Web talks at Mozilla

Save the date! The Mozilla Meetup series continues with talks focused on modern web technologies.

To account for typical no-show rates, we’ve opened more RSVP spots than we can physically accommodate. Based on our last event, only about 36 of 100 registered participants (including Mozillians) attended in person. We will admit attendees on a first-come, first-served basis and will need to close the doors once we reach room capacity (around 50 people).

Note that this event operates under the Mozilla Community Participation Guidelines.

18:00 - Doors open

18:30 - Keep Off My LAN: Firefox's Implementation of Local Network Access

In June 2025, researchers exposed Local Mess — a tracking vulnerability where Meta Pixel and Yandex Metrica scripts abused localhost access to silently track millions of Android users across the web. The web platform had a long-standing hole, and Firefox moved quickly to help close it.
This talk presents Local Network Access (LNA), the emerging standard that finally tackles these threats along with a backlog of security vulnerabilities tied to localhost and local network devices. It walks through the specification, Firefox's implementation, and the real-world deployment challenges encountered along the way and how they were mitigated.
Beyond the "what," this talk opens up a conversation. As LNA is still taking shape in the WICG, it's a chance for people building in the local network and localhost space — and for the adblocker and anti-tracking community, especially those running DNS-based blockers (Pi-hole, AdGuard Home, and similar) — to surface edge cases, breakage, and threat models that should be designed for. Anyone running services on localhost / local network, or operating local DNS-based tracking protection, is invited to share what LNA needs to get right.

About the speaker: Sunil Mayya is a software engineer on Mozilla's Firefox Networking team, based in Nuremberg, and a core contributor to Firefox's implementation of the Local Network Access standard.

19:30 - The Devil is in the Defaults - what to do about XSS

This session is about latest defenses against Cross-Site Scritping (XSS), the most prevalent security issue of all times. We will showcase typical XSS bugs and how they can be avoided. We will also explain why previous mechanisms fall short of protecting web sites at scale and why we believe Trusted Types and the Sanitizer API can help closing this gap.
The presentation will also give hands-on advice to enable security and development teams adopting these new protections. We will close with a bit on security considerations and remaining risks.

About the speaker: Frederik Braun is a security engineer and manager working on Firefox.