Mozilla Content Security Policy takes aim at XSS | Internet News

Jun 23, 2009
1 minute read


From the making browsers safe files:

Cross Site Scripting (XSS) flaws are growing, and Mozilla is making another attempt to stop them: a new approach called Content Security Policy (CSP), whose goal is to prevent XSS.

Firefox 3.x has been patched for XSS before, and Firefox 3 itself was originally supposed to provide protection against XSS as well, via a W3C specification called Cross site XMLHttpRequest (which didn’t make it into the final Firefox 3).

So now they’re trying again, with a new approach that will help to validate that code running in a browser is authorized.

“In order to differentiate legitimate content from injected or modified content, CSP requires that all JavaScript for a page be 1) loaded from an external file, and 2) served from an explicitly approved host. This means that all inline script, javascript: URIs, and event-handling HTML attributes will be ignored,” Brandon Sterne, Security Program Manager at Mozilla, blogged. “Only script included via a script tag pointing to a white-listed host will be treated as valid.”

There is also a plan, as part of CSP, to help mitigate clickjacking by letting a site specify which sites are allowed to embed a resource.
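To make the two rules above concrete (script only from an external file on an approved host, and a site choosing who may embed it), here is an added example that models them as a small policy evaluator. It is not code from the article or from Mozilla, and it assumes the directive syntax that CSP later standardized (`script-src`, `frame-ancestors`, `'self'`), not the header format of the 2009 draft; the origin matching is a deliberate simplification (exact scheme and host, no wildcards), and inline script is always rejected, as the article describes.

```javascript
// Added example: a minimal model of the CSP rules described in the article.
// Assumptions: standardized directive names; constructed sample policy and URLs.

// Parse a policy such as "script-src 'self' https://cdn.example.com; frame-ancestors 'self'"
// into { 'script-src': [...], 'frame-ancestors': [...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Reduce a URL to its origin (scheme://host) for comparison against source expressions.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one source expression admit the given origin?
// 'self' means the page's own origin; anything else must match the origin exactly
// (simplification: no wildcard hosts, no path matching).
function sourceMatches(expr, origin, pageOrigin) {
  if (expr === "'self'") return origin === pageOrigin;
  if (expr === "'none'") return false;
  return expr === origin;
}

// Decide whether a script item on the page may run under the policy.
// item.kind is one of: 'external' (with item.src), 'inline', 'javascript-uri', 'event-attr'.
// As the article describes: only an external <script src> from an approved host is valid;
// inline script, javascript: URIs and on* attributes are ignored outright.
function scriptAllowed(directives, item, pageOrigin) {
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true; // policy says nothing about scripts
  if (item.kind !== 'external') return false;
  return sources.some(expr => sourceMatches(expr, originOf(item.src), pageOrigin));
}

// Decide whether a page served with this policy may be embedded (framed) by embedderOrigin.
// This is the clickjacking mitigation: the site lists who may embed it.
function framingAllowed(directives, embedderOrigin, pageOrigin) {
  const ancestors = directives['frame-ancestors'];
  if (!ancestors) return true; // no restriction stated
  return ancestors.some(expr => sourceMatches(expr, embedderOrigin, pageOrigin));
}

// Constructed sample: the policy a site might send, and a few script items found in its HTML.
const samplePolicy = "script-src 'self' https://cdn.example.com; frame-ancestors 'self'";
const pageOrigin = 'https://app.example.com';
const directives = parsePolicy(samplePolicy);

const items = [
  { kind: 'external', src: 'https://app.example.com/js/main.js' }, // allowed: own origin
  { kind: 'external', src: 'https://cdn.example.com/lib.js' },     // allowed: white-listed host
  { kind: 'external', src: 'https://other.example.net/x.js' },    // blocked: host not approved
  { kind: 'inline' },                                              // blocked: inline script
  { kind: 'javascript-uri' },                                      // blocked: javascript: URI
  { kind: 'event-attr' },                                          // blocked: onclick="..." etc.
];
for (const item of items) {
  console.log(item.kind, item.src || '', '->', scriptAllowed(directives, item, pageOrigin));
}
console.log('framed by self ->', framingAllowed(directives, 'https://app.example.com', pageOrigin));
console.log('framed by other ->', framingAllowed(directives, 'https://other.example.org', pageOrigin));
```

The point of the model is the asymmetry the article highlights: a policy does not try to tell good inline script from injected inline script, it simply refuses all of it, so an injected `<script>alert(1)</script>` or `onerror=` attribute has no effect even though it landed in the page. The `frame-ancestors` check is the same idea applied to embedding.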
