Development Blog

Firebug Feature: Without Security Issues

Firebug 1.2+ in Firefox 3 provides no known path for malicious attack by rogue web sites.

Recently Wladimir Palant wrote a nice long post on Displaying web content in an extension – without security issues. In the lead paragraph describing security vulnerabilities he points to a really old posting about an old version of Firebug:

pdp discovered a similar issue in the Firebug extension that uses an HTML-based templating system and forgot to sanitize some input received from the webpage.

If you read through these ancient scrolls you will find Joe Hewitt’s post about the fix. But that fix was way back before version 1.0.5 was out, so none of that old stuff matters today.

While working on Firebug 1.2 we analyzed Firebug for security issues. As a result we reimplemented the Firebug console and command line and Blake Kaplan added new features in Firefox 3 to complete the process.

Firebug works with web pages in so many ways that we have to consider security issues all of the time.  We do take security seriously and we won’t release any version that has known holes.


One Response to “Firebug Feature: Without Security Issues”

  1. Antonin Hildebrand Says:

    I understand that security issues are very important topics for browser users and developers. But from the perspective of extension developer, new security manager in FF3 is a nightmare.

    In my opinion, common use case for Firebug is developing own sites, not reverse engineering unknown possibly malicious web pages. So default option with disabled firebug for all websites except for localhost would be sufficient for me. If user enables it for some malicious site, it is his problem. It’s like downloading and running unknown app from warez site. Keep it simple, stupid and let the user decide! Now in new Firebug, we are all paying big performance penalties in javascript evaluation (console panel) just for this 0.001% case?

    Ok, console panel is maybe not performance bottleneck. I give you another example. I’ve tried to implement Firebug extension which needs to evaluate some javascript in the context of running web page (repeatedly). After struggling with new FF3 security exceptions I’ve ended up using Firebug’s “reimplemented Firebug console and command line” how to communicate with running page and eval something inside it (I would call it “dirty hack” instead). The code is error prone, more than ugly and also pays big performance hit.

    Does anyone know better solution how to do this in FF3?

    It seems eval performance is show-stopper here.

    Don’t take this too offensive. I admire hard work you guys do on Firebug. Without Firebug the webdevelopers would be still in middle ages. Thank you.