Mozilla Content Security Policy takes aim at XSS

From the ‘making browsers safe’ files:

Cross-Site Scripting (XSS) flaws are growing, and Mozilla is making another attempt to stop them: a new approach called Content Security Policy (CSP), whose goal is to prevent XSS.

Firefox 3.x has been patched for XSS before, and Firefox 3 itself was originally supposed to provide protection against XSS as well, through a W3C specification called Cross-site XMLHttpRequest (which didn’t make it into the final Firefox 3).

So now they’re trying again, with a new approach that will help validate that the code running in a browser is authorized.

“In order to differentiate legitimate content from injected or modified content, CSP requires that all JavaScript for a page be 1) loaded from an external file, and 2) served from an explicitly approved host. This means that all inline script, javascript: URIs, and event-handling HTML attributes will be ignored,” Brandon Sterne, Security Program Manager at Mozilla, blogged. “Only script included via a script tag pointing to a white-listed host will be treated as valid.”
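As an added example, not code from the original post or from Mozilla, here is a small JavaScript model of the script rules the quote lays out, so that a page's script candidates can be checked against a policy before deployment. It assumes the standardised `Content-Security-Policy` header's `script-src` directive syntax, absolute script URLs, and host matching on scheme and host only (no paths, ports or wildcards beyond a bare `*`).

```javascript
// Parse "script-src 'self' https://cdn.example.com; img-src *" into
// { "script-src": ["'self'", "https://cdn.example.com"], "img-src": ["*"] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one host source expression ("cdn.example.com" or "https://cdn.example.com")
// match the URL a <script src> points at? Simplified: scheme and host only.
function hostSourceMatches(expr, url) {
  if (expr === "*") return true;
  // A scheme-less host source takes the scheme of the script URL (assumption).
  const withScheme = expr.includes("://") ? expr : `${url.protocol}//${expr}`;
  let exprUrl;
  try { exprUrl = new URL(withScheme); } catch (e) { return false; }
  return exprUrl.protocol === url.protocol && exprUrl.hostname === url.hostname;
}

// candidate.kind is "inline", "event-handler", "javascript-uri" or "external";
// external candidates carry the script's absolute URL in candidate.src.
// pageOrigin (e.g. "https://www.example.com") is what 'self' refers to.
function scriptAllowed(policyString, pageOrigin, candidate) {
  const sources = parsePolicy(policyString)["script-src"];
  if (!sources) return true; // no script-src: this toy model restricts nothing
  // Rules 1 and 2 from the post: anything that is not an external file from an
  // approved host is ignored, which covers inline script blocks, javascript:
  // URIs and on* event-handler attributes alike.
  if (candidate.kind !== "external" || !candidate.src) return false;
  const url = new URL(candidate.src);
  return sources.some((s) =>
    s === "'self'" ? url.origin === pageOrigin : hostSourceMatches(s, url)
  );
}
```

Running the same candidates through the model with and without a `script-src` directive shows why the policy must name the script hosts explicitly: an injected inline block is rejected only when the directive is present.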

There is also a plan to help mitigate clickjacking as part of CSP, by enabling a site to specify which sites may embed a resource.
