In association with heise online

02 October 2009, 16:01

First Firefox demo for Content Security Policy


Firefox passed all of the CSP tests on this demonstration page.

The Mozilla Foundation has presented the first demonstration of its new Content Security Policy (CSP). CSP is expected to help prevent cross-site scripting attacks (XSS).

CSP allows web administrators to send a special header (X-Content-Security-Policy: allow 'self';) that tells the browser which domains it should accept as sources for trusted code. Standard XSS attacks sometimes exploit vulnerabilities in web applications to execute JavaScript in the browser with the rights of trusted domains.

With CSP, the browser will only execute scripts which originate from domains listed in a whitelist – everything else will be blocked. This allows administrators to specify their own script server for loading and executing scripts, for example. Attackers should then no longer be able to inject scripts into HTML files.
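
The whitelist decision described above, as an added example that is not part of the original article and is not Firefox's code: a simplified JavaScript model of how a browser could evaluate the header value for script loads. The `script-src` directive comes from Mozilla's CSP proposal rather than from this article, the hostnames are constructed, and host sources are matched by hostname only (scheme and port are ignored in this model).

```javascript
// Simplified model of a CSP script-source check; not Firefox's implementation.
// The sample policies and hostnames used with it are constructed for illustration.

// Parse a header value such as "allow 'self'; script-src scripts.example.com"
// into an object mapping each directive name to its list of sources.
function parsePolicy(headerValue) {
  const policy = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' leaves an empty part
    const name = tokens[0].toLowerCase();
    // Modelling choice: the first occurrence of a directive wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Decide whether a script at scriptUrl may run on the page at pageUrl.
function scriptAllowed(policy, pageUrl, scriptUrl) {
  // A specific script-src list replaces the catch-all "allow" list.
  // With neither directive present, this model blocks everything.
  const sources = policy['script-src'] || policy['allow'] || [];
  const page = new URL(pageUrl);
  let script;
  try {
    script = new URL(scriptUrl, pageUrl); // resolve relative URLs against the page
  } catch (e) {
    return false; // unparsable source: fail closed
  }
  // Only network-loaded scripts can match a listed domain.
  if (script.protocol !== 'http:' && script.protocol !== 'https:') return false;
  return sources.some((src) => {
    if (src === "'self'") return script.origin === page.origin;
    return script.hostname === src.toLowerCase();
  });
}
```

Note that once a dedicated script list is given, `'self'` in `allow` no longer covers scripts: the page's own origin has to be listed there again if it should still serve them.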

CSP only works in a specially prepared browser. The new Preview Build of Firefox supports this function. While this version does not yet support all specifications, it should suffice for an initial impression. At a special demo website, you can test whether and how CSP works. Brandon Sterne, Security Program Manager at Mozilla, says he looks forward to having a wide group of people take part in the first tests and to receiving their comments.
