JavaScript Protection

Preventing Cross-site scripting (XSS) attacks on your passwords

With the option "Activate JavaScript protection on login" enabled, your login data will never be inserted in any form fields nor will the login form be submitted. Instead, your credentials will be sent to the login page using internal Firefox methods.
This makes it impossible for any JavaScript embedded on the page (e.g. malicious JavaScript embedded through Cross-site scripting (XSS)) to intercept your passwords.

To make sure the login data is not sent to a malicious website, manipulations of the login URL have to be prevented as well:

Preventing manipulations of the login URL

Firefox Password Manager stores the destination site for saved passwords.
Secure Login - which relies on Firefox Password Manager - will only log you in if the destination site of the login form and the stored destination URL match.
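
The destination check described above, sketched as an added example (this is not Secure Login's or Firefox's own code). The names `originOf`, `mayAutoLogin` and `storedLogin`, and all URLs, are constructed for illustration; comparing by origin (scheme, host and port) is an assumption about what "match" means here.

```javascript
// Added example: decide whether saved credentials may be sent, by comparing
// the origin the login form would submit to with the stored destination.

function originOf(urlString, base) {
  // Returns "scheme://host[:port]", or null for unparseable or non-web URLs.
  let url;
  try {
    url = new URL(urlString, base);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin;
}

function mayAutoLogin(pageUrl, formAction, storedLogin) {
  // An empty or missing action attribute submits to the page's own URL;
  // a relative action is resolved against the page URL.
  const target = originOf(formAction || pageUrl, pageUrl);
  const stored = originOf(storedLogin.destination);
  if (target === null || stored === null) {
    return { allowed: false, reason: "unparseable or non-web destination" };
  }
  if (target !== stored) {
    return { allowed: false, reason: `form submits to ${target}, stored destination is ${stored}` };
  }
  return { allowed: true, reason: "destination matches" };
}

// Constructed sample data (hypothetical record shape and hosts).
const storedLogin = { destination: "https://login.example.com" };
const page = "https://login.example.com/signin";
const actions = [
  "/session",                              // relative action, same origin
  "",                                      // empty action, submits to the page
  "https://collector.example.net/session", // action rewritten to another host
  "http://login.example.com/session",      // same host, scheme downgraded
  "javascript:void(0)",                    // not a web destination
];
for (const action of actions) {
  const r = mayAutoLogin(page, action, storedLogin);
  console.log(`${action || "(empty)"} -> ${r.allowed ? "allow" : "block"}: ${r.reason}`);
}
```

Only the first two actions are allowed; a changed host, a scheme downgrade and a non-web action all fail the comparison before any credentials would be sent.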

Activate JavaScript protection on login

You can enable this option via the context menu of the Secure Login icon:

screenshot-03

or via the preferences dialog:

screenshot-06

JavaScript protection exceptions

Some websites require JavaScript for their login forms to work.
You can add such websites to a list of Exceptions:

screenshot-09

The "Activate JavaScript protection on login" feature is ignored for all websites listed as Exceptions.

Does the JavaScript Protection feature prevent all Cross-site scripting (XSS) attacks?

No - it can only prevent your passwords from being stolen during the login process.
With Cross-site scripting (XSS), attackers might, for example, read your session cookie. If the website does not use additional authentication measures (e.g. by verifying that your IP address is consistent throughout a session), the session cookie allows an attacker to take over your session and gain full access to your account, without needing to know your password.