Minimizing Web Browser Attack Surface

Posted on August 15, 2014

Most of us use a web browser every day, and often on computers that are also used for sensitive information (e.g. banking info, passwords/keys to servers at work, etc.). So what parts of a web browser might have exploitable code execution flaws? Most think of Flash, Java and perhaps Javascript. But there are many more, and the list is constantly changing with new versions of browser software!

There’s no standard way of listing all features available in your web browser, but in Mozilla/Gecko/Firefox-based browsers one can find a list of optional features by searching about:config for property names that contain .enable or .disable. Many of them relate to Javascript or Javascript features:

javascript.enabled
device.sensors.enabled
dom.*.enabled
full-screen-api.enabled
full-screen-api.pointer-lock.enabled
geo.enabled
webgl.disabled

On a work/office computer I recommend disabling them, except javascript.enabled which can be enabled only on safe web sites that require javascript (possibly with a browser extension). There are of course many to choose from and I’ve only used Controle de Scripts, which unfortunately doesn’t work any longer with Firefox 29+.

There are also some features that are not related to Javascript that can be disabled:

gfx.downloadable_fonts.enabled
media.autoplay.enabled     (autoplay of <video> and <audio> tags)
media.*.enabled            (enables/disables individual codecs etc.)
network.http.spdy.enabled

Disabling downloadable fonts will break the icons on some web sites, but on the other hand I think it’s a security enhancement well worth making since font loading and rendering is quite complex and must be bug-prone.
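As an added example (not from the original post), here is a small Python audit of a Firefox profile's prefs.js against the settings listed above. It assumes the standard `user_pref("name", value);` line format of prefs.js/user.js and runs on a constructed sample profile; the baseline dictionary and the dom.*/media.* family check are taken from the lists in this post.

```python
import re
from fnmatch import fnmatch
# Baseline from the post: pref -> value that turns the feature off
# (webgl.disabled is a "disable" switch, so its hardened value is True).
HARDENED_PREFS = {
    "device.sensors.enabled": False,
    "full-screen-api.enabled": False,
    "full-screen-api.pointer-lock.enabled": False,
    "geo.enabled": False,
    "webgl.disabled": True,
    "gfx.downloadable_fonts.enabled": False,
    "media.autoplay.enabled": False,
    "network.http.spdy.enabled": False,
}
# One prefs.js / user.js line: user_pref("name", true|false|123|"string");
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);\s*$')

def parse_prefs(text):
    """Parse prefs.js text into {name: bool|int|str}; non-pref lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            name, raw = m.groups()
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            else:
                prefs[name] = raw[1:-1] if raw.startswith('"') else int(raw)
    return prefs

def audit(prefs):
    """(name, current, hardened) per baseline pref off its hardened value; absent => None."""
    return [(n, prefs.get(n), v) for n, v in HARDENED_PREFS.items() if prefs.get(n) != v]

def wildcard_enabled(prefs):
    """dom.* / media.* prefs (the families the post lists with *) explicitly set to true."""
    return sorted(n for n, v in prefs.items()
                  if v is True and any(fnmatch(n, p) for p in ("dom.*.enabled", "media.*.enabled")))

def user_js_lines(findings):
    """user.js lines that lock each finding to its hardened value."""
    return ['user_pref("%s", %s);' % (n, "true" if v else "false") for n, _, v in findings]
# Constructed sample profile, not a real user's prefs.js.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("geo.enabled", false);
user_pref("gfx.downloadable_fonts.enabled", true);
user_pref("dom.storage.enabled", true);
user_pref("webgl.disabled", true);
"""
```

Prefs missing from the file are reported as well, since they sit at the browser default rather than at a value you chose; the generated user.js lines can be dropped into the profile directory to lock them.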

Comments

Samuel  2014-10-14,  16:34

JIRA (an issue tracker software) needs dom.storage.enabled (Javascript LocalStorage). Otherwise it will throw an exception during page load and most of the JS code will fail.

Samuel  2014-10-21,  14:31

These properties also exist in Mozilla Thunderbird. E-mail is already quite locked down (e.g. javascript and remote downloads are disabled by default), but I'm not so sure about e.g. downloadable_fonts if the "download" is included in a multipart e-mail.

To access the properties in Thunderbird, go to Settings --> Advanced --> General --> Configuration Editor.

Samuel  2014-10-21,  14:42

Also, in Mozilla Thunderbird, I think a lot more properties can be turned off without losing any functionality. E.g. "browser.frames.enabled" and "javascript.enabled".

Samuel  2015-02-03,  10:30

Disabling CSS transitions might also be a good idea. It seems to be a quite complex part of CSS (and not very useful), so better have it disabled.

http://dev.webonomic.nl/how-to-disable-css-transforms-transistions-and-animations
