With the threat landscape changing, we’re updating our security program along with it. As browser security architecture continues to improve, our bug bounty program is evolving to focus incentives on the highest-impact work and the most critical threats.

Policy changes

We are keeping updates to the reporting process to a minimum so that experienced and successful researchers do not need to change how their security bugs are reported right now.

Raising the bar for report quality and novelty

Quality: As part of our policy update, we are putting an increasing emphasis on actionable reports: Reducing the time spent on validating theoretical concerns and focusing on confirmed vulnerabilities is ensuring faster resolution, faster reward payments and a better Firefox. Our existing policy already differentiates between high-quality reports and reports that only provide sufficient information to inform us of a new security vulnerability. Going forward, we will now require security researchers to provide simple and reproducible test cases for reports to be eligible for bounty rewards (e.g., demonstrable with an Address Sanitizer build). Reports without any credible evidence of a security issue will be assigned a much lower priority.

Novelty: In light of a recent increase in duplicate security bug reports and timing issues where researchers were able to race some of our internal tools, we are reserving an increased time window of seven days for our internal automated methods to find security issues. While this might affect more bug reports than before, we also believe this encourages researchers to focus on novel research that genuinely benefits advancements in the security posture, rather than research that replicates existing open source tools or results already captured by internal processes. This puts original, high-quality research back in the center of our bug bounty program

Aligning Security Architecture and Reward Structure

Security Architecture: Firefox is already using multiple utility processes to reduce the level of privilege for security-critical code. We are therefore focusing our rewards for “Highest Impact” / “Sandbox Escape” solely on attacks that compromise the parent process. We are also going to release a separate, sandboxed GPU process on all Operating Systems in 2026, which means that from now on, we will assess vulnerabilities in our graphics stack according to their sandboxed context, rather than treating them as full sandbox escapes. These bugs will still be considered as “High Impact” memory corruptions. We are also working on better definitions for compromising other processes and will update the bounty program again with more eligible process pairs in the future.

Changes to our Reward Structure: We limit our definition of sandbox escapes to true escapes that will allow the attacker to gain control over a higher privileged, unsandboxed process. This definition also excludes memory-reads as well as cross-process exploits targeting other sandboxed processes. As with above, we will continue to rate memory corruptions and attacks on other processes as “High Impact“ findings. Consequently, the highest reward will be limited to breaches of the most hardened security boundaries.

Join our bug bounty program

These updates are a natural step forward in maintaining a highly effective, quality-focused program that addresses the real and evolving security risks facing modern browsers.
We encourage researchers to engage with these clarified guidelines and focus their efforts on high-impact vulnerabilities and continue working alongside us to strengthen Firefox by focusing on the vulnerabilities that matter most.

We will provide additional guides and tips for improved bug finding and reporting based on previous bug reports in upcoming blog posts. We are also reminding our readers and security community that we welcome guest articles on our blog where successful researchers can share their discoveries.

Security and privacy are foundational to Mozilla’s manifesto and central to how we build Firefox. In this edition, we highlight key security and privacy work from Q4 2025, organized into the following areas:

• Firefox Product Security & Privacy — new security and privacy features and integrations in Firefox
• Core Security — platform-level security and hardening efforts
• Community Engagement — updates from our security research and bug bounty community
• Web Security & Standards — advancements that help websites better protect their users from online threats

Preface

Note: Some of the bugs linked below might not be accessible to the general public and restricted to specific work groups. We de-restrict fixed security bugs after a grace-period, until the majority of our user population have received Firefox updates. If a link does not work for you, please accept this as a precaution for the safety of all Firefox users.

Firefox Product Security & Privacy

Functional Privacy. Firefox empowers users with control and choice - including the option for maximum privacy protections. Yet, our commitment lies in targeting online tracking by default in ways that ensures the web continues to function accurately and smoothly. With focus on this important balance, our protections have blocked more than 1 trillion tracking attempts, while reported site compatibility issues were driven down to an all time low: 500, as compared to 1,100 in Q1 of 2025.

Improved page redirect prevention: Firefox now blocks top-level redirects from iframes. This new prevention mechanism aligns Firefox behaviour with other browsers and protects users against so-called malvertising attacks.

Improved protections against navigational cross-site tracking: Navigational tracking is used to track users across different websites using browser navigations. Bounce tracking is a type of navigational tracking that “bounces” user navigations through an intermediary tracking site. Firefox’s Bounce Tracking Protection already protects against this tracking vector. And Firefox 145 uplevels this by also eliminating cache access for these intermediate redirect pages.

Global Privacy Control (GPC): Following Firefox’s lead as the first major browser to do this, Thunderbird has also now replaced the legacy “Do Not Track” (DNT) in favor of Global Privacy Control (GPC). This new control has the much needed legal footing to clearly communicate a user’s “do-not-sell-or-share preference” and other browsers are expected to follow soon.

Warning prompts for digital identity requests: When a webpage attempts to open a digital wallet app using custom URL schemes such as openid4vp, mdoc, mdoc-openid4vp, or haip, Firefox on Desktop and Android (Firefox 145 and newer) now displays clear warning prompts that explain what’s happening and give users control.

Core Security

Certificate Transparency (CT) on Android: Certificate Transparency enables rapid detection of unauthorized or fraudulent SSL/TLS certificates. CT has been available in Firefox Desktop since Firefox 136 and is now also available on Android starting with Firefox 145.

Post-Quantum Cryptography (ML-KEM): ML-KEM is a next-generation public-key cryptosystem designed to resist attacks from large-scale quantum computers. Post-quantum (PQ) cryptography with ML-KEM support shipped in Firefox 132 for Desktop. Support is now also available on Android starting with Firefox 145 and in WebRTC starting with Firefox 146.

Community Engagement

Mozilla and Firefox at the 39th Chaos Communication Congress (39C3): Teams from Firefox Security, Privacy, Networking, Thunderbird, and Public Policy collaborated to raise awareness of their work and gather direct community feedback. A clear highlight was the popularity of our swag, with our folks distributing 1,000 Fox Ears. The high level of engagement was further sustained by a dedicated community meetup and an impromptu AMA session, which drew attention from over 100 people.

Firefox Bug Bounty Hall of Fame: We just updated the Hall of Fame, which credits all of the skillful security researchers that strive to keep Firefox secure as of Q4 2025. If you also want to contribute to Firefox security, please look at our Bug Bounty pages.

Web Security & Standards

Integrity-Policy: Firefox 145 has added support for the Integrity-Policy response header. The header allows websites to ensure that only scripts with an integrity attribute will load. Errors will be logged to the console, with support for the Reporting API coming in early 2026.

Compressed Elliptic Curve Points in WebCrypto: Firefox 146 adds support for compressed elliptic curve points in WebCrypto. This reduces public key sizes by nearly half, saving bandwidth and storage, while still allowing the full point to be reconstructed mathematically. With this addition, Firefox now leads in WebCrypto web platform test coverage.

Going Forward

As a Firefox user, you automatically benefit from the security and privacy improvements described above through Firefox’s regular automatic updates. If you’re not using Firefox yet, you can download it to enjoy a fast, secure browsing experience — while supporting Mozilla’s mission of a healthy, safe, and accessible web for everyone.

We’d like to thank everyone who helps make Firefox and the open web more secure and privacy-respecting.

See you next time with the Q1 2026 report.

— The Firefox Security and Privacy Teams

Browser security is a cutting edge frontier for exploit mitigations, addressing bug classes holistically, and identifying vulnerabilities. Not everything we try works, and we think it’s important to document our shortcomings in addition to our successes. A responsible project uses all available tools to find bugs and vulnerabilities before you ship. Besides many other tools and techniques, Firefox uses Clang Tidy and the Clang Static Analyzer, including many customized checks for enforcing the coding conventions in the project. To extend these tools, Mozilla contacted Balázs, as one of the maintainers of the Clang Static Analyzer, to help address problems encountered when exploring Cross Translation Unit (CTU) Static Analysis. Ultimately, we weren’t able to make as much headway with this project as we hoped, but we wanted to contribute our experience to the community and hopefully inspire future work. Be warned, this is a highly technical blog post.

The following sections describe some fundamental concepts, such as taint analysis, CTU, the Clang Static Analyzer engine. This will be followed by the problem statement and the solution. Finally, some closing words.

Disclaimer: The work described here was sponsored by Mozilla.

Static Analysis Fundamentals

Taint analysis

Vulnerabilities often root from using untrusted data in some way. Data from such sources is called “tainted” in static analysis, and “taint analysis” is the technique that tracks how such “tainted” values propagate or “flow” throughout the program.

In short, “Taint sources” introduce a flow, such as reading from a socket. If a tainted value reaches a “taint sink” then we should report an error. These “sources” and “sinks” are often configurable.

A YAML configuration file can be used with the Clang Static Analyzer configuring the taint rules.

Cross Translation Unit (CTU) analysis

The steps involved in bugs or vulnerabilities might cross file boundaries. Conventional static analysis tools that operate on a translation-unit basis would not find the issue. Luckily, the Clang Static Analyzer offers CTU mode that loads the relevant pieces of the required translation units to enhance the contextual view of the analysis target, thus increasing the covered execution paths. Running CTU needs a bit of setup, but luckily tools like scan-build or CodeChecker have built-in support.

Path-sensitive analysis

The Clang Static Analyzer implements a path-sensitive symbolic execution. Here is an excellent talk but let us give a refresher here.

Basically, it interprets the abstract syntax tree (AST) of the analyzed C/C++ program and builds up program facts statement by statement as it simulates different execution paths of the program. If it sees an if statement, it splits into two execution paths: one where the condition is assumed to be false, and another one where it’s assumed to be true. Loops are handled slightly differently, but that’s not the point of this post today.

When the engine sees a function call, it will jump to the definition of the callee (if available) and continue the analysis there with the arguments we had at the call-site. We call this “inlining” in the Clang Static Analyzer. This makes this engine inter-procedural, in other words, reason across functions. Of course, this only works if it knows the callee. This means that without knowing the pointee of a function pointer or the dynamic type of a polymorphic object (that has virtual functions), it cannot “inline” the callee, which in turn means that the engine must conservatively relax the program facts it gathered so far because they might be changed by the callee.

For example, if we have some allocated memory, and we pass that pointer to such a function, then the engine must assume that the pointer was potentially released, and not raise leak warnings after this point.

The conclusion here is that following the control-flow is critical, and virtual functions limit our ability to reason about this if we don’t know the dynamic type of objects.

So, taint analysis for Firefox?

Firefox has a lot of virtual functions!

We discussed that control-flow is critical for taint analysis, and virtual functions ruin the control-flow. A browser has almost every code pattern you can imagine, and it so happens that many of the motivating use cases for this analysis involve virtual functions that also happen to cross file boundaries.

Once upon a time…

It all started by Tom creating a couple of GitHub issues, like #114270 (which prompted a couple smaller fixes that are not the subject of this port), and #62663.

This latter one was blocked by not being able to follow the callees of virtual functions, kicking off this whole subject and the prototype.

Plotting against virtual functions

The idea

Let’s just look at the AST and build the inheritance graph. After that, if we see a virtual call to data(), we could check who overrides this method.

Let’s say only class A and B overrides this method in the translation unit. This means we could split the path into 2 and assume that on one path we call A::data() and on the other one B::data().

// class A... class B deriving from Base
void func(Base *p) {
  p->data(); // ‘p’ might point to an object A or B here.
}

This looks nice and simple, and the core of the idea is solid. However, there are a couple of problems:

1. One translation unit (TU) might define a class Derived, overriding data(), and then pass a Base pointer to the other translation unit. And when that TU is analyzed, it shouldn’t be sure that only class A and B overrides data() just because it didn’t see Derived from the other TU. This is the problem with inheritance, which is an “open-set” relation. One cannot be sure to see the whole inheritance graph all at once.

2. It’s not only that Derived might be in a different TU, but it might be in a 3rd party library, and dynamically loaded at runtime. In this case, assuming a finite set of callees for a virtual function would be wrong.

Refining the idea

Fixing problem (2) is easy, as we should just assume that the list of potential callees always has an extra unknown callee, to have an execution path where the call is conservatively evaluated and do the invalidations - just like before.

Fixing problem (1) is more challenging because we need whole-program analysis. We need to create the inheritance graphs of each TU and then merge them into a unified graph. Once we’ve built that, we can run the Clang Static Analyzer and start reasoning about the overriders of virtual functions in the whole project. Consequently, in the example we discussed before, we would know that class A, B and (crucially) Derived overrides data(). So after the call, we would have 4 execution paths: A, B, Derived and the last path is for the unknown case (like potentially dynamically loading some library that overrides this method).

It sounds great, but does it work?

It does! The analysis gives a list of the potential overriders of a virtual function. The Clang Static Analyzer was modified to do the path splits we discussed and remember the dynamic type constraints we learn on the way. There is one catch though.

Some taint flows cross file boundaries, and the Clang Static Analyzer has CTU to counter this, right?

CTU uses the “ASTImporter”, which is known to have infinite recursion, crashes and incomplete implementation in terms of what constructs it can import. There are plenty of examples, but one we encountered was #123093.

Usually fixing one of these is time consuming and needs a deep understanding of the ASTImporter. And even if you fix one of these, there will be plenty of others to follow.

This patch for “devirtualizing” virtual function calls didn’t really help with the reliability of the ASTImporter. As the interesting taint flows cross file boundaries, the benefits of this new feature are unfortunately limited by the ASTImporter for Firefox.

Is it available in the Clang Static Analyzer already?

Unfortunately no, and as the contract was over, it is unlikely that these patches would merge upstream without others splitting up the patches and doing the labor of proposing them upstream. Note that this whole program analysis is a brand new feature and it was just a quick prototype to check the viability.

Upstreaming would likely also need some wider consensus about the design.

Apparently, whole-project analyses could be important for other domains besides bug-finding, such as code rewriting tools, which was the motivation for a recently posted RFC. The proposed framework in that RFC could potentially also work for the use-case described in this blog post, but it’s important to highlight that this prototype was built before that RFC and framework, consequently it’s not using that.

Balázs shared that working on the prototype was really motivating at first, but as he started to hit the bugs in the ASTImporter - effectively blocking the prototype - development slowed down. All in all, the prototype proved that using project-level information, such as “overriders”, could enable better control-flow modeling, but CTU analysis as we have it in Clang today will show its weaknesses when trying to resolve those calls. Without resolving these virtual calls, we can’t track taint flows across file boundaries in the Clang Static Analyzer.

What does this mean for Firefox?

Not much, unfortunately. If the ASTImporter would work as expected, then finalizing the prototype would meaningfully improve taint analysis on code using virtual functions.

You can find the source code at Balázs’ GitHub repo as steakhal/llvm-project/devirtualize-for-each-overrider, which served well for exploring and rapid prototyping but it is far from production quality.

Bonus: We need to talk about the ASTImporter

From the cases Balázs looked at, it seems like qualified names, such as std in std::unique_ptr for example, will trigger the import of a std DeclContext, which in turn triggers the import of all the declarations within that lexical declaration context. In other words, we start importing a lot more things than strictly necessary to make the std:: qualification work. This in turn increases the chances of hitting something that causes a crash or just fails to import, poisoning the original AST we wanted to import into. This is likely not how it should work, and might be a good subject to discuss in the future.

Note that the ASTImporter can be configured to do so-called “minimal imports” which is probably what we should have for the Clang Static Analyzer, however, this is not set, and setting it would lead to even more crashes. Balázs didn’t investigate this further, but it might be something to explore in the future.

Security and Privacy on the web are the cornerstones of Mozilla’s manifesto, and they influence how we operate and build our products. Following are the highlights of our work from Q3 2025, grouped into the following categories:

• Firefox Product Security & Privacy, showcasing new Security & Privacy Features and Integrations in Firefox.
• Firefox for Enterprise, highlighting security & privacy updates for administrative features, like Enterprise policies.
• Core Security, outlining Security and Hardening efforts within the Firefox Platform.
• Web Security and Standards, allowing websites to better protect themselves against online threats.

Preface

Note: Some of the bugs linked below might not be accessible to the general public and restricted to specific work groups. We de-restrict fixed security bugs after a grace-period, until the majority of our user population have received Firefox updates. If a link does not work for you, please accept this as a precaution for the safety of all Firefox users.

Firefox Product Security & Privacy

• As a follow-up to our last newsletter, Firefox has won a “Speedrunner” Award by the TrendMicro Zero Day Initiative for being consistently fast to patch security vulnerabilities. This is the second consecutive year, in which Firefox is recognized for the speedy delivery of security updates.
• Protecting against Fingerprinting-based tracking: With Firefox 143, we’ve introduced new defenses against online fingerprinting. Our analysis of the most frequently exploited user data shows that it’s possible to significantly lower the success rate of fingerprinting attacks, without compromising a user’s browsing experience. Specifically, Firefox now standardizes how it reports device attributes such as CPU core count, screen size, and touch input capabilities. By unifying these values across our entire user base, we cut the share of Firefox users who appear unique to fingerprinting scripts from roughly 35% to just 20%.
• Strict Tracking Protection with web compatibility in mind: When users set Firefox’s tracking protection to strict, we already warn them that stricter blocking may result in missing content or broken websites. As of Firefox 142, we are providing a list of exceptions that may help unbreak popular websites without compromising the protection. The list of exceptions is transparently shared on https://etp-exceptions.mozilla.org/.
• DoH on Android: We have landed opt-in support for DoH Android in Firefox 143. Opt-in available in Firefox preferences UI, Firefox Android users can enable DoH with Increased or Max Protection settings to prevent network observers from tracking their browsing behaviour.
• Improved TLS Error Pages: We improved non-overridable TLS error pages to provide more context for end users. Starting in Fx140, Firefox contains more information on why a connection was blocked, highlighting that Firefox is not causing the problem but rather that the website has a security problem and Firefox is actually keeping the user safe.
• SafeBrowsing v5: Firefox Nightly now supports the SafeBrowsing v5 protocol, which protects against threats like phishing or malware sites, in preparation for the upcoming decommissioning of SafeBrowsing v4 server.
• Private Downloads in Private Browsing: When downloading a file in Private Browsing mode, Firefox 143 now asks whether to keep or delete the files after that session ends. You can adjust this behavior in Settings, if desired.
• Improved Video sharing: As of Firefox 143, the browser permission dialog will now show a preview of the selected Video camera, making it much easier to see and decide what is being shared before providing camera permissions to a page.

Firefox for Enterprise

• Updated Enterprise Policy for Tracking Protection: The EnableTrackingProtection policy has been updated to allow you to set the category to either strict or standard. When the category is set using this policy, the user cannot change it. The EnableTrackingProtection policy has also been updated to allow you to set control Suspected fingerprinters. For more information, see this SUMO page.
• Improved Control over SVG, MathML, WebGL, CSP reporting and Fingerprinting Protection: The Preferences policy has been updated to allow setting the preferences mathml.disabled, svg.context-properties.content.enabled, svg.disabled, webgl.disabled, webgl.force-enabled, xpinstall.enabled, and security.csp.reporting.enabled as well as prefs beginning with privacy.baselineFingerprintingProtection or privacy.fingerprintingProtection.

Core Security

• CRLite on Desktop and Mobile: CRLite is a faster, more reliable and privacy-protecting certificate revocation check mechanism, as compared to the traditional OCSP (Online Certificate Status Protocol). CRLite is available in Desktop versions since Firefox 142 and on Firefox for Android in Firefox 145. Read details on CRLite in the blogpost: CRLite: Fast, private, and comprehensive certificate revocation checking in Firefox.
• Supporting Certificate Compression in QUIC: Certificate compression reduces the size of certificate chains during a Transport Layer Security (TLS) handshake, which improves performance by lowering latency and bandwidth consumption. The three compression algorithms zlib, brotli, and zstd are available in QUIC starting with Firefox 143.

Web Security & Standards

• Improved Cache removal: When a website uses the "cache" directive of the Clear-Site-Data response header, Firefox 141 now also clears the backwards-forwards cache (bfcache). This allows a site to ensure that private session details can be removed, even if a user uses the browser back button. (bug 1930501).
• Easy URL Pattern Matching: The URL Pattern API is fully supported as of Firefox 142, enabling you to match and parse URLs using a standardized pattern syntax. (bug 1731418).

Going Forward

As a Firefox user, you will automatically benefit from all the mentioned security and privacy benefits with the enabled auto-updates in Firefox. If you aren’t a Firefox user yet, you can download Firefox to experience a fast and safe browsing experience while supporting Mozilla’s mission of a healthy, safe and accessible web for everyone.

Thanks to everyone who helps make Firefox and the open web more secure and privacy-respecting.

See you next time with the Q4 2025 Report!
- Firefox Security and Privacy Teams.

Security and Privacy on the web are the cornerstones of Mozilla’s manifesto, and they influence how we operate and build our products. Following are the highlights of our work from Q2 2025, grouped into the following categories:

• Firefox Product Security & Privacy, showcasing new Security & Privacy Features and Integrations in Firefox.
• Core Security, outlining Security and Hardening efforts within the Firefox Platform.
• Community Engagement, news from our security and bug bounty community.
• Web Security and Standards, allowing websites to better protect themselves against online threats.

Preface

Note: Some of the bugs linked below might not be accessible to the general public and restricted to specific work groups. We de-restrict fixed security bugs after a grace-period, until the majority of our user population have received Firefox updates. If a link does not work for you, please accept this as a precaution for the safety of all Firefox users.

Firefox Product Security & Privacy

• CHIPS support: Starting with Firefox 141, Firefox now supports Cookies Having Independent Partitioned State (CHIPS), which introduces a new cookie attribute that allows website developers to access partitioned cookies. CHIPS provides the same privacy guarantees as Firefox’s built-in Total Cookie Protection (TCP) which we have been shipping by default since 2022.
• Expanding Total Cookie Protection for Known Trackers: Beginning with Firefox 141, Firefox has switched to Total Cookie Protection for known trackers. This update replaces the previous method of blocking third-party tracking cookies, offering improved web compatibility while maintaining the same level of cookie privacy.
• Improving Web compatibility in Firefox: We have improved the private browsing experience in Firefox based on a recent increase in user reports for broken websites on webcompat.com. This improvement alone allowed our users to browse privately in more than 450 additional cases since the beginning of the year, representing a major share of all broken websites reports.
• Improving non-overrideable Error Pages: When establishing an HTTPS connection, a browser can encounter a variety of different TLS errors. Firefox used to display different certificate error pages based on the error type (e.g., permanent and temporary). We unified these error pages - starting with Firefox 140 we are now providing additional information, especially when an error is permanent and can not be skipped.
• Firefox Relay Integration: Firefox Relay⁩ allows to create new temporary email address that forwards all emails to your true inbox. This allows you to protect your actual identity from hackers and spammers. Firefox Relay is available for all versions after Firefox 135, and we rolled it out to all desktop users on June 16.

Core Security

• Firefox Response to Pwn2Own: The Pwn2Own hacking competition targets popular software organized by the TrendMicro Zero Day Initiative (ZDI). This year, Firefox was targeted twice but no team managed to break out of the Firefox sandbox. We immediately responded to the two contained exploits with a new Firefox release that included both security fixes in just 11 hours since the second exploit demonstration. This beats Firefox’s previous record of 21 hours last year. Read more details in this blogpost: Firefox Security Response to pwn2own 2025. You can also read the technical analysis of the bug and the exploit from the ZDI.
• Securing the open source ecosystem: Firefox developers found a bug upstream in libvpx, a video codec library, which we identified and resolved. As a widely shared library, this fix protects media playback in Firefox as well as many other browsers, and rich media applications (Bug 1962421, Chrome Bug 419467315).

Community Engagement

• Firefox Bug Bounty Hall of Fame: We just updated the Hall of Fame, which credits all of the skillful security researchers that strive to keep Firefox secure. If you also want to contribute to Firefox security, please look at our Bug Bounty pages.
• Call for Guest Blog posts: We are opening the opportunity for guest blog posts on attackanddefense.dev for all bug bounty participants. If you are reading this and want to write a blog post about your findings, let us know!

Web Security & Standards

• Abridged Certificates in Firefox Nightly: Abridged Certs is an IETF draft for a new compression scheme which enables a successful transition to Certificates using Post-Quantum Encryption Algorithms by enabling smaller and more performant Certificate Chains. The code is available since Firefox Nightly 141 and we are planning to do partner experiments in the upcoming months.
• Integrity Policy: Recent work on the Subresource Integrity (SRI) standard introduced a new web security policy, called Integrity-Policy. This will allow websites to ensure that all of their scripts are protected with integrity data. Future work will expand this security mechanism to provide full web application integrity.
• HTTP Origin-Agent-Cluster header: Starting with Firefox 138, this new response header can be used by a site to hint that all documents from this origin are using the same operating system process. Besides these security isolation benefits, supporting this header makes it less likely that a resource-intensive document can degrade the performance on other origins (Bug 1665474).
• HTTP Clear-Site-Data: cache header: Starting with Firefox 141, websites can use the cache directive header to clear caches for the requested origin. This header allows websites to properly clear local data when users sign out of a website. (Bug 1838506)
• WebRTC Security: The getFingerprints() method of the RTCCertificate interface is now available in Firefox 138. An application can use this API to get fingerprints for a certificate, which might be shared out-of-band in order to identify a particular user or browser across WebRTC sessions (Bug 1525241).
• Cookie Store API: The Cookie Store API is now supported in Firefox 140 (Bug 1958875). This API provides a modern, asynchronous Promise-based method of managing cookies, which can be used in both the main thread as well as in service workers. Using the CookieStore API is less error-prone than relying on the old document.cookie property.

Going Forward

As a Firefox user, you will automatically benefit from all the mentioned security and privacy benefits with the enabled auto-updates in Firefox. If you aren’t a Firefox user yet, you can download Firefox to experience a fast and safe browsing experience while supporting Mozilla’s mission of a healthy, safe and accessible web for everyone.

Thanks to everyone who helps make Firefox and the open web more secure and privacy-respecting.

See you next time with the Q3 2025 Report!
- Firefox Security and Privacy Teams.

Security and privacy on the web are cornerstones of Mozilla’s manifesto, and they influence how we operate and build our products. Following are the highlights of our work from Q1 2025, grouped into the following categories:

• Firefox Product Security & Privacy, showcasing new Security & Privacy Features and Integrations in Firefox.
• Core Security, outlining Security and Hardening efforts within the Firefox Platform.
• Web Security, allowing websites to better protect themselves against online threats.

Preface

Note: Some of the bugs linked below might not be accessible to the general public and are still restricted to specific work groups. We de-restrict fixed security bugs after a grace-period, until the majority of our user population have received their updates. If a link does not work for you, please accept this as a precaution for the safety of all of our users.

Firefox Product Security & Privacy

HTTPS by Default: After shipping mixed content upgrades last year (Bug 1779757), starting with Firefox 136, we now upgrade all navigations to HTTPS (Bug 1921221) and provides a fallback to HTTP if a secure and encrypted connection cannot be established. Our telemetry suggests that HTTPS requests for Firefox users have increased by at least 1.5%. See The Evolution of HTTPS Adoption in Firefox for more details. In the same vein, our research paper The State of Adoption on the Web (presented at MADWeb 2025) captures HTTPS adoption around the world as well as the effectiveness of the different upgrading mechanisms.

Introducing CRLite: CRLite, a faster, more reliable and privacy-preserving certificate revocation check mechanism as compared to the traditional OCSP (Online Certificate Status Protocol), has been rolled out to release (Bug 1429800) in Firefox 135. A corresponding talk on CRLite was presented at Real World Crypto 2025. Also, a research paper about CRLite was accepted at IEEE Symposium on Security and Privacy.

Certificate Transparency: Firefox is shipping Certificate Transparency (CT) in Firefox 136 (Bug 1927085). CT enforces that Firefox will only accept certificates that have been publicly logged, and can be checked for malice or mistake. This change brings Firefox into alignment with other browsers and we are now listed under “User agents using CT” on https://certificate.transparency.dev/useragents/. CT and CRLite have propelled Firefox to the forefront of TLS security amongst browsers.

TLS Client Auth: Firefox on Android now supports TLS Client Auth (Bug 1813930) starting with Firefox 138. TLS Client Certificates are typically used in enterprise and governmental contexts to authenticate users and offer many desirable security and phishing-resistant properties.

Root Store Policy updates: Mozilla maintains a policy for inclusions and considerations to the root store as it applies to Certificate authorities operations and the certificates they issue. The new and updated version of the Mozilla Root Store Policy (MRSP) v3.0 went into effect on March 15, 2025.

Safebrowsing updates: Starting with Firefox 138, Safebrowsing now classifies only top-level loads (Bug 1953088) and no longer blocks subresource loads, like external JS scripts, or also images, which reduces the risk of web-compat issues caused by unsupported subresource blocking.

Unbreaking websites from Anti-Tracking mechanisms: We have worked with disconnect.me to unblock certain consent management providers (CMP) in private browsing mode and ETP-Strict (see non-exhaustive bug list). CMPs - often seen as “Cookie Banners” - are responsible for almost half of all site breakage when they are blocked by our anti tracking protection. This work allowed many websites to work as expected again in private browsing mode.

Smartblock Embeds gives users control over blocked content: Starting with Firefox 136, SmartBlock Embeds support empowers ETP-Strict and PBM users to consciously opt into highly visible content, and prevents the perception that the page is ‘broken’ - even though our protections are working as intended. Smartblock works for embedded content from Instagram (Bug 1892173), TikTok (Bug 1892172) and Twitter/X (Bug 1901602), which are blocked by default in Private windows or ETP-Strict mode. Embedded blocked content from these domains will show a 1-button click option for users to un-block all content from that domain on that specific website.

Away from DNT and towards GPC: In Q1, Firefox became the first major browser to remove the “Do Not Track” checkbox from the privacy preferences/settings, recognising that Global Privacy Control (GPC) is a better option for 2025. See SUMO article for details.

Core Security

Hardening Firefox: Starting in Firefox 135, Firefox UI uses a strict Content-Security-Policy (CSP) in browser.xhtml to prevent XSS-like sandbox escapes (Bug 1935985). This involved modifying over 600 inline event handlers and a careful rollout with notice to people who run modified Firefox configurations. A detailed description of these security hardening efforts are available in our blogpost: Hardening the Firefox Frontend with Content Security Policies.

Sandboxing: The Windows sandbox for Content Processes has been moved to USER_RESTRICTED and rolled out in Firefox 134 and is enabled by default in Firefox 135. This change removes read access from most of the filesystem and registry for the content process. Before, read access was generally allowed outside of the User’s home directory, which has been blocked since Firefox 56. In Firefox 138, by further differentiating the Gecko Media Plugin process sandbox policy, we were also able to enable win32k lockdown and Arbitrary Code Guard (blocking dynamic code) for the openh264 GMP process.

CSS Fuzzing: We are also attributing a major piece of our platform goals to Interop 2025: Enhancements in CSS syntax generation have shown immediate results and will continue to support the work throughout the year.

XSLT Fuzzing: Early in Q1, we have incorporated an experimental XSLT fuzzer by Ivan Fratric of Google Project Zero into our infrastructure, where it is now running continuously. Thank you, Ivan!

NSS Fuzzing: Our fuzzing focus on NSS (Network Security Services) has also shown a significant uptick in NSS fuzzing coverage across both oss-fuzz as well as our internal tools. We also added a TSan target for NSS, ensuring stricter thread-safety going forward.

Site-scout: Site-scout is a tool that visits web pages with instrumented builds (like Address Sanitizer). We are continuing to enhance site-scout, such that it interacts with websites and ideally teases out more bugs.

Community Engagement

Bug Bounty: The Firefox client bug bounty program rewards contributors for finding security bugs in Firefox. Our award categories ranges from $500 to $20,000 depending on bug severity and report quality. With 31 awarded bounties this quarter, it is one of our main sources of security bug reports. The majority of the reported bugs are low or moderate severity UI spoofs. We are changing the reward structure for these kinds of bugs going forward - please find details on our Firefox bug bounty pages. We are also opening the opportunity for guest blog posts on attackanddefense.dev. Please reach out if you want to write about a previous finding of yours!

Mozilla Research Summit: The Mozilla Research Summit took place on March 1, 2025 in San Diego California. We had 56 participants from 3 continents and 25+ different research institutions. The day included some high-caliber talks from Mozillians as well as security and privacy academics and sparked new research collaborations between Mozilla and the academic community.

Co-organized Open-Source Crypto Summit: We co-organized the Open Source Cryptography Workshop (OSCW) which brings together practitioners interested in all sorts of open source crypto projects ranging from production and maintenance challenges to best practices for designing clean-sheet crypto systems with modern primitives.

Web Security & Standards

Fingerprinting: We have taken on co-authorship of the W3C’s guidance on Fingerprinting, to ensure that it matches our understanding of the evolving threats and the meaningful defenses we envision. We have merged some changes already with more under discussion.

Messaging Layer Security: Firefox is now the first browser to have a prototype implementation of MLS (Messaging Layer Security) (Bug 1876002). MLS enables end-to-end security for a wide range of use cases such as secure group messaging. MLS is available in Firefox 136 as an origin trial (set the preference dom.origin-trials.mls.state to 1) which exposes an experimental Web API that will be used by our partners.

Sanitizer API: We have updated our implementation of the Sanitizer API, which allows mitigating the risk of DOM-based cross-site scripting (XSS) attacks. This update aligns our implementation of the sanitizer API with recent developments and prepares it for a pre-release.

Integrity: We presented our plans for improved Web App Integrity at the W3C WebAppSec working group (explainer) and started to work on a first milestone towards script-integrity enforcements as part of the Subresource Integrity specification with Yoav Weis from Shopify. We also implemented integrity for import maps.

Going Forward

As a Firefox user, you will automatically benefit from all the mentioned security and privacy benefits with the enabled auto-updates in Firefox. If you are not a Firefox user yet, you can simply download Firefox and start benefiting from all the ways that Firefox works to protect you when browsing the internet.

Thanks to everyone who helps make Firefox and the open web more secure and privacy-respecting.

See you next time with the Q2 2025 Report!
- Firefox Security and Privacy Teams

The most well known type of injection attack are Cross-Site Scripting (XSS) attacks. Like the name suggests, these attacks violate the boundary between different sites and circumvent first line security defenses like the same-origin policy. As with the existence of boundaries between different sites, the Firefox UI, which runs in the parent process, is separated from web content running in lower-privileged content processes. The sandboxed web content should not be able to inject content, especially code, into the parent process. Of course there needs to be some way for both parent and child processes to communicate with each other - otherwise it would, for example, be impossible to update a tab’s title in the UI after a web page sets its own document title. The way Firefox accomplishes this interaction is through a system called IPC - inter-process communication.

In Pwn2Own (a computer hacking contest) 2022 a participant managed to find a chain of exploits that allowed them to escape the web content sandbox (cf. write-up by a ZDI employee, a generalized introduction or video by LifeOverflow). A part of this exploit chain involved creating a JavaScript inline event handler (using setAttribute) in the Firefox UI, and then triggering the execution of that event handler. For websites, the well known approach of mitigating XSS attacks using inline event handlers usually involves using a Content-Security-Policy (CSP). CSP allows for restricting what scripts are allowed to execute on a given page. Typically by only allowing scripts from specific URLs, or with specific hashes. In particular, unless ‘unsafe-inline’ is specified, all attempts to define inline event handlers are blocked by the browser. And because the Firefox UI uses HTML with some special sauce, we can actually also use CSPs in the same way to harden the Firefox frontend code.

Progress

The main Firefox UI, which contains the tabs, address bar, menu bar etc. is actually just one big XHTML document called browser.xhtml. Recently we have removed in total over 600 inline event handlers across 50 bugs from this XHTML document. At this point we want to acknowledge the support of the Firefox frontend team, without their co-operation we wouldn’t have been able to land so many changes in such a short amount of time.

Figure 1: Graph showing the number of inline event handlers in browser.xhtml over time in Firefox Nightly. The numbers were estimated using grep.

Interlude: How to replace inline event handlers

In case you are a Firefox developer, the maintainer of a Firefox fork like the Tor Browser, or just a web developer interested in securing your own website, the following might be relevant to you. The process of removing inline event handlers usually involves finding all the places that define an inline event handler like <button onclick="buttonClicked()"> and then replacing this with a call to addEventListener from a new JS file. Roughly like this:

let button = document.querySelector("button");
button.addEventListener("click", buttonClicked);

However there are some important differences to keep in mind between JS code running as inline event handlers and normal event handlers. Firstly, it’s possible to return false; from the inline event handler, which is equivalent to calling event.preventDefault(). Also note that this, which is event.currentTarget for inline event handlers, would change if you replaced it with an arrow function as the event listener.

Outlook

While browser.xhtml contains most parts of the main Firefox UI, some windows and sidebars are based on their own (X)HTML files. Due to the fact that browser.xhtml provides the largest attack vector of our frontend code we focused our initial efforts on securing and hardening browser.xhtml which already drastically improves the status quo to prevent inline script execution. For other windows, such as the “About Firefox” dialog, we go even further by adding CSPs that are much more restrictive and go beyond just blocking scripts. If you are familiar with CSP, by default we set a baseline CSP like default-src chrome: resource:;, which basically means we only allow loading resources from files that are shipped with Firefox. Historically we have already added CSPs to about: pages such as about:preferences that are displayed like normal websites (cf. Hardening Firefox against Injection Attacks). Our end goal is to block all dynamic code execution in Firefox (like eval) entirely, to provide the best and most secure Firefox version possible that is resilient to any kind of XSS attacks.

Summary

We have rewritten over 600 JavaScript event handlers to mitigate XSS and other injection attacks in the main Firefox user interface. This mitigation will ship in Firefox 138. However, blocking the execution of scripts in the parent process is not the end - we will expand this technique to other contexts in the near future. There is still more work to do as the UI requires JavaScript APIs with a high level of privileges. However: We still eliminated a whole class of attacks, significantly raising the bar for attackers to exploit Firefox. In fact, we hopefully just broke someone’s exploit chain.

The HTTPS-First feature was developed over the course of many years, starting with an opt-in feature called HTTPS-Only mode in 2020: A drastic security feature that disallows all kinds of HTTP connections and asks the user for explicit consent to allow an insecure connection before proceeding. HTTPS-Only mode will live on as a strict protection and has proven a useful replacement to extensions like HTTPS Everywhere. Albeit its usefulness, we have learned that HTTPS-Only mode is an expert user mode that is mainly used by security conscious users and as such has a rather low adoption rate. Less than 1% of Firefox users enable it. We presumed that these numbers are due to two factors: First of all, HTTPS-Only mode is opt in. Only people who already know what security protections this feature offers or people who actually go through our long settings pages will discover and enable the feature. Secondly, whenever you face pages that do not use HTTPS, you get a rather scary warning that the site is unprotected. In essence, there is too little uptake to consider HTTPS-Only a meaningful protection for all of our users.

All of the aforementioned reasons encouraged us to start developing HTTPS-First as a mechanism with opportunistic HTTPS upgrades as well as an automated fallback mechanism instead of the warning. We enabled HTTPS-First by default for users in Private Browsing Mode in 2021, which provided a really useful experimentation ground and allowed us to protect more users right away. Following this, we started to fine-tune the upgrade heuristics and optimized our changes to align with existing websites and other browsers, which also lead to us shipping mixed content upgrades in June 2024. The following milestone shipped HTTPS-First for all pages loaded through the address bar.
In the meantime, we learned of misbehaving websites, incompatibilities, and corner cases which resulted in endless upgrade downgrade loops. Over the years, the code underwent dozens of algorithmic improvements, various new heuristics to unbreak many websites and also various changes to our test suites.
During this time, we also sought to understand HTTPS adoption across our user base and along the various mechanisms that web pages and browsers may apply to improve or simplify the migration from HTTP to HTTPS. Surveying user behavior and web security at scale led to our paper “The State of https Adoption on the Web”, which was accepted at Measurements, Attacks, and Defenses for the Web (MADWeb) 2025.

Figure 1: Comparison for top-level (document) loads, relying on https, http, local http and the effectiveness of the various upgrading mechanisms for Firefox 134 (as appeared in our whitepaper)

As part of the study, we looked at the different mechanisms in Firefox that may lead to an upgrade of a navigation targeting an HTTP web page towards HTTPS. As we originally found in our study, more than 90% of links and redirects already target HTTPS from the start. Of the remaining loads, Firefox was already upgrading 1.7% using various mechanisms. The remaining 7.9% were therefore left aside as non-upgradable: We looked more deeply into those 7.9% and found that 5.5% of those are web pages on the local network, which likely do not support HTTPS because they cannot easily acquire valid certificates. And only the remaining 2.4% of loads actually happened on an insecure HTTP connection.
The 1.7% of upgradable content was mostly upgraded by HTTP Strict Transport Security (HSTS), followed by HTTPS-First (limited to loads from the address bar, at the time) and Web Extensions.
With all of these improvements, insights and the early feedback from our beta users, we made the switch and had HTTPS-First ship into release for all page loads with Firefox 136 in March 2025.

Figure 2: The same comparison as above, but for the first three weeks of Firefox 136 with HTTPS-First enabled for all users.

We can see that HTTPS-First is now upgrading 57% of all upgradable content, surpassing all other known techniques. The chart also shows that HTTPS-First as it is currently implemented is still not the only mechanism to perform upgrades. This is intentional, as we prioritize upgrade mechanisms in the order specified in the Fetch standard. Some pages may still not be upgraded at all, because our heuristics only upgrade websites that immediately return a successful HTTPS connection. Typical examples are websites redirecting to a canonical domain (e.g., redirecting between www and non-www domains) or using the HTTP protocol scheme rather than HTTPS.

Figure 3: The ratio of page loads happening via HTTPS compared to HTTP, aggregated over recent major Firefox versions.

Although we are still looking at early data, we can already see that HTTPS-First is a successful and user-friendly upgrading mechanism which allows securing the web for all mainstream Firefox release users. This solves the aforementioned issues we saw with HTTPS-Only Mode: The HTTPS-First feature is enabled for all users and does not trigger any new error pages. While we want to acknowledge that there are seasonal effects on web traffic at this scale, our telemetry suggests that HTTPS requests for Firefox users have increased by at least 1.5% with the release of HTTPS-First in Version 136.

While we drastically improved the state of https adoption on the web we are still not quite done on our path to ubiquitous encryption. On the road ahead we have to find better answers to questions about seasonal and regional effects (as highlighted in our paper). In addition, we also want to tune the aforementioned heuristics such that we can upgrade even more connections. At the same time, we can proudly say that HTTPS in Firefox is at an historic high and will trend upwards as we polish and optimize our latest improvements, without sacrificing user experience, performance or compatibility with the web at large.
And for those of you who want to be informed when visiting a page over an insecure HTTP connection or also those of you who do not shy away from error pages for unencrypted connections, we still recommend using HTTPS-Only mode.

Snapshot Fuzzing

One of the challenges  when fuzzing the IPC Layer is that isolating the interfaces that are to be tested isn’t easily doable. Instead, one needs to run an entire Firefox instance to effectively fuzz these interfaces. However, having to run a Firefox instance for fuzzing comes with another set of downsides: First, we cannot easily reset the system back into a known-good state other than restarting the entire browser. This causes issues with reproducibility and breaks determinism required by coverage-guided fuzzing. And second, many errors in the parent process are still handled by crashing, again forcing a full and time consuming restart of the browser. Both cases are essentially a performance problem - restarting the browser is simply too slow to allow for efficient and productive  fuzzing. This is where snapshot fuzzing comes into play - it allows us to take a snapshot at the point where we are “ready” to perform fuzzing and reset to that snapshot point after each fuzzing iteration at practically no cost. This snapshot technique even works when we find a bug in the parent process which would normally force us to restart the browser.

Technical Implementation

As Firefox consists of multiple processes that need to be kept in sync, we decided to use Nyx, a full-vm snapshot fuzzing tool. In this setup, Firefox runs in a guest operating system (usually Linux) and the snapshot taken is a snapshot of the whole guest including all of its processes. Nyx is also compatible with AFL++ as a frontend, a tool we already employ for other fuzzing targets.

To facilitate communication between Firefox and Nyx, we use a custom agent, essentially glue-code that is preloaded into Firefox. This code handles the low-level communication with Nyx and is also responsible for providing the trace buffer (for coverage measurements) to the AFL++ runtime linked to Firefox as well as passing through fuzzing data from AFL++. Both of these tasks are more complex in this configuration as AFL++ is not directly launching and communicating with the target binary. The agent further exposes a clean interface to Firefox that can be used to implement the actual fuzzer in Firefox itself without having to worry about the low-level details.

Technology stack for snapshot fuzzing at a glance.

On top of this interface, we have implemented multiple IPC fuzzing targets, the simplest one being IPC_SingleMessage, which we will look at in more detail now.

Fuzzing a single IPC message

Modifying a single IPC message in transit is one of the rudimentary approaches  for IPC fuzzing in general. It is especially useful if the message type being targeted is in itself complex (lots of data contained in a single message rather than a complex interface being composed of a large number of simpler messages).

For this purpose, we intercept messages in the parent process on the target thread before they are dispatched to the generated IPC code that ultimately calls the IPC method. Most of the logic is then contained in IPCFuzzController::replaceIPCMessage which primarily does either of these two things:

1. If the message type does not match our configured target message, we can optionally dump it to a file (this is useful to create seeds for different types of single message fuzzing), but otherwise we pass the message through.
2. If the message matches our target specification, take the snapshot, replace the payload of the original message with our fuzzing data and return the new (fuzzed) message to be dispatched.

Once the fuzzed message is dispatched (most commonly to a different thread), we face an important challenge  of multi-threaded snapshot fuzzing: synchronization. Coverage-guided fuzzing generally operates under the assumption that we know when our fuzzing data has been processed. Depending on the fuzzing target, it can be fairly difficult to tell when we are “done” but in our case, because we are already on the target thread that is running the actual IPC method. So unless that method again performs an asynchronous dispatch, we can just wait for the dispatch to return and we do so at the end of DispatchMessage() where we call back into IPCFuzzController to release (revert back to the snapshot).

By combining this target with a CI test¹, we are now able to find implementation flaws like for example a vulnerability in the accessibility code that involved the ShowEvent message. This message contains an array of serialized AccessibleData, making this message type a good target for single message fuzzing.

Measuring Code Coverage in Snapshot Fuzzing

Code coverage is probably the most important metric for long-term fuzzing campaigns as it highlights potential shortcomings of the fuzzing. While for most fuzzing, it is rather straightforward to generate code coverage, doing so in snapshot fuzzing is less trivial. Traditional source code coverage provided by tools like gcov which find usage with other fuzzing, aren’t easily deployable because the data would have to be pulled out of the VM on every iteration so it can be saved before the snapshot revert resets the data. Doing so would make the process of obtaining code coverage unfeasibly slow.

Instead, we decided to build our own code coverage measurement on top of the existing instrumentation. For this purpose, we added a new AFL++ instrumentation type that instruments all basic blocks and then creates a second, permanent trace buffer in AFL++ that accumulates the coverage of the regular trace buffer. Finally, we create a third buffer called the pcmap which maps every entry in the trace buffer to an address in the binary that can later be resolved to a source code location using debug information. As this information is contained in the AFL++ runtime, we need to obtain it within our custom Nyx agent and write it out to the host. The same holds for module information that denotes at which addresses Firefox modules were loaded. By combining these three sources of information, we can map the progress of Nyx fuzzing onto actual source code. We also built additional tooling to turn this basic block coverage into line-based coverage using information from a gcov build². As a result, we can generate metrics like percentage of code covered to evaluate the overall effectiveness of snapshot-based fuzzing.

Conclusion

While snapshot fuzzing is a rather complex technology with many moving parts, it allows us to effectively stress code regions  of the browser that would otherwise  remain beyond the  capabilities  of traditional fuzzing techniques,  but are critical for providing adequate security guarantees. We are happy to report that this new fuzzing technology is becoming the norm and is now an essential part of our security testing strategy. We would like to thank the authors of Nyx and AFL++ for making this technology available and hope that our combined efforts will help others to adapt snapshot fuzzing for their projects.

¹ Firefox runs many Continuous Integration tests to ensure every functionality of the browser is automatically tested.

² Unfortunately, gcov and debug information deviate in some cases, so the result is not a 100% accurate mapping yet and can’t be seamlessly merged with other gcov data. This could likely be improved using LLVM annotations for additional basic block information.