In June of this year, Mozilla announced a new security effort called Content Security Policy (CSP) to help prevent Cross Site Scripting (XSS) attacks. Now, three months later, the first preview builds of CSP are available.
The basic idea of CSP is to give the browser a way to validate that the code running on a page is authorized.
Mozilla has also set up a demo page where developers can test whether their pages behave correctly under CSP.
In my view, CSP puts an increased (but not unrealistic) burden on web developers, who must add code snippets for CSP validation. Instead of simply allowing open access for everything, developers will now have to think about which sections of their web page code and which scripts should be authorized to run, and where.
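To make the "authorized to run" idea concrete, here is an added example that is not from the original post or from Mozilla: a small evaluator that reads a policy written in the standardized Content-Security-Policy syntax (an assumption; the preview builds' syntax may differ) and decides whether a given script source, or an inline script, is permitted. The policy and page origin are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample: only same-origin scripts and one CDN host are authorized.
# Inline scripts are not listed, so the browser would refuse to run them.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"
PAGE_ORIGIN = "https://app.example.com"


def parse_policy(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def source_allows(expr, page_origin, script_url):
    """Does one source expression permit script_url loaded from page_origin?"""
    if expr == "'self'":
        return origin_of(script_url) == page_origin
    if expr == "'none'":
        return False
    if expr == "*":
        return True  # simplified: real CSP still excludes data: and similar schemes
    if "://*." in expr:  # wildcard host such as https://*.example.com
        scheme, _, suffix = expr.partition("://*.")
        u = urlsplit(script_url)
        return u.scheme == scheme and u.netloc.endswith("." + suffix)
    # Plain host expression such as https://cdn.example.com: exact origin match.
    return origin_of(script_url) == expr.rstrip("/")


def script_allowed(header, page_origin, script_url=None, inline=False):
    """True if the policy authorizes the script; falls back to default-src,
    and to 'allow everything' when neither directive is present (no policy)."""
    policy = parse_policy(header)
    sources = policy.get("script-src", policy.get("default-src", ["*"]))
    if inline:
        return "'unsafe-inline'" in sources
    return any(source_allows(e, page_origin, script_url) for e in sources)
```

An injected `<script>` tag pointing at an attacker-controlled host, or an injected inline script, fails this check under the sample policy, which is exactly the XSS case the policy is meant to cover.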
According to Mozilla, the new preview isn’t quite done, but they’re close.
“The implementation is not quite complete so you may notice some small gaps between the preview builds and the spec,” Brandon Sterne, Security Program Manager at Mozilla, blogged. “Most notably, HTTP redirects are not yet handled by CSP (but will be soon).”
Does this mean we’ll see CSP in Firefox 3.6?