In association with heise online

23 June 2009, 15:13

Mozilla's new security policy


In an article on its security blog, the Mozilla Foundation has presented a new security mechanism – known as content security policy (CSP) – intended to guard against the epidemic of cross-site scripting attacks (XSS) and related vulnerabilities. It allows web administrators, by sending a special HTTP response header, to tell the browser which domains it should accept as sources of trusted script. Conventional XSS attacks exploit injection flaws in web applications to make the browser execute attacker-supplied JavaScript with the privileges of the trusted site.

With CSP, the browser will only execute scripts which originate from domains listed in a white-list – everything else will be blocked. This allows administrators to, for example, specify their own script server as the only place from which scripts may be loaded and executed. An attacker may still manage to inject script markup into a vulnerable page, but the browser will refuse to run it.

With CSP, even JavaScript embedded inline in the page itself will by default no longer be executed; since that is where most injected XSS payloads land, this default is where much of the protection comes from. Websites will also be able to tell the browser to completely disable execution of JavaScript in their context, which may be useful on sites which don't use any scripts.
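To make the browser-side decision described above concrete, here is an added example (written for this page, not Mozilla's code) that parses a policy string and answers whether an external or inline script may run. The directive syntax it accepts – default-src, script-src, the 'self', 'none' and 'unsafe-inline' keywords, and host sources such as https://scripts.example.com or *.cdn.example – is the one that was later standardised under the Content-Security-Policy header; Mozilla's 2009 draft used the X-Content-Security-Policy header with somewhat different syntax. The policy, page URL and script URLs are constructed for the demonstration, and ports and paths in source expressions are ignored for brevity.

```javascript
// Added example, not Mozilla's implementation: a toy model of the CSP
// decision a browser makes for <script> elements. Syntax follows the later
// standardised Content-Security-Policy header (assumption: the 2009 draft
// differed). Ports and paths in source expressions are ignored.

// "default-src 'self'; script-src 'self' https://scripts.example.com"
//   -> Map { 'default-src' => ["'self'"], 'script-src' => ["'self'", "https://..."] }
function parsePolicy(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// The source list governing scripts: script-src wins, default-src is the
// fallback, and no directive at all means "no policy" (pre-CSP behaviour).
function scriptSources(header) {
  const policy = parsePolicy(header);
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Does one host source expression match the script's URL? A scheme-less
// source inherits the page's scheme, so an https page does not load http
// scripts from it; "*.host" matches any subdomain of host.
function hostSourceMatches(src, scriptUrl, pageUrl) {
  const script = new URL(scriptUrl);
  let scheme = new URL(pageUrl).protocol;          // e.g. "https:"
  let rest = src;
  const sep = src.indexOf('://');
  if (sep !== -1) {
    scheme = src.slice(0, sep) + ':';
    rest = src.slice(sep + 3);
  }
  const host = rest.split('/')[0].split(':')[0].toLowerCase();
  if (script.protocol !== scheme) return false;
  if (host.startsWith('*.')) return script.hostname.endsWith(host.slice(1));
  return script.hostname === host;
}

// Decide whether <script src=scriptUrl> on the page at pageUrl may execute.
function allowsExternalScript(header, pageUrl, scriptUrl) {
  const sources = scriptSources(header);
  if (sources === null) return true;               // no CSP: run everything
  if (sources.includes("'none'")) return false;    // site disabled scripts
  const pageOrigin = new URL(pageUrl).origin;
  const scriptOrigin = new URL(scriptUrl).origin;
  for (const src of sources) {
    if (src === "'self'" && scriptOrigin === pageOrigin) return true;
    if (src === '*') return true;
    if (src.startsWith("'")) continue;             // other keywords are not hosts
    if (hostSourceMatches(src, scriptUrl, pageUrl)) return true;
  }
  return false;                                    // not white-listed: blocked
}

// Inline <script> blocks are blocked whenever any policy is present unless
// the site explicitly opts back in with 'unsafe-inline'.
function allowsInlineScript(header) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'");
}

// Usage on a constructed policy and page.
const policy = "default-src 'self'; script-src 'self' https://scripts.example.com";
const page = 'https://www.example.com/index.html';
for (const url of ['https://www.example.com/app.js',
                   'https://scripts.example.com/lib.js',
                   'https://attacker.example.net/x.js']) {
  console.log(url, allowsExternalScript(policy, page, url) ? 'allowed' : 'blocked');
}
console.log('inline script', allowsInlineScript(policy) ? 'allowed' : 'blocked');
```

The two points worth noticing are that an injected `<script src="https://attacker.example.net/x.js">` is refused purely on its origin, and that an injected inline `<script>` is refused as soon as any policy exists at all, which is why the article stresses the inline default.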

CSP should nonetheless be fully backwards-compatible. If a website does not send a CSP header, the browser behaves exactly as it does today, enforcing only its usual same origin policy; browsers which do not support CSP simply ignore the unknown header. CSP should also offer some protection against clickjacking and allow a site to have the browser automatically redirect from HTTP pages to HTTPS pages where the latter are available.

Google is also currently looking at delivering its pages over HTTPS by default to improve security and prevent eavesdropping. Mozilla Security Program Manager Brandon Sterne, the author of the blog post, does not say when CSP will appear in Mozilla products.

