mozilla/gecko-dev
Security
Firefox's security model is layered: process sandboxing, the same-origin policy enforced via principals, content security via CSP/MixedContent/COOP-COEP, TLS via NSS, anti-tracking via ETP/Fission, and a substantial amount of static-analysis tooling.
Trust boundaries
graph TD
Internet[Internet] -->|TLS, channels| Net[netwerk + NSS]
Net -->|sandboxed| Socket[Socket process]
Net -->|principal-tagged data| Content[Content process<br/>sandboxed]
Content -->|IPC| Parent[Parent process<br/>(privileged)]
Parent -->|spawn + sandbox| Content
Parent -->|spawn + sandbox| GPU[GPU process]
Parent -->|spawn + sandbox| RDD[RDD process]
Parent -->|spawn + sandbox| Utility[Utility processes]
User[User] -->|UI| ParentEvery cross-boundary message carries a principal (or is from a known privileged source); every boundary is enforced by an OS sandbox.
Subsystems
- Sandboxing (
security/sandbox/) — see features/sandboxing.md. - NSS (
security/nss/) — TLS, X.509, crypto. Mozilla's own library, also used by Red Hat / SUSE. - PSM (
security/manager/) — Personal Security Manager: the Gecko-side glue around NSS. Includes the cert verifier, mitm detection, OneCRL. - Content security (
dom/security/) — CSP, Mixed Content blocker, Referrer Policy, COOP/COEP, Cross-Origin-Resource-Policy, Sec-Fetch-* headers. - Permissions (
dom/permission/,extensions/permissions/) — geolocation, camera, microphone, notifications. - Principal / OriginAttributes (
caps/) — see primitives/principal.md. - MLS (
security/mls/,dom/mls/) — Messaging Layer Security primitives (Rust-based gatekeeper). - Trust anchors (
security/manager/ssl/trust_anchors/) — Mozilla's CA bundle, distributed via the Mozilla Root Program.
Anti-exploit hardening
- W^X memory in the JIT.
- CFI / CET on supported platforms.
- Stack canaries, ASLR.
- Read-only pages for sensitive structures (
mozglue/baseprofiler,mfbt/MemoryChecking.h). - The "Win32k Lockdown" project on Windows — content processes can no longer call user32/gdi32.
Static analysis
- The static-analysis annotations (
MOZ_CAN_RUN_SCRIPT,MOZ_KNOWN_LIVE,MOZ_NO_ADDREF_RELEASE_ON_RETURN, …) are enforced by clang plugins underbuild/clang-plugin/. - Clang-tidy checks under
tools/clang-tidy/. - Coverity, SOAP fuzzing, and OSS-Fuzz integration produce additional findings.
Reporting issues
Security bugs should go to security@mozilla.org (PGP-encrypted preferred). See SECURITY.md.
Related
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.