Open-Source Wikis

/

Gecko

/

Security

mozilla/gecko-dev

Security

Firefox's security model is layered: process sandboxing, the same-origin policy enforced via principals, content security via CSP/MixedContent/COOP-COEP, TLS via NSS, anti-tracking via ETP/Fission, and a substantial amount of static-analysis tooling.

Trust boundaries

graph TD
    Internet[Internet] -->|TLS, channels| Net[netwerk + NSS]
    Net -->|sandboxed| Socket[Socket process]
    Net -->|principal-tagged data| Content[Content process<br/>sandboxed]
    Content -->|IPC| Parent[Parent process<br/>(privileged)]
    Parent -->|spawn + sandbox| Content
    Parent -->|spawn + sandbox| GPU[GPU process]
    Parent -->|spawn + sandbox| RDD[RDD process]
    Parent -->|spawn + sandbox| Utility[Utility processes]
    User[User] -->|UI| Parent

Every cross-boundary message carries a principal (or is from a known privileged source); every boundary is enforced by an OS sandbox.

Subsystems

Anti-exploit hardening

  • W^X memory in the JIT.
  • CFI / CET on supported platforms.
  • Stack canaries, ASLR.
  • Read-only pages for sensitive structures (mozglue/baseprofiler, mfbt/MemoryChecking.h).
  • The "Win32k Lockdown" project on Windows — content processes can no longer call user32/gdi32.

Static analysis

  • The static-analysis annotations (MOZ_CAN_RUN_SCRIPT, MOZ_KNOWN_LIVE, MOZ_NO_ADDREF_RELEASE_ON_RETURN, …) are enforced by clang plugins under build/clang-plugin/.
  • Clang-tidy checks under tools/clang-tidy/.
  • Coverity, SOAP fuzzing, and OSS-Fuzz integration produce additional findings.

Reporting issues

Security bugs should go to security@mozilla.org (PGP-encrypted preferred). See SECURITY.md.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Security – Gecko wiki | Factory