You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

Component Security for Mozilla

We need your help to make Mozilla a more secure platform. See below for ways to get involved.

What is "Component Security"?

These pages are to describe the project of adding security to Mozilla components. We do not cover cryptographic security (SSL, certificates, S/MIME, etc.). For such topics, see Open Source PKI Projects.

Instead we talk about the ways of adding Java and JavaScript security to Mozilla components, mainly in terms of mobile code and the browser interfaces available to programs from those languages.

This is a difficult task in any event, but is particularly tricky for Mozilla. This is because Mozilla makes increasing use of Internet technologies to implement the browser itself. This has many benefits for modularity, cross-platform development, and encouraging development by a wider range of people. However, it also makes the process of ensuring browser security more challenging because it requires building a wall between the trusted browser and the untrusted content it displays.



The Mozilla Security Newsgroup is a good place to raise security-related issues.

Wish List & Future Projects

  • Buffer overflow problems - We will soon be launching a major initiative to wipe out this persistent source of security problems. Watch this space for tips on how to find potential buffer overflows in your code.
  • Signed XPI - We would like to add cryptographic signature verification to the XPInstall Engine.
  • Re-do the CheckLoadURI policy - it is not consistently applied in some areas, and it's too restrictive in others. We need to re-eavluate where this policy is needed and what restrictions to enforce.
  • Better Java compatibility - Currently, JavaScript cannot call privileged functions in signed applets. We need better integration between the Mozilla security manager and the Java plugin.

We need your help! If any of the projects above interests you, let us know. In addition, we need more community security review. Pick a Mozilla module you know and start looking for buffer overruns, misuse of privileges, and other security problems. Check back here soon for a list of things to look out for. Let's prove to the world that open source development leads to secure software!