Minimizing Web Browser Attack Surface

Posted on August 15, 2014

Most of us use a web browser every day, often on computers that are also used for sensitive information (e.g. banking details, passwords/keys to servers at work, etc.). So which parts of a web browser might have exploitable code-execution flaws? Most people think of Flash, Java and perhaps Javascript. But there are many more, and the list changes constantly with new versions of browser software!

There’s no standard way of listing all the features available in your web browser, but in Mozilla/Gecko/Firefox-based browsers one can find a list of optional features by searching about:config for properties whose names contain .enable or .disable. Many of them relate to Javascript or to Javascript features:


On a work/office computer I recommend disabling them, except javascript.enabled, which can be enabled only on safe web sites that require Javascript (possibly with a browser extension). There are of course many extensions to choose from; I’ve only used Controle de Scripts, which unfortunately no longer works with Firefox 29+.

There are also some features that are not related to Javascript that can be disabled:

media.autoplay.enabled     (autoplay of <video> and <audio> tags)
media.*.enabled            (enables/disables individual codecs etc.)

Disabling downloadable fonts will break the icons on some web sites, but on the other hand I think it’s a well worthwhile security enhancement, since font loading and rendering is quite complex and must be bug-prone.
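As an added example (not from the post): a small Python script that reads a Firefox prefs.js or user.js, reports which of the preferences discussed above are still at their enabled default, and renders the user.js lines that lock them off. The baseline list, the sample prefs.js and the pref name gfx.downloadable_fonts.enabled (Firefox's switch for downloadable fonts) are my assumptions, not something the post states.

```python
import re

# Constructed baseline: prefs the post recommends turning off on a work
# machine. media.*.enabled stands for the individual codec/feature prefs.
BASELINE_DISABLED = ("javascript.enabled", "media.autoplay.enabled",
                     "media.*.enabled", "gfx.downloadable_fonts.enabled")

# prefs.js and user.js lines have the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|[^)]*)\);\s*$')


def parse_prefs(text):
    """Map pref name -> value; true/false become bools, anything else stays raw."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = {"true": True, "false": False}.get(raw, raw)
    return prefs


def audit(prefs, baseline=BASELINE_DISABLED):
    """Return baseline prefs that are not explicitly false in `prefs`.
    A missing pref is reported too: Firefox then uses its (enabled) default.
    Wildcard entries only check prefs actually present in the file."""
    still_enabled = []
    for wanted in baseline:
        if "*" in wanted:
            pat = re.compile("^" + wanted.replace(".", r"\.").replace("*", "[^.]+") + "$")
            still_enabled += sorted(n for n, v in prefs.items() if pat.match(n) and v is not False)
        elif prefs.get(wanted) is not False:
            still_enabled.append(wanted)
    return still_enabled


def user_js(names):
    """Render user.js lines that lock the given prefs to false."""
    return "\n".join('user_pref("%s", false);' % n for n in names)


# Constructed sample prefs.js: fonts and autoplay off, Javascript and WebM still on.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("gfx.downloadable_fonts.enabled", false);
user_pref("javascript.enabled", true);
user_pref("media.autoplay.enabled", false);
user_pref("media.webm.enabled", true);
"""
```

Running `print(user_js(audit(parse_prefs(SAMPLE_PREFS))))` prints the two user.js lines needed to finish locking down the sample profile.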


Samuel  2014-10-14,  16:34

JIRA (issue tracker software) needs Javascript LocalStorage. Otherwise it will throw an exception during page load and most of the JS code will fail.

Samuel  2014-10-21,  14:31

These properties also exist in Mozilla Thunderbird. E-mail is already quite locked down (e.g. javascript and remote downloads are disabled by default), but I'm not so sure about e.g. downloadable_fonts if the "download" is included in a multipart e-mail.

To access the properties in Thunderbird, go to Settings --> Advanced --> General --> Configuration Editor.

Samuel  2014-10-21,  14:42

Also, in Mozilla Thunderbird, I think a lot more properties can be turned off without losing any functionality, e.g. "browser.frames.enabled" and "javascript.enabled".

Samuel  2015-02-03,  10:30

Disabling CSS transitions might also be a good idea. It seems to be a quite complex part of CSS (and not very useful), so better have it disabled.
