First Firefox demo for Content Security Policy
The Mozilla Foundation has presented the first demonstration of its new Content Security Policy (CSP), a mechanism intended to help prevent cross-site scripting (XSS) attacks.
CSP lets web administrators send a special HTTP response header (X-Content-Security-Policy: allow 'self';) that tells the browser which domains it may accept as sources of trusted code. Conventional XSS attacks exploit injection flaws in web applications to make the browser execute attacker-supplied JavaScript with the privileges of the trusted site's own origin.
With CSP, the browser executes only scripts that originate from domains on the whitelist and blocks everything else, including script embedded inline in the page. An administrator can, for example, designate a dedicated script server as the only permitted source of scripts. An attacker who still manages to inject script into the site's HTML should then find that the browser refuses to run it.
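To make the whitelist decision concrete, here is an added illustration (not Mozilla's code and not part of the original report): a simplified model of the check a CSP-aware browser performs before running a script under the prototype X-Content-Security-Policy header. The directive names (allow, script-src, options) and source expressions ('self', 'none', host patterns) follow the 2009 Mozilla draft; the parser, the fallback to allow 'none' when no directive applies, and the example hosts (www.example.com, static.example.com, evil.example.net) are this example's own assumptions.

```javascript
// Added illustration, not Mozilla's code: a simplified model of the decision a
// CSP-aware browser makes before running a script under the prototype
// X-Content-Security-Policy header.  Directive names (allow, script-src,
// options) and source expressions ('self', 'none', host patterns) follow the
// 2009 Mozilla draft; the parser and fallback rules are this example's own
// assumptions, not Firefox's implementation.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// "allow 'self'; script-src 'self' https://static.example.com"
//   -> { allow: ["'self'"], 'script-src': ["'self'", 'https://static.example.com'] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Does one source expression admit a script served from scriptUrl (a URL object)?
function sourceMatches(source, pageOrigin, scriptUrl) {
  if (source === "'none'") return false;
  if (source === "'self'") return scriptUrl.origin === pageOrigin;
  if (source === '*') return true;

  // Host expression, optionally with a scheme, a leading wildcard label and a
  // port: https://static.example.com, *.example.com, example.com:8080
  let scheme = null;
  let hostPort = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m) [, scheme, hostPort] = m;
  if (scheme && scriptUrl.protocol !== scheme + ':') return false;

  const [host, port] = hostPort.split(':');
  const scriptPort = scriptUrl.port || DEFAULT_PORT[scriptUrl.protocol] || '';
  if (port && port !== scriptPort) return false;
  if (host.startsWith('*.')) return scriptUrl.hostname.endsWith(host.slice(1));
  return scriptUrl.hostname === host;
}

// Decide whether one script may run on a page served from pageOrigin under the
// given policy.  `script` is { inline: true } for an inline <script> block or
// { src: url } for an external one.
function scriptAllowed(policy, pageOrigin, script) {
  // Inline script is refused unless the policy explicitly opts back in with
  // "options inline-script"; this is what defeats the classic XSS payload.
  if (script.inline) return (policy.options || []).includes('inline-script');

  // script-src overrides the catch-all allow.  With neither present this model
  // behaves like allow 'none' (a conservative assumption of this example).
  const sources = policy['script-src'] || policy.allow || ["'none'"];
  const url = new URL(script.src);
  return sources.some((s) => sourceMatches(s, pageOrigin.toLowerCase(), url));
}

// Constructed scenario: a page on www.example.com that serves its own scripts
// from a dedicated static host and has a stored-XSS hole in a comment field.
const pageOrigin = 'https://www.example.com';
const policy = parsePolicy("allow 'self'; script-src 'self' https://static.example.com");

const decisions = {
  selfHosted: scriptAllowed(policy, pageOrigin, { src: 'https://www.example.com/app.js' }),
  staticHost: scriptAllowed(policy, pageOrigin, { src: 'https://static.example.com/lib.js' }),
  attackerHost: scriptAllowed(policy, pageOrigin, { src: 'https://evil.example.net/x.js' }),
  injectedInline: scriptAllowed(policy, pageOrigin, { inline: true }),
  downgradedScheme: scriptAllowed(policy, pageOrigin, { src: 'http://static.example.com/lib.js' }),
};
console.log(decisions);
// { selfHosted: true, staticHost: true, attackerHost: false,
//   injectedInline: false, downgradedScheme: false }
```

On the server side the policy is just one more response header; in a Node HTTP handler, for instance, `res.setHeader('X-Content-Security-Policy', "allow 'self'; script-src 'self' https://static.example.com")`. The point the model makes visible is that the whitelist alone is not what stops a typical injection: it is the refusal to run inline script, combined with the attacker not controlling any whitelisted host, that leaves the injected payload inert.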
CSP only works in a browser that has been specially prepared for it; the new preview build of Firefox supports the feature. Although this build does not yet implement the full specification, it is enough for an initial impression, and a special demo website lets you test whether and how CSP works. Brandon Sterne, Security Program Manager at Mozilla, says he looks forward to having a wide group of people take part in the first tests and to receiving their comments.
See also
- Mozilla's new security policy, a report from The H.
(crve)