Cross-site scripting (XSS) flaws are growing in number, and Mozilla is now making another attempt to stop them: a new approach called Content Security Policy (CSP), whose goal is to prevent XSS.
Firefox 3.x has been patched for XSS before, and Firefox 3 itself was originally supposed to provide XSS protection as well, via a W3C specification called Cross-site XMLHttpRequest (which did not make it into the final Firefox 3 release).
So now they are trying again, with an approach that lets the browser verify that the script it runs is authorized by the site.
Mozilla's Security Program Manager blogged: “Only script included via a script tag pointing to a white-listed host will be treated as valid.”
There is also a plan to mitigate clickjacking as part of CSP, by letting a site specify which sites are allowed to embed its resources.
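A small model of the two whitelist checks described above (which hosts may serve script, and which sites may embed the page), written as an added example rather than Mozilla's code; the directive names and source keywords follow standard CSP syntax, which the post itself does not spell out, and port numbers are ignored for brevity:

```python
# Added example (not Mozilla's code): a minimal model of a CSP whitelist
# deciding whether a script or an embedding page is allowed. Ports ignored.
from urllib.parse import urlsplit

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def parse_policy(policy):
    """'script-src a b; frame-ancestors c' -> {'script-src': ['a', 'b'], ...}"""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(source, url, page_origin):
    """Does one source expression from the policy permit loading `url`?"""
    if source == "*":
        return True
    if source == "'self'":
        return origin(url) == page_origin
    if source.startswith("'"):      # 'none', 'unsafe-inline', ... never match a URL
        return False
    u = urlsplit(url)
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme.lower() != u.scheme.lower():
        return False
    host, want = u.hostname or "", s.hostname or ""
    if want.startswith("*."):       # wildcard covers any subdomain, not the bare host
        return host.endswith(want[1:])
    return host == want

def script_allowed(policy, page_url, script_url=None):
    """script_url=None models an inline <script>, e.g. an injected XSS payload."""
    d = parse_policy(policy)
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:             # policy is silent about scripts
        return True
    if script_url is None:          # inline script needs an explicit opt-in
        return "'unsafe-inline'" in sources
    return any(source_matches(s, script_url, origin(page_url)) for s in sources)

def embed_allowed(policy, page_url, embedder_url):
    """Clickjacking control: may the page at embedder_url frame page_url?"""
    sources = parse_policy(policy).get("frame-ancestors")
    if sources is None:             # no restriction stated
        return True
    return any(source_matches(s, embedder_url, origin(page_url)) for s in sources)
```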