
Security Report Summary
B
Site:
Scanned Site(s):
1
IP Address:
104.16.142.228
Report Time:
03 Jun 2020 11:34:45 UTC
Checks:
Iframe Sandboxing
Crossorigin
Integrity
Link Referrer
Link Opener
Unsafe Resource
Password Pattern
Unsafe Meta
Csrf Tokens
Enabled Debugging
Warning:
Please have a look at the security issues / warnings in the report.
Security Issues
Crossorigin
The crossorigin="anonymous" attribute should be added to external resources that the browser fetches (scripts, stylesheets, images, fonts, media). Without it the file is requested in no-CORS mode and, depending on the element, the request carries any cookies and HTTP authentication credentials the browser holds for the source host; if that host is compromised, an attacker can collect these details. Note that a <link rel="dns-prefetch"> hint only resolves a host name and fetches nothing, so crossorigin has no effect on it; the first finding below is a false positive of this check.
  • <link href="https://cdn-3.convertexperiments.com/" rel="dns-prefetch"></link>[https://www.mozilla.org/en-US/exp/]
  • <img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fwww.koin.com%2Fwp-content%2Fuploads%2Fsites%2F10%2F2019%2F11%2FKOIN-Nov-2019-app-icon-45x45.jpg&resize=w450"></img>[https://www.mozilla.org/en-US/exp/]
  • <img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fmiro.medium.com%2Fmax%2F12000%2F1%2A0ikn7nusb7xxxP4FwambRQ.jpeg&resize=w450"></img>[https://www.mozilla.org/en-US/exp/]
  • <img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fmiro.medium.com%2Fmax%2F5654%2F1%2AMUMY0FrDQm9SRmB-0XOWhw.jpeg&resize=w450"></img>[https://www.mozilla.org/en-US/exp/]
  • <img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fwww.washingtonpost.com%2Fresizer%2FW0kbOn4VIIijdUkIAdUZeQmpDV0%3D%2F480x320%2Fd1i4t8bqe7zgj6.cloudfront.net%2F05-13-2020%2Ft_5ebdf1fe2eec4cf7b0f3bd29849cd6f2_name_Screen_Shot_2020_05_13_at_1_43_48_PM_scaled.jpg&resize=w450"></img>[https://www.mozilla.org/en-US/exp/]
Integrity
The integrity="sha384-..." (or sha256-/sha512-) attribute should be added to scripts and stylesheets hosted on another domain, so the browser refuses to use a file whose content no longer matches the published digest; an unexpected manipulation of a CDN-hosted script can otherwise lead to session hijacking or similar script-based attacks. Browsers enforce Subresource Integrity only on <script> and <link rel="stylesheet">, not on <img> or <link rel="dns-prefetch">, so the elements listed below are false positives of this check. For cross-origin files the attribute also requires crossorigin="anonymous" and CORS headers on the serving host.
  • <link href="https://cdn-3.convertexperiments.com/" rel="dns-prefetch"></link>[https://www.mozilla.org/en-US/exp/]
  • <img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fwww.koin.com%2Fwp-content%2Fuploads%2Fsites%2F10%2F2019%2F11%2FKOIN-Nov-2019-app-icon-45x45.jpg&resize=w450"></img>[https://www.mozilla.org/en-US/exp/]
  • <img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fmiro.medium.com%2Fmax%2F12000%2F1%2A0ikn7nusb7xxxP4FwambRQ.jpeg&resize=w450"></img>[https://www.mozilla.org/en-US/exp/]
  • <img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fmiro.medium.com%2Fmax%2F5654%2F1%2AMUMY0FrDQm9SRmB-0XOWhw.jpeg&resize=w450"></img>[https://www.mozilla.org/en-US/exp/]
  • <img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fwww.washingtonpost.com%2Fresizer%2FW0kbOn4VIIijdUkIAdUZeQmpDV0%3D%2F480x320%2Fd1i4t8bqe7zgj6.cloudfront.net%2F05-13-2020%2Ft_5ebdf1fe2eec4cf7b0f3bd29849cd6f2_name_Screen_Shot_2020_05_13_at_1_43_48_PM_scaled.jpg&resize=w450"></img>[https://www.mozilla.org/en-US/exp/]
Link Referrer
The rel="noreferrer" attribute should be added to external links that open in a new tab, so that the new page cannot reach the originating tab through window.opener (reverse tabnabbing) even in older browsers that do not support rel="noopener", and so that the Referer header is suppressed and the destination does not learn which page linked to it. A link without target="_blank" never hands the new page an opener reference, so for the links below only the referrer leak applies; a site-wide Referrer-Policy header is an alternative way to address it.
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="Android" data-download-version="android" data-link-type="download" href="https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dmozilla%26utm_medium%3DReferral%26utm_campaign%3Dmozilla-org">Android</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="iOS" data-download-version="ios" data-link-type="download" href="https://itunes.apple.com/us/app/firefox-private-safe-browser/id989804926">iOS</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="Android" data-download-version="android" data-link-type="download" href="https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dmozilla%26utm_medium%3DReferral%26utm_campaign%3Dmozilla-org">Android</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="iOS" data-download-version="ios" data-link-type="download" href="https://itunes.apple.com/us/app/firefox-private-safe-browser/id989804926">iOS</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button mzp-t-secondary mzp-t-small mzp-c-button mzp-t-product" data-display-name="Android" data-download-location="nav" data-download-os="Android" data-download-version="android" data-link-type="download" href="https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dmozilla%26utm_medium%3DReferral%26utm_campaign%3Dmozilla-org"> <strong class="download-title"> Download Firefox </strong> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button mzp-t-secondary mzp-t-small mzp-c-button mzp-t-product" data-display-name="iOS" data-download-location="nav" data-download-os="iOS" data-download-version="ios" data-link-type="download" href="https://itunes.apple.com/us/app/firefox-private-safe-browser/id989804926"> <strong class="download-title"> Download Firefox </strong> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="js-fxa-cta-link mzp-c-button mzp-t-product mzp-t-secondary mzp-t-small c-navigation-fxa-cta" data-action="https://accounts.firefox.com/" data-alt-href="/en-US/firefox/accounts/" data-cta-position="navigation" data-cta-text="Get a Firefox Account" data-cta-type="fxa-sync" data-mozillaonline-action="https://accounts.firefox.com.cn/" data-mozillaonline-link="https://accounts.firefox.com.cn/signup?entrypoint=mozilla.org-globalnav&form_type=button&utm_source=mozilla.org-globalnav&utm_medium=referral&utm_campaign=navigation&utm_content=get-firefox-account" href="https://accounts.firefox.com/signup?entrypoint=mozilla.org-globalnav&form_type=button&utm_source=mozilla.org-globalnav&utm_medium=referral&utm_campaign=navigation&utm_content=get-firefox-account">Get a Firefox Account</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-menu-item-link" data-link-group="firefox" data-link-name="Pocket by Firefox" data-link-position="topnav" data-link-type="nav" href="https://getpocket.com/firefox_learnmore/?utm_source=www.mozilla.org&utm_medium=referral&utm_campaign=nav&utm_content=firefox"> <svg class="mzp-c-menu-item-icon" height="22" width="24" xmlns="http://www.w3.org/2000/svg"><path d="M12 21.5c-6.627 0-12-5.373-12-12v-6a3 3 0 0 1 3-3h18a3 3 0 0 1 3 3v6c0 6.627-5.373 12-12 12zm5.977-15.048a1.485 1.485 0 0 0-1.087.479l-4.923 4.924-4.835-4.851A1.476 1.476 0 0 0 6 6.452a1.5 1.5 0 0 0-1.071 2.55l-.024.016 4.94 4.96 1.06 1.06a1.5 1.5 0 0 0 2.121 0l1.06-1.06 4.964-4.96a1.5 1.5 0 0 0-1.073-2.566z" fill="#FF4056" fill-rule="nonzero"></path></svg><h4 class="mzp-c-menu-item-title">Pocket</h4> <p class="mzp-c-menu-item-desc">Save content. Absorb knowledge.</p> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-menu-item-link" data-link-group="firefox" data-link-name="Firefox for Fire TV" data-link-position="topnav" data-link-type="nav" href="https://www.amazon.com/Mozilla-Firefox-for-Fire-TV/dp/B078B5YMPD"> <svg class="mzp-c-menu-item-icon" height="24" width="24" xmlns="http://www.w3.org/2000/svg"><path d="M3 3h18a3 3 0 0 1 3 3v12a3 3 0 0 1-3 3H3a3 3 0 0 1-3-3V6a3 3 0 0 1 3-3zm0 2a1 1 0 0 0-1 1v12a1 1 0 0 0 1 1h18a1 1 0 0 0 1-1V6a1 1 0 0 0-1-1H3zm13.496 6.132a1 1 0 0 1 0 1.736l-7 4A1 1 0 0 1 8 16V8a1 1 0 0 1 1.496-.868l7 4zM10 9.723v4.554L13.984 12 10 9.723z" fill="#000" fill-rule="nonzero"></path></svg><h4 class="mzp-c-menu-item-title">Firefox for Fire TV</h4> <p class="mzp-c-menu-item-desc">Watch videos and browse the internet on your Amazon Fire TV.</p> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-menu-item-link" data-link-group="projects" data-link-name="Hubs" data-link-position="topnav" data-link-type="nav" href="https://hubs.mozilla.com/?utm_source=www.mozilla.org&utm_medium=referral&utm_campaign=nav&utm_content=projects"> <svg class="mzp-c-menu-item-icon" height="24" width="24" xmlns="http://www.w3.org/2000/svg"><path d="M13 21.387l7.445-3.723A1 1 0 0 0 21 16.77V7.618l-8 4v9.769zm-2 .005v-9.774l-8-4v9.149c-.003.38.21.729.547.899L11 21.392zm8.759-15.39l-7.315-3.657a.999.999 0 0 0-.887 0L4.241 6.001 12 9.882l7.759-3.88zM13.335.555l8 4A3 3 0 0 1 23 7.24v9.53a3 3 0 0 1-1.663 2.684l-8 4a3 3 0 0 1-2.684 0L2.65 19.453A2.997 2.997 0 0 1 1 16.76V7.24a3 3 0 0 1 1.663-2.684L10.665.554a3 3 0 0 1 2.67 0z" fill="#000" fill-rule="nonzero"></path></svg><h4 class="mzp-c-menu-item-title">Hubs</h4> <p class="mzp-c-menu-item-desc">Meet people in experimental Mixed Reality chatrooms with Firefox.</p> </a>[https://www.mozilla.org/en-US/exp/]
  • <a aria-controls="mzp-c-menu-panel-developers" aria-haspopup="true" class="mzp-c-menu-title" href="https://developer.mozilla.com/">Developers</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-menu-item-link" data-link-group="developers" data-link-name="Developer Innovations" data-link-position="topnav" data-link-type="nav" href="https://developer.mozilla.com/?utm_source=www.mozilla.org&utm_medium=referral&utm_campaign=nav&utm_content=developers"> <svg class="mzp-c-menu-item-icon" height="24" width="24" xmlns="http://www.w3.org/2000/svg"><path d="M2.382 8H1a1 1 0 0 1-.857-1.514C3.013 1.7 7.079-.154 11.403.512 14.755 1.028 18 3.19 18 5c0 .83.097.955.98 1.286.349.13 2.105.688 2.336.765 1.888.63 2.548 2.23 2.165 4.145-.262 1.308-1.04 2.777-1.774 3.511-.901.902-1.592.902-3.377.49-.611-.141-.957-.197-1.33-.197-2.657 0-4 2.15-4 7a1 1 0 0 1-1 1c-2.897 0-5.77-1.077-8.6-3.2a1 1 0 0 1-.294-1.247L4.382 16H3a1 1 0 0 1-.894-1.447L3.382 12H2a1 1 0 0 1-.894-1.447L2.382 8zm8.64 12.95C11.255 15.803 13.239 13 17 13c.564 0 1.03.075 1.78.248 1.103.254 1.303.254 1.513.045.453-.453 1.042-1.565 1.226-2.49.204-1.017-.03-1.586-.835-1.854-.186-.062-2.001-.639-2.405-.79C16.652 7.549 16 6.71 16 5c0-.524-2.406-2.128-4.902-2.512-3.051-.47-5.905.58-8.204 3.512H4a1 1 0 0 1 .894 1.447L3.618 10H5a1 1 0 0 1 .894 1.447L4.618 14H6a1 1 0 0 1 .894 1.447l-1.618 3.237c1.937 1.324 3.85 2.075 5.747 2.267z" fill="#000" fill-rule="nonzero"></path></svg><h4 class="mzp-c-menu-item-title">Developer Innovations</h4> <p class="mzp-c-menu-item-desc">Projects that help keep the internet open and accessible for all.</p> </a>[https://www.mozilla.org/en-US/exp/]
  • <a data-link-group="developers" data-link-name="Firefox Playground" data-link-position="subnav" data-link-type="nav" href="https://mozilladevelopers.github.io/playground/?utm_source=www.mozilla.org&utm_medium=referral&utm_campaign=nav&utm_content=developers">Firefox Playground</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="Android" data-download-version="android" data-link-type="download" href="https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dmozilla%26utm_medium%3DReferral%26utm_campaign%3Dmozilla-org">Android</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="iOS" data-download-version="ios" data-link-type="download" href="https://itunes.apple.com/us/app/firefox-private-safe-browser/id989804926">iOS</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="Android" data-download-version="android" data-link-type="download" href="https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dmozilla%26utm_medium%3DReferral%26utm_campaign%3Dmozilla-org">Android</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="iOS" data-download-version="ios" data-link-type="download" href="https://itunes.apple.com/us/app/firefox-private-safe-browser/id989804926">iOS</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-display-name="Android" data-download-location="primary cta" data-download-os="Android" data-download-version="android" data-link-type="download" href="https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dmozilla%26utm_medium%3DReferral%26utm_campaign%3Dmozilla-org"> <strong class="download-title"> <span>Firefox</span> for Android </strong> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-display-name="iOS" data-download-location="primary cta" data-download-os="iOS" data-download-version="ios" data-link-type="download" href="https://itunes.apple.com/us/app/firefox-private-safe-browser/id989804926"> <strong class="download-title"> <span>Firefox</span> for iOS </strong> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-card-block-link" data-card-tag="Pocket" data-link-group="card" data-link-name="Discover the best reads" data-link-type="link" href="https://blog.getpocket.com/?utm_source=www.mozilla.org&utm_medium=referral&utm_campaign=homepage&utm_content=card"> <div class="mzp-c-card-media-wrapper"> <div class="lazy-image-container"><img alt="" class="mzp-c-card-image" data-src="https://www.mozilla.org/media/contentcards/img/home-2019/card_1/reads.9b652ec5bff6.png" data-srcset="https://www.mozilla.org/media/contentcards/img/home-2019/card_1/reads-high-res.498adb3b0d3e.png 2x" src="https://www.mozilla.org/media/img/placeholder.71a50dbba44c.png"></img><noscript><img alt="" class="mzp-c-card-image" data-srcset="https://www.mozilla.org/media/contentcards/img/home-2019/card_1/reads-high-res.498adb3b0d3e.png 2x" src="https://www.mozilla.org/media/contentcards/img/home-2019/card_1/reads.9b652ec5bff6.png"></img></noscript></div> </div> <div class="mzp-c-card-content"> <div class="mzp-c-card-tag">Pocket</div> <h2 class="mzp-c-card-title"><span>Discover the best reads</span></h2> <p class="mzp-c-card-desc">Pocket has the best new perspectives, hidden gems, fascinating deep-dives and timeless classics any time you want a break.</p> </div> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-card-block-link" data-card-tag="Emerging Technologies" data-link-group="card" data-link-name="Hubs by Mozilla" data-link-type="link" href="https://hubs.mozilla.com/?utm_source=www.mozilla.org&utm_medium=referral&utm_campaign=homepage&utm_content=card"> <div class="mzp-c-card-media-wrapper"> <div class="lazy-image-container"><img alt="" class="mzp-c-card-image" data-src="https://www.mozilla.org/media/contentcards/img/home-2019/card_7/hubs.a4dd948f9884.jpg" data-srcset="https://www.mozilla.org/media/contentcards/img/home-2019/card_7/hubs-high-res.6644f2e2210d.jpg 2x" src="https://www.mozilla.org/media/img/placeholder.71a50dbba44c.png"></img><noscript><img alt="" class="mzp-c-card-image" data-srcset="https://www.mozilla.org/media/contentcards/img/home-2019/card_7/hubs-high-res.6644f2e2210d.jpg 2x" src="https://www.mozilla.org/media/contentcards/img/home-2019/card_7/hubs.a4dd948f9884.jpg"></img></noscript></div> </div> <div class="mzp-c-card-content"> <div class="mzp-c-card-tag">Emerging Technologies</div> <h2 class="mzp-c-card-title"><span>Hubs by Mozilla</span></h2> <p class="mzp-c-card-desc">Share a virtual room with friends. Watch videos, play with 3D objects, or just hang out.</p> </div> </a>[https://www.mozilla.org/en-US/exp/]
  • <a href="https://getpocket.com/@MozillaHQ">Subscribe</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-card-block-link" data-card-tag="koin.com" data-link-group="card" data-link-name="Pocket Link 1" data-link-type="link" href="https://www.koin.com/am-extra/monitoring-cyber-security-while-working-remotely/"> <div class="mzp-c-card-media-wrapper"> <div class="lazy-image-container"><img alt="" class="mzp-c-card-image" data-src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fwww.koin.com%2Fwp-content%2Fuploads%2Fsites%2F10%2F2019%2F11%2FKOIN-Nov-2019-app-icon-45x45.jpg&resize=w450" src="https://www.mozilla.org/media/img/placeholder.71a50dbba44c.png"></img><noscript><img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fwww.koin.com%2Fwp-content%2Fuploads%2Fsites%2F10%2F2019%2F11%2FKOIN-Nov-2019-app-icon-45x45.jpg&resize=w450"></img></noscript></div> </div> <div class="mzp-c-card-content"> <div class="mzp-c-card-tag">koin.com</div> <h2 class="mzp-c-card-title"><span>Monitoring cyber security while working remotely</span></h2> </div> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-card-block-link" data-card-tag="medium.com" data-link-group="card" data-link-name="Pocket Link 2" data-link-type="link" href="https://medium.com/authority-magazine/how-mozillas-lindsey-shepard-tackles-the-extreme-work-life-balance-of-being-a-woman-in-stem-during-9c5b4b30fcbf"> <div class="mzp-c-card-media-wrapper"> <div class="lazy-image-container"><img alt="" class="mzp-c-card-image" data-src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fmiro.medium.com%2Fmax%2F12000%2F1%2A0ikn7nusb7xxxP4FwambRQ.jpeg&resize=w450" src="https://www.mozilla.org/media/img/placeholder.71a50dbba44c.png"></img><noscript><img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fmiro.medium.com%2Fmax%2F12000%2F1%2A0ikn7nusb7xxxP4FwambRQ.jpeg&resize=w450"></img></noscript></div> </div> <div class="mzp-c-card-content"> <div class="mzp-c-card-tag">medium.com</div> <h2 class="mzp-c-card-title"><span>How Mozilla’s Lindsey Shepard tackles the extreme work life balance of being a woman in STEM during COVID-19</span></h2> </div> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-card-block-link" data-card-tag="medium.com" data-link-group="card" data-link-name="Pocket Link 3" data-link-type="link" href="https://medium.com/authority-magazine/how-firefox-vp-selena-deckelmann-tackles-the-extreme-work-life-balance-of-being-a-woman-in-stem-b42525f715af"> <div class="mzp-c-card-media-wrapper"> <div class="lazy-image-container"><img alt="" class="mzp-c-card-image" data-src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fmiro.medium.com%2Fmax%2F5654%2F1%2AMUMY0FrDQm9SRmB-0XOWhw.jpeg&resize=w450" src="https://www.mozilla.org/media/img/placeholder.71a50dbba44c.png"></img><noscript><img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fmiro.medium.com%2Fmax%2F5654%2F1%2AMUMY0FrDQm9SRmB-0XOWhw.jpeg&resize=w450"></img></noscript></div> </div> <div class="mzp-c-card-content"> <div class="mzp-c-card-tag">medium.com</div> <h2 class="mzp-c-card-title"><span>How Firefox VP Selena Deckelmann tackles the extreme work life balance of being a woman in STEM during COVID-19</span></h2> </div> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-card-block-link" data-card-tag="washingtonpost.com" data-link-group="card" data-link-name="Pocket Link 4" data-link-type="link" href="https://www.washingtonpost.com/washington-post-live-the-path-forward-privacy-and-the-pandemic/"> <div class="mzp-c-card-media-wrapper"> <div class="lazy-image-container"><img alt="" class="mzp-c-card-image" data-src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fwww.washingtonpost.com%2Fresizer%2FW0kbOn4VIIijdUkIAdUZeQmpDV0%3D%2F480x320%2Fd1i4t8bqe7zgj6.cloudfront.net%2F05-13-2020%2Ft_5ebdf1fe2eec4cf7b0f3bd29849cd6f2_name_Screen_Shot_2020_05_13_at_1_43_48_PM_scaled.jpg&resize=w450" src="https://www.mozilla.org/media/img/placeholder.71a50dbba44c.png"></img><noscript><img alt="" class="mzp-c-card-image" src="https://img-getpocket.cdn.mozilla.net/direct?url=https%3A%2F%2Fwww.washingtonpost.com%2Fresizer%2FW0kbOn4VIIijdUkIAdUZeQmpDV0%3D%2F480x320%2Fd1i4t8bqe7zgj6.cloudfront.net%2F05-13-2020%2Ft_5ebdf1fe2eec4cf7b0f3bd29849cd6f2_name_Screen_Shot_2020_05_13_at_1_43_48_PM_scaled.jpg&resize=w450"></img></noscript></div> </div> <div class="mzp-c-card-content"> <div class="mzp-c-card-tag">washingtonpost.com</div> <h2 class="mzp-c-card-title"><span>The Path Forward: Privacy & the Pandemic</span></h2> </div> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="mzp-c-card-block-link" data-card-tag="Developers" data-link-group="card" data-link-name="Browse our developer tools" data-link-type="link" href="https://developer.mozilla.com/?utm_source=www.mozilla.org&utm_medium=referral&utm_campaign=homepage&utm_content=card"> <div class="mzp-c-card-media-wrapper"> <div class="lazy-image-container"><img alt="" class="mzp-c-card-image" data-src="https://www.mozilla.org/media/contentcards/img/home-2019/card_11/dev.e52f8c52f2a7.jpg" data-srcset="https://www.mozilla.org/media/contentcards/img/home-2019/card_11/dev-high-res.231b9c104561.jpg 2x" src="https://www.mozilla.org/media/img/placeholder.71a50dbba44c.png"></img><noscript><img alt="" class="mzp-c-card-image" data-srcset="https://www.mozilla.org/media/contentcards/img/home-2019/card_11/dev-high-res.231b9c104561.jpg 2x" src="https://www.mozilla.org/media/contentcards/img/home-2019/card_11/dev.e52f8c52f2a7.jpg"></img></noscript></div> </div> <div class="mzp-c-card-content"> <div class="mzp-c-card-tag">Developers</div> <h2 class="mzp-c-card-title"><span>Browse our developer tools</span></h2> <p class="mzp-c-card-desc">Get tools, resources, videos and more to develop high quality, compatible web experiences.</p> </div> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="Android" data-download-version="android" data-link-type="download" href="https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dmozilla%26utm_medium%3DReferral%26utm_campaign%3Dmozilla-org">Android</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="iOS" data-download-version="ios" data-link-type="download" href="https://itunes.apple.com/us/app/firefox-private-safe-browser/id989804926">iOS</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="Android" data-download-version="android" data-link-type="download" href="https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dmozilla%26utm_medium%3DReferral%26utm_campaign%3Dmozilla-org">Android</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-download-os="iOS" data-download-version="ios" data-link-type="download" href="https://itunes.apple.com/us/app/firefox-private-safe-browser/id989804926">iOS</a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-display-name="Android" data-download-location="secondary cta" data-download-os="Android" data-download-version="android" data-link-type="download" href="https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dmozilla%26utm_medium%3DReferral%26utm_campaign%3Dmozilla-org"> <strong class="download-title"> <span>Firefox</span> for Android </strong> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="download-link button button-green mzp-c-button mzp-t-product" data-display-name="iOS" data-download-location="secondary cta" data-download-os="iOS" data-download-version="ios" data-link-type="download" href="https://itunes.apple.com/us/app/firefox-private-safe-browser/id989804926"> <strong class="download-title"> <span>Firefox</span> for iOS </strong> </a>[https://www.mozilla.org/en-US/exp/]
  • <a class="twitter" data-link-name="Twitter (@mozilla)" data-link-type="footer" href="https://twitter.com/mozilla">Twitter<span> (@mozilla)</span></a>[https://www.mozilla.org/en-US/exp/]
  • <a class="instagram" data-link-name="Instagram (@mozilla)" data-link-type="footer" href="https://www.instagram.com/mozilla/">Instagram<span> (@mozilla)</span></a>[https://www.mozilla.org/en-US/exp/]
Additional Information
Iframe Sandboxing
The sandbox="" attribute should always be added to iframes with untrusted or third-party sources. It applies a set of restrictions to the framed document (no script execution, no form submission, no top-level navigation, an opaque origin) that can be selectively relaxed with tokens such as allow-scripts or allow-forms. Avoid combining allow-scripts with allow-same-origin for content from your own origin, since the framed page could then remove the sandbox attribute itself.
Crossorigin
The crossorigin="anonymous" attribute should be added to external resources that the browser fetches (scripts, stylesheets, images, fonts, media). Without it the file is requested in no-CORS mode and, depending on the element, the request carries any cookies and HTTP authentication credentials the browser holds for the source host; if that host is compromised, an attacker can collect these details. The attribute has no effect on <link rel="dns-prefetch"> hints, which resolve a host name and fetch nothing.
Integrity
The integrity="sha384-..." (or sha256-/sha512-) attribute should be added to scripts and stylesheets hosted on another domain, so the browser refuses to use a file whose content no longer matches the published digest; an unexpected manipulation of a CDN-hosted script can otherwise lead to session hijacking or similar script-based attacks. Browsers enforce Subresource Integrity only on <script> and <link rel="stylesheet">, not on images or prefetch hints, and cross-origin files additionally need crossorigin="anonymous" and CORS headers on the serving host.
Link Opener
The rel="noopener" attribute should always be added to external links that open in a new tab (target="_blank") to prevent reverse tabnabbing. Without it the new page receives a window.opener reference; the same-origin policy stops it from reading the original page's DOM or cookies, but it can set window.opener.location and redirect the original tab to a look-alike login page. Current browsers apply noopener to target="_blank" links by default, but the attribute still matters for older clients and for windows opened with window.open().
Link Referrer
The rel="noreferrer" attribute should be added to external links that open in a new tab, so that the new page cannot reach the originating tab through window.opener (reverse tabnabbing) even in older browsers that do not support rel="noopener", and so that the Referer header is suppressed and the destination does not learn which page linked to it. A link without target="_blank" never hands the new page an opener reference; for such links only the referrer leak applies, which a site-wide Referrer-Policy header can also address.
Unsafe Resource
If a resource is loaded over src="http://...", it travels in cleartext even when the page itself was loaded over HTTPS. This is mixed content: the page is securely loaded but embeds unencrypted resources that an on-path attacker can read or replace. Browsers block active mixed content (scripts, stylesheets, frames) and show a warning for passive content such as images, but by the time the warning is visible the resource has already been fetched, so a manipulation may already have succeeded.
Password Pattern
The pattern="..." attribute should be added to password fields, because a password-strength check implemented in JavaScript does not run when the user has disabled scripts, whereas pattern is enforced by the browser's built-in form validation. Either way the client-side check is advisory only, since a request can be crafted without the browser; the authoritative check belongs on the server.
Unsafe Meta
The <meta name="generator" content="WordPress x.x"></meta> and <meta content="deny" http-equiv="X-Frame-Options"></meta> tags should be removed from the HTML. The generator tag reveals the CMS and its version, which lets an attacker look up known vulnerabilities, and X-Frame-Options is only honoured as an HTTP response header: browsers ignore it in a meta tag, so the page remains frameable while appearing to be protected.
Csrf Tokens
Cross-site request forgery (CSRF), also known as one-click attack or session riding, is an exploit in which unauthorized commands are transmitted to a web application on behalf of an authenticated user. One way an attacker prepares such an attack is to read the HTML of the site for tokens in <input> tags; a session identifier should never be embedded in the HTML document. Anti-CSRF tokens are placed in hidden inputs by design, but they must be unpredictable, bound to the session and distinct from the session identifier itself.
Enabled Debugging
If debugging is enabled on a production server, it may give an attacker valuable information about the inner structure of a web application (stack traces, file paths, framework versions, configuration values), which can be used to find injection or other vulnerabilities. Debugging should therefore always be disabled in production.
Scanned URL(s)
Internet for people, not profit — Mozilla