSS 3.28.2 release notes
introduction network security services (nss) 3.28.2 is a patch release for nss 3.28.
... nss 3.28.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_28_2_rtm/src/ incorrect version number note the version numbers embedded in the nss 3.28.2 are wrong (it reports itself as version 3.28.1).

NSS 3.28.3 release notes
introduction network security services (nss) 3.28.3 is a patch release for nss 3.28.
... nss 3.28.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/security/nss/releases/nss_3_28_3_rtm/src/ new in nss 3.28.3 new functionality no new functionality is introduced in this release.

NSS 3.28.4 release notes
introduction network security services (nss) 3.28.4 is a security patch release for nss 3.28.
... nss 3.28.4 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_28_4_rtm/src/ new in nss 3.28.4 no new functionality is introduced in this release.

NSS 3.28.5 release notes
introduction network security services (nss) 3.28.5 is a patch release for nss 3.28.
... nss 3.28.5 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_28_5_rtm/src/ new in nss 3.28.5 no new functionality is introduced in this release.

NSS 3.28 release notes
introduction the network security services (nss) team has released nss 3.28, which is a minor release.
... nss 3.28 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_28_rtm/src/ new in nss 3.28 new functionality nss includes support for tls 1.3 draft -18.

NSS 3.29.1 release notes
introduction network security services (nss) 3.29.1 is a patch release for nss 3.29.
... nss 3.29.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/security/nss/releases/nss_3_29_1_rtm/src/ new in nss 3.29.1 new functionality no new functionality is introduced in this release.

NSS 3.29.2 release notes
introduction network security services (nss) 3.29.2 is a patch release for nss 3.29.
... nss 3.29.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/security/nss/releases/nss_3_29_2_rtm/src/ new in nss 3.29.2 new functionality no new functionality is introduced in this release.

NSS 3.29.3 release notes
introduction network security services (nss) 3.29.3 is a patch release for nss 3.29.
... nss 3.29.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_29_3_rtm/src/ new in nss 3.29.3 no new functionality is introduced in this release.

NSS 3.29.5 release notes
introduction network security services (nss) 3.29.5 is a security patch release for nss 3.29.
... nss 3.29.5 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_29_5_rtm/src/ new in nss 3.29.5 no new functionality is introduced in this release.

NSS 3.29 release notes
introduction the network security services (nss) team has released nss 3.29, which is a minor release.
... nss 3.29 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_29_rtm/src/ notable changes in nss 3.29 fixed a nss 3.28 regression in the signature scheme flexibility that causes connectivity issues between ios 8 clients and nss servers with ecdsa certificates (bug1334114).

NSS 3.30.1 release notes
introduction network security services (nss) 3.30.1 is a security patch release for nss 3.30.
... nss 3.30.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_30_1_rtm/src/ new in nss 3.30.1 no new functionality is introduced in this release.

NSS 3.30.2 release notes
introduction network security services (nss) 3.30.2 is a patch release for nss 3.30.
... nss 3.30.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_30_2_rtm/src/ new in nss 3.30.2 no new functionality is introduced in this release.

NSS 3.30 release notes
introduction the network security services (nss) team has released nss 3.30, which is a minor release.
... nss 3.30 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_30_rtm/src/ new in nss 3.30 new functionality in the pkcs#11 root ca module (nssckbi), cas with positive trust are marked with a new boolean attribute, cka_nss_mozilla_ca_policy, set to true.

NSS 3.31.1 release notes
introduction the network security services (nss) team has released nss 3.31.1, which is a patch release for nss 3.31.
... nss 3.31.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_31_1_rtm/src/ new in nss 3.31.1 no new functionality is introduced in this release.

NSS 3.31 release notes
introduction the network security services (nss) team has released nss 3.31, which is a minor release.
... nss 3.31 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_31_rtm/src/ new in nss 3.31 new functionality allow certificates to be specified by rfc7512 pkcs#11 uris.

NSS 3.32 release notes
introduction the network security services (nss) team has released nss 3.32, which is a minor release.
... nss 3.32 source distributions are available on ftp.mozilla.org, for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_32_rtm/src/ notable changes in nss 3.32 various minor improvements and correctness fixes.

NSS 3.33 release notes
introduction the network security services (nss) team has released nss 3.33, which is a minor release.
... nss 3.33 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_33_rtm/src/ notable changes in nss 3.33 tls compression is no longer supported.

NSS 3.34.1 release notes
introduction the network security services (nss) team has released nss 3.34.1, which is a minor release.
... nss 3.34.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_34_1_rtm/src/ notable changes in nss 3.34.1 the following ca certificate was re-added.

NSS 3.34 release notes
introduction the network security services (nss) team has released nss 3.34, which is a minor release.
... nss 3.34 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_34_rtm/src/ notable changes in nss 3.34 the following ca certificates were added: cn = gdca trustauth r5 root sha-256 fingerprint: bf:ff:8f:d0:44:33:48:7d:6a:8a:a6:0c:1a:29:76:7a:9f:c2:bb:b0:5e:42:0f:71:3a:13:b9:92:89:1d:38:93 trust flags: websites cn = ssl.com root certification authority rsa sha-256 fingerprint: 85:66:6a:56:2e:e0:be:5c:e9:25:c1:d8:89:0a:6f:76:a8:7e:c1:6d:4d:7d:5f:29:ea:74:19:cf:20:12:3b:69 trust flags: websites, email ...

NSS 3.36.1 release notes
introduction network security services (nss) 3.36.1 is a patch release for nss 3.36.
... nss 3.36.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/security/nss/releases/nss_3_36_1_rtm/src/ new in nss 3.xx new functionality no new functionality is introduced in this release.

NSS 3.36.2 release notes
introduction network security services (nss) 3.36.2 is a patch release for nss 3.36.
... nss 3.36.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/security/nss/releases/nss_3_36_2_rtm/src/ new in nss 3.36.2 new functionality no new functionality is introduced in this release.

NSS 3.36.4 release notes
introduction network security services (nss) 3.36.4 is a patch release for nss 3.36.
... nss 3.36.4 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/security/nss/releases/nss_3_36_4_rtm/src/ new in nss 3.36.4 new functionality no new functionality is introduced in this release.

NSS 3.36.5 release notes
introduction network security services (nss) 3.36.5 is a patch release for nss 3.36.
... nss 3.36.5 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_36_5_rtm/src/ new in nss 3.36.5 new functionality no new functionality is introduced in this release.

NSS 3.36.6 release notes
introduction network security services (nss) 3.36.6 is a patch release for nss 3.36.
... nss 3.36.6 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_36_6_rtm/src/ new in nss 3.36.6 new functionality no new functionality is introduced in this release.

NSS 3.36.7 release notes
introduction network security services (nss) 3.36.7 is a patch release for nss 3.36.
... nss 3.36.7 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_36_7_rtm/src/ other releases are available in nss releases.

NSS 3.36.8 release notes
introduction network security services (nss) 3.36.8 is a patch release for nss 3.36.
... nss 3.36.8 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_36_8_rtm/src/ other releases are available in nss releases.

NSS 3.36 release notes
introduction the nss team has released network security services (nss) 3.36, which is a minor release.
... nss 3.36 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_36_rtm/src/ (make a link) new in nss 3.36 new functionality experimental apis for tls session cache handling.

NSS 3.37.1 release notes
introduction network security services (nss) 3.37.1 is a patch release for nss 3.37.
... nss 3.37.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/security/nss/releases/nss_3_37_1_rtm/src/ new in nss 3.37.1 new functionality no new functionality is introduced in this release.

NSS 3.37.3 release notes
introduction network security services (nss) 3.37.3 is a patch release for nss 3.37.
... nss 3.37.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/security/nss/releases/nss_3_37_3_rtm/src/ new in nss 3.37.3 new functionality no new functionality is introduced in this release.

NSS 3.37 release notes
introduction the nss team has released network security services (nss) 3.37, which is a minor release.
... nss 3.37 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_37_rtm/src/ notable changes in nss 3.37 the tls 1.3 implementation was updated to draft 28.

NSS 3.39 release notes
introduction the nss team has released network security services (nss) 3.39, which is a minor release.
... nss 3.39 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_39_rtm/src/ new in nss 3.39 new functionality the tstclnt and selfserv utilities added support for configuring the enabled tls signature schemes using the -j parameter.

NSS 3.40.1 release notes
introduction the nss team has released network security services (nss) 3.40.1, which is a patch release for nss 3.40 distribution information the hg tag is nss_3_40_1_rtm.
... nss 3.40 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_40_1_rtm/src/ new in nss 3.40.1 new functionality no new functionality is introduced in this release.

NSS 3.40 release notes
introduction the nss team has released network security services (nss) 3.40, which is a minor release.
... nss 3.40 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_40_rtm/src/ new in nss 3.40 new functionality the draft-00 version of encrypted sni support is implemented tstclnt now takes -n option to specify encrypted sni key new functions none notable changes in nss 3.40 the mozilla::pkix library has been ported from mozilla psm to nss.

NSS 3.41.1 release notes
introduction network security services (nss) 3.41.1 is a patch release for nss 3.41.
... nss 3.41.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_41_1_rtm/src/ other releases are available in nss releases.

NSS 3.41 release notes
introduction the nss team has released network security services (nss) 3.41 on 7 december 2018, which is a minor release.
... nss 3.41 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_41_rtm/src/ new in nss 3.41 new functionality bug 1252891 - implemented eku handling for ipsec ike.

NSS 3.42.1 release notes
introduction the nss team has released network security services (nss) 3.42.1 on 31 january 2019, which is a patch release.
... nss 3.42.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_42_1_rtm/src/ other releases are available in nss releases.

NSS 3.42 release notes
introduction the nss team has released network security services (nss) 3.42 on 25 january 2019, which is a minor release.
... nss 3.42 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_42_rtm/src/ other releases are available in nss releases.

NSS 3.43 release notes
introduction the nss team has released network security services (nss) 3.43 on 16 march 2019, which is a minor release.
... nss 3.43 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_43_rtm/src/ other releases are available in nss releases.

NSS 3.44.1 release notes
introduction network security services (nss) 3.44.1 is a patch release for nss 3.44.
... nss 3.44.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_44_1_rtm/src/ other releases are available in nss releases.

NSS 3.44.2 release notes
introduction network security services (nss) 3.44.2 is a patch release for nss 3.44.
... nss 3.44.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_44_2_rtm/src/ other releases are available in nss releases.

NSS 3.44.3 release notes
introduction network security services (nss) 3.44.3 is a patch release for nss 3.44.
... nss 3.44.3 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_44_3_rtm/src/ other releases are available in nss releases.

NSS 3.44 release notes
introduction the nss team has released network security services (nss) 3.44 on 10 may 2019, which is a minor release.
... nss 3.44 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_44_rtm/src/ other releases are available in nss releases.

NSS 3.45 release notes
introduction the nss team has released network security services (nss) 3.45 on 5 july 2019, which is a minor release.
... nss 3.45 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_45_rtm/src/ other releases are available in nss releases.

NSS 3.46.1 release notes
introduction network security services (nss) 3.46.1 is a patch release for nss 3.46.
... nss 3.46.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_46_1_rtm/src/ other releases are available in nss releases.

NSS 3.47.1 release notes
introduction network security services (nss) 3.47.1 is a patch release for nss 3.47.
... nss 3.47.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_47_1_rtm/src/ other releases are available in nss releases.

NSS 3.47 release notes
introduction the nss team has released network security services (nss) 3.47 on 18 october 2019, which is a minor release.
... nss 3.47 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_47_rtm/src/ other releases are available in nss releases.

NSS 3.48.1 release notes
introduction network security services (nss) 3.48.1 is a patch release for nss 3.48.
... nss 3.48.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_48_1_rtm/src/ other releases are available in nss releases.

NSS 3.48 release notes
introduction the nss team has released network security services (nss) 3.48 on 5 december 2019, which is a minor release.
... nss 3.48 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_48_rtm/src/ other releases are available in nss releases.

NSS 3.49.1 release notes
introduction network security services (nss) 3.49.1 is a patch release for nss 3.49.
... nss 3.49.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_49_1_rtm/src/ other releases are available in nss releases.

NSS 3.49.2 release notes
introduction network security services (nss) 3.49.2 is a patch release for nss 3.49.
... nss 3.49.2 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_49_2_rtm/src/ other releases are available in nss releases.

NSS 3.50 release notes
introduction the nss team has released network security services (nss) 3.50 on 7 february 2020, which is a minor release.
... nss 3.50 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_50_rtm/src/ other releases are available in nss releases.

NSS 3.51.1 release notes
introduction the nss team has released network security services (nss) 3.51.1 on 3 april 2020.
... nss 3.51.1 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_51_1_rtm/src/ other releases are available in nss releases.

NSS 3.52 release notes
introduction the nss team has released network security services (nss) 3.52 on 1 may 2020.
... nss 3.52 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_52_rtm/src/ other releases are available in nss releases.

NSS 3.54 release notes
introduction the nss team has released network security services (nss) 3.54 on 26 june 2020, which is a minor release.
... nss 3.54 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_54_rtm/src/ other releases are available in nss releases.

NSS 3.56 release notes
introduction the nss team has released network security services (nss) 3.56 on 21 august 2020, which is a minor release.
... nss 3.56 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_56_rtm/src/ other releases are available in nss releases.

NSS sources building testing
getting the source code of network security services (nss), how to build it, and how to run its test suite.
...the subdirectories dbm, security/dbm, security/coreconf, security/nss were part of the nss sources.) the nss directory contains the following important subdirectories: nss/coreconf contains knowledge for cross platform building.

PKCS11 module installation
pkcs #11 modules are external modules which add to firefox support for smartcard readers, biometric security devices, and external certificate stores.
...choose "advanced" > "encryption" > "security devices" choose "load" enter a name for the security module, such as "my client database".

FC_InitToken
syntax ck_rv fc_inittoken( ck_slot_id slotid, ck_char_ptr ppin, ck_ulong ulpinlen, ck_char_ptr plabel ); parameters fc_inittoken() has the following parameters: slotid the id of the token's slot ppin the password of the security officer (so) ulpinlen the length in bytes of the so password plabel points to the label of the token, which must be padded with spaces to 32 bytes and not be null-terminated description fc_inittoken() initializes a brand new token or re-initializes a token that was initialized before.
... the "reset password" button of the mozilla application suite and seamonkey (in preferences->privacy & security->master passwords) calls fc_inittoken().

NSC_InitToken
syntax ck_rv nsc_inittoken( ck_slot_id slotid, ck_char_ptr ppin, ck_ulong ulpinlen, ck_char_ptr plabel ); parameters nsc_inittoken() has the following parameters: slotid the id of the token's slot ppin the password of the security officer (so) ulpinlen the length in bytes of the so password plabel points to the label of the token, which must be padded with spaces to 32 bytes and not be null-terminated description nsc_inittoken() initializes a brand new token or re-initializes a token that was initialized before.
... the "reset password" button of the mozilla application suite and seamonkey (in preferences->privacy & security->master passwords) calls nsc_inittoken().

NSS_Initialize
secmodname [in] name of the security module database, usually "secmod.db".
...nss_init_nomoddb - don't open the security module db, just initialize the pkcs #11 module.

NSS tools : vfyserv
name vfyserv — tbd synopsis vfyserv description the vfyserv tool verifies a certificate chain options additional resources for information about nss and other tools related to nss (like jss), check out the nss project wiki at [1]http://www.mozilla.org/projects/security/pki/nss/.
...http://www.mozilla.org/projects/security/pki/nss/ ...

OLD SSL Reference
ssl, pkcs #11, and the default security databases setting up the certificate and key databases setting up the ca db and certificate setting up the server db and certificate setting up the client db and certificate verifying the server and client certificates building nss programs chapter 3 selected ssl types and structures this chap...
... ssl_authcertificate ssl_badcerthook ssl_getclientauthdatahook nss_getclientauthdata ssl_handshakecallback ssl communication functions ssl_invalidatesession ssl_datapending ssl_securitystatus ssl_getsessionid ssl_setsockpeerid ssl functions used by callbacks ssl_peercertificate ssl_revealurl ssl_revealpinarg ssl handshake functions ssl_forcehandshake ssl_rehandshake ...

Rhino FAQ
for example, creating an array of seven ints can be done with the code var intarray = java.lang.reflect.array.newinstance(java.lang.integer.type, 7); when i try to execute a script i get the exception required security context missing.
... you've likely missed placing the security.properties file in your class path at org.mozilla.javascript.resources.

Rhino shell
note if the shell is invoked with the system property rhino.use_java_policy_security set to true and with a security manager installed, the shell restricts scripts permissions based on their urls according to java policy settings.
... this is available only if jvm implements java2 security model.

Shumway
the user has adobe flash player disabled (or set to "click-to-enable") for performance or security reasons.
...users who disable flash because of security or performance concerns can still see content through shumway because it cannot be forced to behave worse than javascript (and webgl, etc.) allows.

SpiderMonkey compartments
this invariant is very useful for security purposes.
... ​see also js_newcompartmentandglobalobject() js_entercrosscompartmentcall() js_leavecrosscompartmentcall() jsautocompartment invariants spidermonkey internals: thread safety andreas gal blog post bobby holley blog post sfink/contexts_and_compartments xpconnect security membranes ...

Hacking Tips
note 1: when you are doing this from "file:///" you will probably get a security warning in the console.
...the other being disable this check in "about:config", by temporarily switching "security.fileuri.strict_origin_policy" to false note 2: the files can be very big and take a long time to load in the browser.

Garbage collection
this allows compartments to be used for security checks: objects in the same compartment have the same access requirements, so no checks are needed, but checks may be done when traversing cross-compartment wrappers.
...unlike compartments, zones have no special security properties.

JSCheckAccessOp
jscheckaccessop implementations generally work by using jsdbgapi functions such as js_frameiterator and js_stackframeprincipals to obtain the principals of the code attempting the checked operation, then examining those principals and comparing them with the system's security policy.
... the nature of principals and the security policy are entirely up to the application.

JSObjectPrincipalsFinder
jsobjectprincipalsfinder is the type of a security callback that can be configured using js_setobjectprincipalsfinderjsapi 1.8 and earlier or js_setruntimesecuritycallbacksadded in spidermonkey 1.8.1.
...since it is very common for jsobjectops.checkaccess or jsclass.checkaccess hooks to call these functions, the object principals finder callback is a key security feature.

JSPrincipals
define security information for an object or script.
...some examples of security-enhanced api call are js_compilescriptforprincipals, js_compilefunctionforprincipals, and js_evaluatescriptforprincipals.

JS_CompileUTF8FileHandle
principals jsprincipals * (only in js_compileutf8filehandleforprincipals) the security principals to associate with the new script, or null.
...js_compileutf8filehandleforprincipals is a version of the function for use with spidermonkey's security features.

A Web PKI x509 certificate primer
this type of hierarchy allows for a relatively simple long term root to be distributed to clients, and some flexibility on the intermediate cert so that you can change parameters based on best practices and security research.
...altname =dns:www.example.com extendedkeyusage =serverauth authorityinfoaccess = ocsp;uri:http://ocsp.example.com:80/ intermediate signs the csr (using sha256) and appends the extensions described in the file "openssl x509 -req -sha256 -days 1096 -in example.csr -cakey intkey.pem -ca int.pem -set_serial $some_large_integer -out www.example.com.pem -extfile openssl.int.cnf" security notes there are several organizations that provide recommendations regarding the security parameters for key/hash sizes given current computational power.

XML Extras
xmlhttprequest.open("ahost") ok file:// documents can access http:// documents but you need to enable universalbrowserread privilege in your scripts - see the javascript security: signed scripts document for more details.
...additionally, "foo.com:80" and "foo.com:313" are considered different hosts for security purposes.

XPConnect wrappers
this document is a high-level overview of xpconnect wrapper objects (for the more technical description see xpconnect security membranes).
... security wrappers exposed to chrome to learn about security wrappers, see the article on script security in gecko.

nsIBadCertListener2
security/manager/ssl/public/nsibadcertlistener2.idlscriptable this interface is used to is report a broken ssl status.
...this object usually supports nsisslsocketcontrol, nsitransportsecurityinfo, nsiidentityinfo, nsisslstatusprovider, nsiclientauthuserdecision and possibly other interfaces.

nsIChannel
used by the security manager to grant or deny privileges to mobile code loaded from this channel.
... securityinfo nsisupports transport-level security information (if any, else null) corresponding to the channel, normally presented through the interfaces nsitransportsecurityinfo and nsisslstatusprovider read only.

nsICryptoHMAC
these values map onto the values defined in mozilla/security/nss/lib/softoken/pkcs11t.h and are switched to ckm_*_hmac constant.
...to create the key object use for instance: var keyobject = components.classes["@mozilla.org/security/keyobjectfactory;1"] .getservice(components.interfaces.nsikeyobjectfactory) .keyfromstring(components.interfaces.nsikeyobject.hmac, rawkeydata); exceptions thrown ns_error_invalid_arg if an unsupported algorithm type is passed.

nsIDispatchSupport
gethostingflags() return the activex security and hosting flags.
... see nsiactivexsecuritypolicy for list of flags.

nsIDocShell
securityui nsisecurebrowserui the securebrowserui object for this docshell.
... aowner owner (security principal) aflags a combination of the internal load flags as detailed in the constants secion.

nsILocalFile
for security reasons, this cannot contain '..' or cannot start with a directory separator '/'.
...for security reasons, this cannot contain '..' or cannot start with a directory separator '/' .

nsIPromptService
the implementation may interpret this loosely, as the intent is to ensure that the user does not click through a security dialog too quickly.
...a delay can be useful not only to give the user more time to think before acting, but also as a countermeasure against malicious web sites that intentionally create a race condition whereby the user intends to click or type a key responding, for example, to the web site's prompt but the security dialog pops up unexpectedly and its button is unintentionally activated.

nsIProtocolHandler
uri_inherits_security_context 1<<4 uris for this protocol have no inherent security context, so documents loaded using this protocol should inherit the security context of the document that loads them.
...keep in mind that the decision of what constitutes an automatic load is made externally, by the caller of nsiscriptsecuritymanager.checkloaduri().

nsIPushSubscription
example const { classes: cc, interfaces: ci, utils: cu } = components; const scriptsecuritymanager = cc["@mozilla.org/scriptsecuritymanager;1"] .getservice(ci.nsiscriptsecuritymanager); const pushservice = cc["@mozilla.org/push/service;1"] .getservice(ci.nsipushservice); function sendsubscriptiontoserver(subscription) { let request = cc["@mozilla.org/xmlextras/xmlhttprequest;1"] .createinstance(ci.nsixmlhttpreque...
... key: string.fromcharcode.apply(null, btoa(subscription.getkey("p256dh"))), secret: string.fromcharcode.apply(null, btoa(subscription.getkey("auth"))), })); } pushservice.subscribe( "chrome://my-module/push", scriptsecuritymanager.getsystemprincipal(), (code, subscription) => { if (!components.issuccesscode(code)) { cu.reporterror("error creating subscription: " + code); } else { sendsubscriptiontoserver(subscription); } } ); see also nsipushservice nsipushmessage pushsubscription ...

nsIWindowWatcher
make sure you understand the security implications of this before using this method!
... note: this method may examine the javascript context stack for purposes of determining the security context to use for the search for a given window named aname.

WebIDL bindings
returning null from getparentobject is allowed in situations in which it's ok to associate the resulting object with a random global object for security purposes; this is not usually ok for things that are exposed to web content.
...they will get cross-compartment wrappers that make touching them from chrome code not be an immediate security bug, but otherwise they can have quite surprising behavior if the page is trying to be malicious.

Plugins
important: plugins are a legacy technology that are a security and performance problem for firefox (and other browser) users.
... plugin blocking by domain in order to improve security and performance for firefox users, firefox maintains a list of sites that are not able to use plugins.

Browser Console - Firefox Developer Tools
so it logs the same sorts of information as the web console - network requests, javascript, css, and security errors and warnings, and messages explicitly logged by javascript code.
... browser console logging the browser console logs the same sorts of messages as the web console: http requests warnings and errors (including javascript, css, security warnings and errors, and messages explicitly logged by javascript code using the console api).

CanvasRenderingContext2D.getImageData() - Web APIs
securityerror the canvas contains or may contain pixels which were loaded from an origin other than the one from which the document itself was loaded.
... to avoid securityerror being thrown in this situation, configure cors to allow the source image to be used in this way.

DOMException - Web APIs
securityerror the operation is insecure.
... (legacy code value: 18 and legacy constant name: security_err) networkerror a network error occurred.

Document.cookie - Web APIs
kie "reader" exists (es6)') } example #6: check that a cookie has a specific value //es5 if (document.cookie.split(';').some(function(item) { return item.indexof('reader=1') >= 0 })) { console.log('the cookie "reader" has "1" for value') } //es2016 if (document.cookie.split(';').some((item) => item.includes('reader=1'))) { console.log('the cookie "reader" has "1" for value') } security it is important to note that the path attribute does not protect against unauthorized reading of the cookie from a different path.
...read more about cookies and security.

FileException - Web APIs
security_err 2 access to the files were denied for one of the following reasons: the files might be unsafe for access within a web application.
... other unspecified security error code or situations.

FileSystemDirectoryEntry.getDirectory() - Web APIs
absolute paths may not be able to be used, for security reasons.
... fileerror.security_err the request to access the directory was denied for security reasons.

FileSystemDirectoryEntry - Web APIs
yesremoverecursively deprecatednon-standardchrome full support 8edge full support 79firefox no support 50 — 52notes no support 50 — 52notes notes while the removerecursively() method existed, it immediately called the error callback with ns_error_dom_security_err.ie no support noopera no support nosafari no support nowebview android full support ≤37chrome android full support 18firefox android no support ...
... 50 — 52notes no support 50 — 52notes notes while the removerecursively() method existed, it immediately called the error callback with ns_error_dom_security_err.opera android no support nosafari ios no support nosamsung internet android full support yeslegend full support full support no support no supportexperimental.

FileSystemFileEntry.createWriter() - Web APIs
samsung internetcreatewriter deprecatednon-standardchrome full support 8edge full support 79firefox no support 50 — 52notes no support 50 — 52notes notes while the createwriter() method existed, it immediately called errorcallback with the ns_error_dom_security_err error.ie no support noopera no support nosafari no support nowebview android full support ≤37chrome android full support 18firefox android no support ...
... 50 — 52notes no support 50 — 52notes notes while the createwriter() method existed, it immediately called errorcallback with the ns_error_dom_security_err error.opera android no support nosafari ios no support nosamsung internet android full support yeslegend full support full support no support no supportnon-standard.

FileSystemFileEntry - Web APIs
r prefix: webkitcreatewriter deprecatednon-standardchrome full support 8edge full support 79firefox no support 50 — 52notes no support 50 — 52notes notes while the createwriter() method existed, it immediately called errorcallback with the ns_error_dom_security_err error.ie no support noopera no support nosafari no support nowebview android full support ≤37chrome android full support 18firefox android no support ...
... 50 — 52notes no support 50 — 52notes notes while the createwriter() method existed, it immediately called errorcallback with the ns_error_dom_security_err error.opera android no support nosafari ios no support nosamsung internet android full support yesfilechrome full support 8edge full support 79firefox full support 50ie no support noopera no support nosafari full support ...

FileSystemFlags.create - Web APIs
13prefixed prefixed implemented with the vendor prefix: webkitedge full support ≤79prefixed full support ≤79prefixed prefixed implemented with the vendor prefix: webkitfirefox partial support 50notes partial support 50notes notes for security reasons, firefox does not support creating files.
... yesprefixed prefixed implemented with the vendor prefix: webkitchrome android full support yesprefixed full support yesprefixed prefixed implemented with the vendor prefix: webkitfirefox android partial support 50notes partial support 50notes notes for security reasons, firefox does not support creating files.

FileSystemFlags.exclusive - Web APIs
13prefixed prefixed implemented with the vendor prefix: webkitedge full support ≤79prefixed full support ≤79prefixed prefixed implemented with the vendor prefix: webkitfirefox partial support 50notes partial support 50notes notes for security reasons, firefox does not support creating files.
... yesprefixed prefixed implemented with the vendor prefix: webkitchrome android full support yesprefixed full support yesprefixed prefixed implemented with the vendor prefix: webkitfirefox android partial support 50notes partial support 50notes notes for security reasons, firefox does not support creating files.

LocalFileSystem - Web APIs
returns void exceptions this method can raise an fileerror with the following code: exception description security_error the application does not have permission to access the file system interface.
... security_err the application does not have permission to access the file system interface.

LocalFileSystemSync - Web APIs
exceptions this method can raise an fileexception with the following code: exception description security_error the application does not have permission to access the file system interface.
... security_err the application does not have permission to access the file system interface.

MediaRecorder.start() - Web APIs
securityerror the mediastream is configured to disallow recording.
...this exception may also be delivered as an error event if the security options for the source media change after recording begins.

Navigator.registerProtocolHandler() - Web APIs
exceptions securityerror the user agent blocked the registration.
... permitted schemes for security reasons, registerprotocolhandler() restricts which schemes can be registered.

Node.nodePrincipal - Web APIs
the node.nodeprincipal read-only property returns the nsiprincipal object representing current security context of the node.
... syntax principalobj = node.nodeprincipal value an nsiprincipal object representing the node's security context.

performance.now() - Web APIs
it's important to keep in mind that to mitigate potential security threats such as spectre, browsers typically round the returned value by some amount in order to be less predictable.
... the precision of the returned value is subject to change if/when the security concerns are alleviated through other means.

RTCConfiguration.certificates - Web APIs
the rtcconfiguration dictionary's optional certificates property is an array of rtccertificate objects providing the security certificates available for use when authenticating duing the connection process.
...]; let certificates = rtcconfiguration.certificates; value an array of rtccertificate objects, each specifying one security certificate available for use when connecting to a remote peer.

RTCConfiguration.iceTransportPolicy - Web APIs
the agent—or the browser itself—may still perform some form of ip filtering on the incoming candidates for reasons including privacy and security, as well as to simply limit the number of candidates.
... this can be used to prevent the remote endpoint from receiving the user's ip addresses, which may be important in some security situations.

RTCIceCandidate.address - Web APIs
security notes it's important to note here that although webrtc does not require the two peers on an rtcpeerconnection to know one another's true ip addresses, the address property on rtcicecandidate can expose more information about the source of the remote peer than the user expects.
... applications being built with user privacy and security in mind can choose to limit the permitted candidates to relay candidates only.

RTCIceCandidate.relatedPort - Web APIs
the related address (relatedaddress) and port are not used at all by ice itself; they are provided for analysis and diagnostic purposes only, and their inclusion may be blocked by security systems, so do not rely on them having non-null values.
...they may in fact be omitted for security reasons, but if present can be a useful tool during debugging.

Using Service Workers - Web APIs
you’ll also need to serve your code via https — service workers are restricted to running across https for security reasons.
...see security considerations ...

SpeechRecognitionError.error - Web APIs
not-allowed the user agent disallowed any speech input from occurring for reasons of security, privacy or user preference.
... service-not-allowed the user agent disallowed the requested speech recognition service, either because the user agent doesn't support it or because of reasons of security, privacy or user preference.

SpeechRecognitionErrorEvent.error - Web APIs
not-allowed the user agent disallowed any speech input from occurring for reasons of security, privacy or user preference.
... service-not-allowed the user agent disallowed the requested speech recognition service, either because the user agent doesn't support it or because of reasons of security, privacy or user preference.

SubtleCrypto.exportKey() - Web APIs
*/ window.crypto.subtle.generatekey( { name: "rsa-pss", // consider using a 4096-bit key for systems that require long-term security moduluslength: 2048, publicexponent: new uint8array([1, 0, 1]), hash: "sha-256", }, true, ["sign", "verify"] ).then((keypair) => { const exportbutton = document.queryselector(".pkcs8"); exportbutton.addeventlistener("click", () => { exportcryptokey(keypair.privatekey); }); }); subjectpublickeyinfo export this example exports an rsa public encryption key as a pem-enc...
...*/ window.crypto.subtle.generatekey( { name: "rsa-oaep", // consider using a 4096-bit key for systems that require long-term security moduluslength: 2048, publicexponent: new uint8array([1, 0, 1]), hash: "sha-256", }, true, ["encrypt", "decrypt"] ).then((keypair) => { const exportbutton = document.queryselector(".spki"); exportbutton.addeventlistener("click", () => { exportcryptokey(keypair.publickey); }); }); json web key import this code exports an ecdsa private signing key as a json web key obj...

SubtleCrypto.wrapKey() - Web APIs
*/ window.crypto.subtle.generatekey( { name: "rsa-pss", // consider using a 4096-bit key for systems that require long-term security moduluslength: 2048, publicexponent: new uint8array([1, 0, 1]), hash: "sha-256", }, true, ["sign", "verify"] ) .then((keypair) => { return wrapcryptokey(keypair.privatekey); }) .then((wrappedkey) => { console.log(wrappedkey); }); subjectpublickeyinfo wrap this example wraps an rsa public encryption key.
...*/ window.crypto.subtle.generatekey( { name: "rsa-oaep", // consider using a 4096-bit key for systems that require long-term security moduluslength: 2048, publicexponent: new uint8array([1, 0, 1]), hash: "sha-256", }, true, ["encrypt", "decrypt"] ) .then((keypair) => { return wrapcryptokey(keypair.publickey); }) .then((wrappedkey) => { console.log(wrappedkey); }); json web key import this code wraps an ecdsa private signing key.

Signaling and video calling - Web APIs
function handlegetusermediaerror(e) { switch(e.name) { case "notfounderror": alert("unable to open your call because no camera and/or microphone" + "were found."); break; case "securityerror": case "permissiondeniederror": // do nothing; this is the same as the user canceling the call.
...in this example, we ignore "securityerror" and "permissiondeniederror" results, treating refusal to grant permission to use the media hardware the same as the user canceling the call.

Writing WebSocket client applications - Web APIs
the constructor will throw a securityerror if the destination doesn't allow access.
... security considerations websockets should not be used in a mixed content environment; that is, you shouldn't open a non-secure websocket connection from a page loaded using https or vice-versa.

Writing a WebSocket server in C# - Web APIs
system.text.regularexpressions.regex("^get").ismatch(data)) { const string eol = "\r\n"; // http/1.1 defines the sequence cr lf as the end-of-line marker byte[] response = encoding.utf8.getbytes("http/1.1 101 switching protocols" + eol + "connection: upgrade" + eol + "upgrade: websocket" + eol + "sec-websocket-accept: " + convert.tobase64string( system.security.cryptography.sha1.create().computehash( encoding.utf8.getbytes( new system.text.regularexpressions.regex("sec-websocket-key: (.*)").match(data).groups[1].value.trim() + "258eafa5-e914-47da-95ca-c5ab0dc85b11" ) ) ) + eol + eol); stream.write(response, 0, response.length); } decoding messages after a successful ...
...write the hash back as the value of "sec-websocket-accept" response header in an http response string swk = regex.match(s, "sec-websocket-key: (.*)").groups[1].value.trim(); string swka = swk + "258eafa5-e914-47da-95ca-c5ab0dc85b11"; byte[] swkasha1 = system.security.cryptography.sha1.create().computehash(encoding.utf8.getbytes(swka)); string swkasha1base64 = convert.tobase64string(swkasha1); // http/1.1 defines the sequence cr lf as the end-of-line marker byte[] response = encoding.utf8.getbytes( "http/1.1 101 switching protocols\r\n" + "connection: upgrade\r\n" + ...

Starting up and shutting down a WebXR session - Web APIs
permissions and security there are a number of security measures in place revolving around webxr.
... for more specifics about securing webxr actitvities and usage, see the article permissions and security for webxr.

WebXR Device API - Web APIs
performance and security webxr performance guide recommendations and tips to help you optimize the performance of your webxr application.
... permissions and security for webxr the webxr device api has several areas of security to contend with, from establishing feature-policy to ensuring the user intends to use the mixed reality presentation before activating it.

Attestation and Assertion - Web APIs
the pre-defined attestation formats in webauthn are: packed - a generic attestation format that is commonly used by devices whose sole function is as a webauthn authenticator, such as security keys.
... android safetynet -prior to android key attestation, the only option for android devices was to create android safetynet attestations fido u2f - security keys that implement the fido u2f standard use this format none - browsers may prompt users whether they want a site to be allowed to see their attestation data and/or may remove attestation data from the authenticator's response if the `attestation` parameter in `navigator.credentials.create()` is set to `none` the purpose of attestation is to cryptographically prove that a newly gene...

Web Crypto API - Web APIs
even assuming you use the basic cryptographic functions correctly, secure key management and overall security system design are extremely hard to get right, and are generally the domain of specialist security experts.
... errors in security system design and implementation can make the security of the system completely ineffective.

Window.getDefaultComputedStyle() - Web APIs
in particular, to avoid the so called css history leak security issue, browsers may expressly "lie" about the used value for a link and always return values as if a user has never visited the linked site, and/or limit the styles that can be applied using the :visited pseudo-selector.
... see http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/ and http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/ for details of the examples of how this is implemented.

Window.history - Web APIs
in particular, that article explains security features of the pushstate() and replacestate() methods that you should be aware of before using them.
... for security reasons the history object doesn't allow the non-privileged code to access the urls of other pages in the session history, but it does allow it to navigate the session history.

XDomainRequest - Web APIs
security the xdomainrequest is built to be secure in multiple ways.
... the origin's security protocol must match that of the requested url.

Using XMLHttpRequest - Web APIs
"&" : "?") + (new date()).gettime()); oreq.send(null); security firefox 3 note versions of firefox prior to firefox 3 allowed you to set the preference capability.policy.<policyname>.xmlhttprequest.open</policyname> to allaccess to give specific sites cross-site access.
... firefox 5 note versions of firefox prior to firefox 5 could use netscape.security.privilegemanager.enableprivilege("universalbrowserread"); to request cross-site access.

XMLHttpRequest.mozBackgroundRequest - Web APIs
if true, no load group is associated with the request, with security dialogs prevented from being shown to the user.
... in cases in where a security dialog (such as authentication or a bad certificate notification) would normally be shown, this request fails instead.

XRSystem: requestSession() - Web APIs
securityerror permission to enter the specified xr mode is denied.
... this can happen for a number of reasons, which are covered in more detail in permissions and security in webxr device api.

Cognitive accessibility - Accessibility
content; minimizing distractions, such as unnecessary content or advertisements; providing consistent web page layout and navigation; incorporating familiar elements, such as underlined links that are blue when not visited and purple when visited; dividing processes into logical, essential steps with progress indicators; making website authentication as easy as possible without compromising security; and making forms easy to complete, such as with clear error messages and simple error recovery.
... error suggestion provide suggested input to the user if an input error is automatically detected and suggestions for correction are known (unless doing so would jeopardize the security or purpose of the content).

Event reference
ceorientation orientationchange smartcard events icccardlockerror iccinfochange smartcard-insert smartcard-remove stkcommand stksessionend cardstatechange sms and ussd events delivered received sent ussdreceived frame events mozbrowserclose mozbrowsercontextmenu mozbrowsererror mozbrowsericonchange mozbrowserlocationchange mozbrowserloadend mozbrowserloadstart mozbrowseropenwindow mozbrowsersecuritychange mozbrowsershowmodalprompt mozbrowsertitlechange dom mutation events domattributenamechanged domattrmodified domcharacterdatamodified domcontentloaded domelementnamechanged domnodeinserted domnodeinsertedintodocument domnoderemoved domnoderemovedfromdocument domsubtreemodified touch events touchcancel touchend touchmove touchstart pointer events pointerover pointerenter pointerdown poi...
... mozbrowsersecuritychange firefox os browser api-specific sent when the ssl state changes within a browser <iframe>.

Audio and video manipulation - Developer guides
note: due to potential security issues if your video is on a different domain than your code, you'll need to enable cors (cross origin resource sharing) on your video server.
...telementbyid('edit'); var code = textarea.value; function setfilter() { eval(textarea.value); } reset.addeventlistener('click', function() { textarea.value = code; setfilter(); }); edit.addeventlistener('click', function() { textarea.focus(); }) textarea.addeventlistener('input', setfilter); window.addeventlistener('load', setfilter); note: unless you have cors enabled, to avoid security issues your video should be on the same domain as your code.

The HTML autocomplete attribute - HTML: Hypertext Markup Language
it is possible that the document or application provides its own autocomplete feature, or that security concerns require that the field's value not be automatically entered.
... "cc-csc" the security code for the payment instrument; on credit cards, this is the 3-digit verification number on the back of the card.

Allowing cross-origin use of images and canvas - HTML: Hypertext Markup Language
security and tainted canvases because the pixels in a canvas's bitmap can come from a variety of sources, including images or videos retrieved from other hosts, it's inevitable that security problems may arise.
... calling any of the following on a tainted canvas will result in an error: calling getimagedata() on the canvas's context calling toblob() on the <canvas> element itself calling todataurl() on the canvas attempting any of these when the canvas is tainted will cause a securityerror to be thrown.

<a>: The Anchor element - HTML: Hypertext Markup Language
c.arc(x, y, 10, 0, math.pi*2); c.closepath(); c.fill(); } } canvas.addeventlistener('mousemove', event => draw(event.offsetx, event.offsety) ); canvas.addeventlistener('mousedown', () => isdrawing = true); canvas.addeventlistener('mouseup', () => isdrawing = false); document.queryselector('a').addeventlistener('click', event => event.target.href = canvas.todataurl() ); result security and privacy <a> elements can have consequences for users’ security and privacy.
... see referer header: privacy and security concerns for information.

<input type="number"> - HTML: Hypertext Markup Language
note: it's crucial to remember that a user can tinker with your html behind the scenes, so your site must not use simple client-side validation for any security purposes.
... you must verify on the server side any transaction in which the provided value may have any security implications of any kind.

<input type="url"> - HTML: Hypertext Markup Language
note: it's also crucial to remember that a user can tinker with your html behind the scenes, so your site must not use this validation for any security purposes.
... you must verify the url on the server-side of any transaction in which the provided text may have any security implications of any kind.

MIME types (IANA media types) - HTTP
for security reasons, most browsers do not allow setting a custom default action for such resources, forcing the user to save it to disk to use it.
...(for example, safari will look at the file extension in the url if the sent mime type is unsuitable.) there are security concerns as some mime types represent executable content.

CORS errors - HTTP
if the cors configuration isn't setup correctly, the browser console will present an error like "cross-origin request blocked: the same origin policy disallows reading the remote resource at $somesite" indicating that the request was blocked due to violating the cors security rules.
... note: for security reasons, specifics about what went wrong with a cors request are not available to javascript code.

Cross-Origin Resource Sharing (CORS) - HTTP
for security reasons, browsers restrict cross-origin http requests initiated from scripts.
... cors failures result in errors, but for security reasons, specifics about the error are not available to javascript.

Using HTTP cookies - HTTP
please note the security issues in the security section below.
... security information should be stored in cookies with the understanding that all cookie values are visible to, and can be changed by, the end-user.

Feature Policy - HTTP
it is similar to content security policy but controls features instead of security behavior.
... the features include: layout-inducing animations legacy image formats oversized images synchronous scripts synchronous xmlhttprequest unoptimized images unsized media granular control over certain features the web provides functionality and apis that may have privacy or security risks if abused.

CSP: trusted-types - HTTP
the http content-security-policy (csp) trusted-types directive instructs user agents to restrict usage of known dom xss sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings.
... syntax content-security-policy: trusted-types; content-security-policy: trusted-types <policyname>; content-security-policy: trusted-types <policyname> <policyname> 'allow-duplicates'; <domstring> any string can be a trusted type policy name.

Feature-Policy - HTTP
when this policy is disabled, attempting to set document.domain will fail and cause a securityerror domexception to be be thrown.
...when this policy is enabled, the paymentrequest() constructor will throw a securityerror domexception.

Referer - HTTP
important: although this header has many innocent uses it can have undesirable consequences for user security and privacy.
... see referer header: privacy and security concerns for more information and mitigations.

X-XSS-Protection - HTTP
although these protections are largely unnecessary in modern browsers when sites implement a strong content-security-policy that disables the use of inline javascript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support csp.
... chrome has removed their xss auditor firefox have not, and will not implement x-xss-protection edge have retired their xss filter this means that if you do not need to support legacy browsers, it is recommended that you use content-security-policy without allowing unsafe-inline scripts instead.

Protocol upgrade mechanism - HTTP
this means that a typical request that includes upgrade would look something like: get /index.html http/1.1 host: www.example.com connection: upgrade upgrade: example/1, foo/2 other headers may be required depending on the requested protocol; for example, websocket upgrades allow additional headers to configure details about the websocket connection as well as to offer a degree of security in opening the connection.
...the value of the key is computed using an algorithm defined in the websocket specification, so this does not provide security.

A typical HTTP session - HTTP
example responses successful web page response: http/1.1 200 ok content-type: text/html; charset=utf-8 content-length: 55743 connection: keep-alive cache-control: s-maxage=300, public, max-age=0 content-language: en-us date: thu, 06 dec 2018 17:37:18 gmt etag: "2e77ad1dc6ab0b53a2996dfd4653c1c3" server: meinheld/0.6.1 strict-transport-security: max-age=63072000 x-content-type-options: nosniff x-frame-options: deny x-xss-protection: 1; mode=block vary: accept-encoding,cookie age: 7 <!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>a simple webpage</title> </head> <body> <h1>simple html5 webpage</h1> <p>hello, world!</p> </body> </html> notification that the requested resource has permanently moved: http/...
...er to find the missing resource) notification that the requested resource doesn't exist: http/1.1 404 not found content-type: text/html; charset=utf-8 content-length: 38217 connection: keep-alive cache-control: no-cache, no-store, must-revalidate, max-age=0 content-language: en-us date: thu, 06 dec 2018 17:35:13 gmt expires: thu, 06 dec 2018 17:35:13 gmt server: meinheld/0.6.1 strict-transport-security: max-age=63072000 x-content-type-options: nosniff x-frame-options: deny x-xss-protection: 1; mode=block vary: accept-encoding,cookie x-cache: error from cloudfront <!doctype html...

JavaScript modules - JavaScript
with a file:// url), you'll run into cors errors due to javascript module security requirements.
...with a file:// url), you'll run into cors errors due to javascript module security requirements.

SharedArrayBuffer - JavaScript
apis which use sharedarraybuffer objects webglrenderingcontext.bufferdata() webglrenderingcontext.buffersubdata() webgl2renderingcontext.getbuffersubdata() security requirements shared memory and high-resolution timers were effectively disabled at the start of 2018 in light of spectre.
...with a few security measures, postmessage() will no longer throw for sharedarraybuffer objects and shared memory across threads will be available: as a baseline requirement, your document needs to be in a secure context.

Strict mode - JavaScript
(use call, apply, or bind to specify a particular this.) not only is automatic boxing a performance cost, but exposing the global object in browsers is a security hazard because the global object provides access to functionality that "secure" javascript environments must restrict.
...this is a security hazard because it breaks the ability to hide privileged values via function abstraction; it also precludes most optimizations.

How to make PWAs re-engageable using Notifications and Push - Progressive web apps (PWAs)
the technology is still at a very early stage — some working examples use the google cloud messaging platform, but are being rewritten to support vapid (voluntary application identification), which offers an extra layer of security for your app.
... from the server-side, the whole process has to be encrypted with public and private keys for security reasons — allowing everyone to send push messages unsecured using your app would be a terrible idea.

2015 MDN Fellowship Program - Archive of obsolete content
you may propose your own subject area (examples: virtual reality on the web, network security, css, etc.) or we will work with you to match you to the best subject based on your background and mozilla priorities.

Interacting with page scripts - Archive of obsolete content
for the sake of security, stability, and simplicity, this is usually what you want.

Content Scripts - Archive of obsolete content
first, it means that content scripts don't leak objects to web pages, potentially opening up security holes.

Private Properties - Archive of obsolete content
since xpcom allows the user to do virtually anything, security is very important.