Mozilla opens up more on Firefox 4: Content Security, WebGL coming

The keyword for the introduction of Mozilla Firefox 3.5 was speed. That helped start a whole new race in which Firefox led early, but fell soon behind Apple Safari, Google Chrome, and later even Opera. Now with even Microsoft Internet Explorer 9 looking to erase the speed gap, and then some, a newly published Mozilla developers' page characterizes Firefox 4 -- whose first public betas may be only a few weeks away -- as feature-laden.

Enhanced security features, built-in WebM video, and new support for standards-based animation -- including live, GPU-rendered 3D -- are all part of the new feature list for Mozilla's next browser.

One of the most important inclusions in this next edition will be Content Security Policy (CSP), the Mozilla-driven specification introduced last October. Its purpose is to compel users to implement tough new code execution restrictions at the client level, such as preventing JavaScript code from generating new code, or executing any kind of inline code without signing it first. The goal here is to close many of the exploitable loopholes that enable cross-site scripting, where code from a malicious site blends with one from a benign victim site (for instance, a bank or payment provider) causing the client to reveal private data.

CSP would also act as a preventative measure for "clickjacking," an ancient but still effective measure for malicious pages to gather users' passwords by deploying invisible UIs in front of legitimate Web sites. Clickjacking was most recently the focus of an October 2008 Adobe security advisory, warning users of how invisible <IFRAME> elements on a malicious page could run Flash code imperceptibly; whether CSP will be effective at thwarting Flash-based exploits of this nature may only be determined during beta testing.

Another new Firefox 4 security measure developers will have their first opportunities to test soon is what Mozilla calls infallible memory allocation. It's a new type of malloc call named moz_xmalloc() which, when used in JavaScript, will not return a null value to the variable that calls it. A null value typically indicates that the memory allocation failed; and typically, JavaScript code tests the malloc call for failure before it proceeds to use a pointer to that memory.

Mozilla engineers said today that the new call will use a more aggressive memory location algorithm. In the context of the JavaScript application itself, it won't fail. However, in the context of the browser, it can...in which case, rather than open up the possibility for exploitation, Firefox will simply fail the entire application. With Mozilla's new memory model for Web apps, for the first time, Firefox will be able to fail a JavaScript Web app without bringing itself down with it.

A recent mockup of the likely default appearance of Firefox 4.0.  [Courtesy Mozilla]

Animation developers will be excited by the news that Firefox 4 will enable SVG patterns to be loaded as background images. Imagine a crisp, anti-aliased watermark behind your site's text that's scaled to fit your big-screen monitor or your smartphone browser (let's see how soon Mozilla passes this feature down to the test builds for Android). CSS transitions will enable sites to change certain elements of their style, such as text color and background colors, gradually from one set of style codes to another. Picture in your mind a blog with a daytime and a nighttime theme, where the background fades from light to dark like theater lights.

And yes, WebGL is coming -- the standard for GPU-processed 3D graphics over the Web, developed by the industry consortium Khronos Group whose leaders include Nvidia and Sony. It maps very closely with OpenGL ES, which Khronos also manages; and Mozilla plans to integrate it with Firefox's implementation of the HTML 5 canvas element. We're already seeing server-side rendering of 3D Flash games for the Web, but imagine PC games with rendering quality near that of discrete software, delivered over the Web. That could open up scenarios where MMORPG game servers could sign up subscribers instantly without them having to download installer packages or plug in DVD-ROMs, and game developers could enhance their universes gradually rather than in bulk releases.

WebM video is no longer a surprise, as Mozilla declared its support for built-in VP8 video the moment Google declared it would be open-sourced. Mozilla is being a little fuzzy with respect to whether WebM will be reliably working by the time of Firefox 4's release, although "pre-alpha" builds of Firefox 4 released internally do include WebM support. (We know VP8 video already works fine; what will need to be tested is the complete WebM multimedia package, including the Matroska media container and Vorbis audio codec, in conjunction with VP8 for Web servers deploying video explicitly as WebM for HTML 5.)

As Mozilla Corporation board member and Firefox contributor Christopher Blizzard told developers in a message last week, "At Mozilla, we've wanted video on the Web to move as fast as the rest of the web. That has required a baseline of open technology to build on. Theora was a good start, but VP8 is better. Expect us to start pushing on video innovation with vigor. We'll innovate like the Web has, moving from the edges in, with dozens of small revolutions that add up to something larger than the sum of those parts. VP8 is one of those pieces, HTML 5 is another...The Web is creeping into more and more technologies, with Firefox leading the way. We intend to keep leading the Web beyond HTML 5 to the next place it needs to be."

© 1998-2014 BetaNews, Inc. All Rights Reserved. Privacy Policy.