Index: Security
Defensive hardening on browser trust boundaries: protocol decoders consuming server-pushed data, and disclosure surfaces between the browser and the operating system. Topical explainers only — no exploitation specifics.
A subset of my Firefox work touched code that sits on a trust boundary. Some of these boundaries face the network (binary decoders that parse server-pushed update payloads). Some face the operating system (clipboard writes from private windows that the OS may archive). The classes of bugs to worry about at each boundary are well known: integer overflows and out-of-range reads at the parser layer; defaults that fail open to disclosure at the OS-API layer.
On Mozilla security embargo. Two of the three posts below describe work tied to bugs that are currently in restricted security groups at Mozilla. Bugzilla refuses to even confirm those bugs exist to anyone outside the security group, and that’s by design — fixes ship to release before the bug is opened to the public, so users get protection before attackers get a roadmap. While the embargo holds, those two posts intentionally do not link the Bugzilla bug, the Phabricator revision, the file path, or the specific algorithm. They describe the class of issue and the general shape of the defensive treatment. When the embargo lifts, I’ll backfill the specifics. The third post (Embed Link Preservation) was always public and is linked normally.
Articles
- Defensive Range Checks in a Browser-Side Compression Decoder - (embargoed) Why browser-side decoders that consume server-pushed update payloads need explicit parameter validation, written at the class-of-issue level
- Marking Browser Clipboard Writes as Sensitive in Private Contexts - (embargoed) Why a single clipboard call site that forgets the OS-level sensitive flag becomes a long-term disclosure surface, written at the class-of-issue level
- Embed Link Preservation - Sanitizing untrusted third-party HTML for SmartBlock, with a security review by freddyb