Mozilla Aims At Cross-Site Scripting With FF3


Web 2.0 has enabled a broad array of Websites to be more engaging for users. It has also enabled a new and now very common attack, namely cross-site scripting, commonly referred to as XSS attacks.


Mozilla is aiming to put an end to XSS attacks in its upcoming Firefox 3 browser. The Alpha 7 development release includes support for a new W3C working draft specification that is intended to secure cross-site XMLHttpRequest calls (often referred to as XHR), which are often the culprit when it comes to XSS attacks. XHR is the backbone of Web 2.0, enabling a more dynamic web experience with remote data.


“Cross site XMLHttpRequest will enable web authors to more
easily and safely create Web mashups,” Mike Schroepfer,
Mozilla’s vice president of engineering, told internetnews.com.

“It is one of many advanced Web standards that we are
implementing in Firefox 3 and look forward to the world
adopting.”


The W3C working draft is officially titled, “Enabling Read
Access for Web Resources.” It’s intended to define a mechanism by which Web developers can safely provide cross-site Web resource access. The specification
will let developers define via an HTTP header or an XML
instruction which sites are allowed read-access and which
are not.
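As an added illustration (not code from the article, from Mozilla, or from the W3C draft), the following JavaScript evaluates a read-access policy of the allow/exclude kind the draft describes against the host of a requesting site. The header name Content-Access-Control and the pattern grammar are assumptions modelled loosely on the draft, not its normative syntax.

```javascript
// Added example, not from the article or the W3C draft. The policy grammar is
// an assumption modelled loosely on the 2007 draft:
//   policy  := rule ("," rule)*
//   rule    := "allow" pattern+ ["exclude" pattern+]
//   pattern := "<" host-pattern ">"    e.g. <*>, <*.example.org>, <api.example.org>
// A host is granted read access if some rule allows it and that same rule does
// not exclude it. "*" matches any host; "*.example.org" matches subdomains only.

const PATTERN_RE = /<([^>]+)>/g;

function parsePolicy(headerValue) {
  return headerValue.split(",").map((ruleText) => {
    const text = ruleText.trim();
    if (!text.startsWith("allow")) throw new Error(`malformed rule: ${text}`);
    const [allowPart, excludePart = ""] = text.slice("allow".length).split("exclude");
    const toList = (s) => Array.from(s.matchAll(PATTERN_RE), (m) => m[1].trim().toLowerCase());
    const allow = toList(allowPart);
    if (allow.length === 0) throw new Error(`rule has no allow patterns: ${text}`);
    return { allow, exclude: toList(excludePart) };
  });
}

function hostMatches(pattern, host) {
  host = host.toLowerCase();
  if (pattern === "*") return true;          // wide open: every site may read
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);         // "*.example.org" -> ".example.org"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern;                   // exact host match
}

// The user-agent side decision: may a page served from requestingHost read
// a resource that carries this policy?
function isReadAllowed(headerValue, requestingHost) {
  const rules = parsePolicy(headerValue);
  return rules.some(
    (rule) =>
      rule.allow.some((p) => hostMatches(p, requestingHost)) &&
      !rule.exclude.some((p) => hostMatches(p, requestingHost)),
  );
}

// Constructed sample policies (assumed header: Content-Access-Control).
const NARROW_POLICY = "allow <*.example.org> exclude <public.example.org>, allow <partner.example.net>";
const WIDE_OPEN_POLICY = "allow <*>";
```

The wide-open policy grants read access to any site, so a resource that reflects the user's session should only carry it when that is intended.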


A typical XSS attack vector is one in which a malicious Web site reads the credentials from another site that a user has visited. The new specification could well serve to limit that type of attack, though it is still incumbent upon Web developers to be careful with their trusted data.


The W3C working draft warns that “user agents which
implement this specification should take care not to
expose other trusted data (cookies, HTTP header data)
inappropriately.”


Of course, it’s also wise to consider the source.


“Application authors should be aware that content
retrieved from another site is not itself trustable,” the
W3C working draft advises. “Authors should take care to
protect against exposing themselves to cross-site
scripting attacks by rendering or executing the retrieved
content directly without validation.”


In addition to the new XSS protection in Firefox 3 Alpha 7, Mozilla developers have also fixed some bugs and implementation errors that cropped up in the Alpha 6 release, which came out in early July.

The latest release isn’t just about bug fixes and new feature support. Mozilla developers have actually dropped support for the SOAP Web services messaging protocol, according to the official Alpha 7 release notes. (It still runs in Firefox 3, however.)


“The SOAP implementation dropped from Firefox 3 was only
available to extension authors, who have many other more
modern implementations to choose from,” Schroepfer
explained. “We are, in general, removing as much old code
from the core browser as possible to improve security,
reduce download size, and allow Web and extension authors
to choose the latest support libraries they need.”


Firefox 3 is Mozilla’s next generation browser and will be the successor to the current 2.x browser. The open source group has been working on Firefox 3 (code name Gran Paradiso) since October of 2006, when the first Firefox 3 alpha appeared.


At the time the Alpha 6 browser was released, Mozilla had
projected that the Beta 1 release would be out by July 31.
That obviously didn’t happen.


“A firm date for Beta 1 has not yet been set,” Schroepfer
said. “We are shipping milestones every 6 weeks (next up is Milestone 8) and when the quality of the milestones are ready for broad use we’ll ship Beta1.”
