John Resig (of jQuery fame, now a Mozilla Corp. employee) lets us know that JSON leakage through Array constructor redefinition, one form of so called AJAX-hijacking working on Opera, Safari and Firefox, is going to be impossible on Firefox 3.
Starting with next Beta 2, in facts, most built-in global constructors (

Array, Boolean, Date, Math, Number, Object, RegExp, String

) will be constant: override attempts will raise an error.
This is obviously an incompatible change, even though the “broken” functionality shouldn’t be something you rely upon in your everyday web application.
Anyway, if you find any regression, this is currently tracked under Bug 376957.

3 Responses to “AJAX security improved in Firefox 3”

  1. #1 kuza55 says:

    Somehow this really shocks me; browser developers doing something to try and improve security rather than saying “its not our fault”…

    Looks like its going to be a cold night in hell…

  2. #2 sirdarckcat says:

    it’s a shame this doesnt work:

    function XML(){alert(123);}
    aaa;

    since that would mean.. hell? imagine, reading all XML/XHTML websites.. that would be awezomee

  3. #3 sirdarckcat says:

    just fyi..
    the example I made was..
    function XML(){alert(123);}
    <x>aaa;</x>

    hehe

Bad Behavior has blocked 33199 access attempts in the last 7 days.