Gecko Security Patches: Index

From Firefox Privacy Engineering at Mozilla
First created May 26, 2026
Last edited May 26, 2026

This page indexes three security patches in Gecko, Firefox’s C++ rendering engine, written across the internship. Two are under Mozilla security embargo, so their writeups stay at the class-of-issue level until the bugs are de-restricted: a defensive range check in a browser-side compression decoder consuming server-pushed data on a trust boundary, and a fix to mark clipboard writes from private-browsing contexts as sensitive so the OS clipboard history does not archive them across devices. The third is the SmartBlock embed link preservation work, which extracts text and links out of blocked third-party embeds and re-renders them in place with three layers of XSS defense.

Mozilla security work has a different shape from feature work. The bugs are restricted until the fix has shipped to release across all supported channels, which means the writeups here describe the class of bug rather than the specific surface or the specific input that triggers it. When the bugs are de-restricted, I will update each post with the Bugzilla and Phabricator links.

Patches

Defensive Range Checks in a Browser-Side Compression Decoder

Main article: Defensive Range Checks. Under Mozilla security embargo.

A topical explainer on parameter validation for binary decoders that consume server-pushed data on a trust boundary. Browsers ship a handful of small binary decoders for infrastructure data — small numbers with predictable distributions, compressed with schemes designed for that distribution. The post walks through three reasons why decoders on a trust boundary need explicit range checks even when the producer is well-known: the producer can be wrong, the boundary can move, and the decoder can be reused for inputs it was not originally designed to consume.

Marking Browser Clipboard Writes as Sensitive in Private Contexts

Main article: Clipboard Sensitivity in Private Contexts. Under Mozilla security embargo.

A topical explainer on a class of issue that emerges when browsers have many call sites that write to the clipboard, and each one is independently responsible for setting an OS-level “sensitive” flag that opts out of clipboard history archiving. macOS, Windows, and Linux all have some form of cross-device clipboard history; the flag exists for exactly this case. When a single call site forgets to set the flag, copies from private-browsing windows get archived by the OS, which partially defeats the point of private browsing. The post discusses the fragility of distributed responsibility and the shape of the fix.

SmartBlock Embed Link Preservation

Main article: Embed Link Preservation.

Bug 1976290. Firefox’s SmartBlock replaces tracker-blocked third-party embeds (Twitter, Instagram) with a click-to-load placeholder. For a tweet that’s text and a link, the actual content is sitting in the DOM as HTML attributes — it’s just not being rendered. This patch extracts the text and links and re-renders them inside the placeholder, so users see the content immediately and only need to click through if they want media. The embed HTML comes from an untrusted third party, so the patch uses three layers of defense: the Sanitizer API to neutralize script content, a strict allowlist on the extracted nodes (only <p>, <a> with rel="noopener noreferrer", plain text), and a CSP on the placeholder element that blocks inline scripts and external loads. Reviewers: manuel, webcompat-reviewers, twisniewski, freddyb (security review).
