CSP: Thwarting cross-site scripting and click-jacking attacks
by Daniel Bachfeld
Content Security Policies are designed to prevent cross-site scripting and other attack types. Firefox 4 is the first browser to support this new concept.
By sending the frame-ancestors directive in the CSP header, a web server signals to the browser that the loaded page must not be opened in an iframe. This prevents click-jackers from embedding the page in transparent iframes that trick users into clicking on invisible elements. Unlike the X-Frame-Options (XFO) header, the anti-click-jacking solution preferred by Microsoft, CSP allows a list of permitted domains to be included, which offers considerably more flexibility. The new header can also specify whether the browser is to load further content via HTTP or via HTTPS.
CSP is said to be fully backward compatible. If a web site doesn't send a CSP header, Firefox simply falls back on the Same-Origin Policy, and browsers that don't support CSP simply ignore the header. The Mozilla Foundation's Brandon Sterne, the mastermind behind CSP, has set up a test page that demonstrates the use of the various CSP parameters and options. CSP also allows admins to define a URI to which the browser sends a report in case of a policy violation. This not only helps admins discover attacks, it also assists them with troubleshooting when making the switch.
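As an added illustration (not code from the article, Mozilla or the test page), here is a small Python model of the two framing checks contrasted above: a CSP frame-ancestors source list evaluated against a candidate framing origin, beside the DENY/SAMEORIGIN choice that X-Frame-Options offers, with the violation-report URI parsed from the same header. The header and origins are constructed samples, and the matcher deliberately ignores ports and paths.

```python
from urllib.parse import urlsplit

# Constructed sample header: a frame-ancestors domain list plus a report-uri.
SAMPLE_CSP = ("default-src https:; "
              "frame-ancestors 'self' https://partner.example; "
              "report-uri /csp-report")

def parse_csp(header):
    # Split a CSP header into {directive: [source expressions]}.
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, candidate, page_origin):
    """Does one source expression allow the candidate origin? (ports/paths ignored)"""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return candidate == page_origin
    if source == "*":
        return True
    cand = urlsplit(candidate)
    if "://" not in source:
        if source.endswith(":"):              # scheme-only source such as https:
            return cand.scheme == source[:-1]
        source = "*://" + source              # bare host: any scheme
    scheme, _, host = source.partition("://")
    if scheme != "*" and scheme != cand.scheme:
        return False
    if host.startswith("*."):                 # wildcard subdomain
        return cand.hostname.endswith(host[1:])
    return cand.hostname == host

def framing_allowed(header, framer_origin, page_origin):
    """CSP view: may framer_origin embed the page that sent this header?"""
    ancestors = parse_csp(header).get("frame-ancestors")
    if ancestors is None:     # no directive, so CSP does not restrict framing
        return True
    return any(source_matches(s, framer_origin, page_origin) for s in ancestors)

def xfo_allowed(value, framer_origin, page_origin):
    """X-Frame-Options view: only DENY or SAMEORIGIN, no domain list."""
    value = value.strip().upper()
    if value not in ("DENY", "SAMEORIGIN"):
        raise ValueError("unsupported X-Frame-Options value: " + value)
    return value == "SAMEORIGIN" and framer_origin == page_origin
```

With the sample header, the partner site may frame the page under CSP, while X-Frame-Options would have to choose between blocking it and allowing everyone.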
In addition to Firefox, Thunderbird 3.3 and SeaMonkey 2.1 are soon planned to support CSP on the client side. What remains is for other browsers and web server operators to adopt the new concept. Most browser developers previously implemented their own anti-XSS functions and counted on the X-Frame-Options header to prevent click-jacking attacks; however, this strategy found no acceptance with web site operators. One can only hope that CSP will be better received. Plug-ins such as those for WordPress, Drupal and the Django web framework, for instance, help with adapting a custom content management system. (dab)