April 5, 2005

another shot at 1.0.3

After further consideration (and investigation), we have decided that it may be necessary to take a rather larger change into 1.0.3 than we had planned. We've run into one of those "fix the root cause or patch around the symptoms" trade-offs, and to prevent future security issues, we're leaning towards the "fix the root problem" fix.

The problem with "the right fix" is that it will probably break a number of extensions - we've already determined that features within DOM Inspector will break and need to be patched.

You can get the Windows build that includes this fix here. The Mac build is here. The Linux build is here.

If you're testing these builds, please set the javascript.options.showInConsole pref to true in about:config, run with your JavaScript Console open (Tools -> JavaScript Console), and note any errors that come up, especially if and when an extension is failing.

I'm happy to see feedback here. If it's about a specific extension that broke between 1.0.2 and this 1.0.3 build, please note that (and the JS errors) at bug 289231. If it's more general in nature, or you don't have specific error reports, then feel free to post here at this blog or in mail to asa@mozilla.org. Also, if you crash, please submit talkback reports and include the crash report ID in your feedback.

Thanks for all your help so far. The sooner we can gather information on this change, the better it will be for our users' security, and our extensions and extension community. It's also worth noting that the extensions that could break from this change were probably a genuine security risk themselves and so this approach should lead to an overall more secure experience for all of our users.

Posted by asa at 5:40 PM

 
