
Twitter integrates Firefox 4 security feature

Twitter has made its mobile site compatible with an anti-cross-site-scripting feature in Firefox 4. Mozilla developed a standard for Firefox 4 called Content Security Policy (CSP) which aims to stop cross-site-scripting (XSS) attacks when they execute on the browser.
Written by Tom Espiner, Contributor

Twitter has implemented CSP on its mobile.twitter.com site for Firefox 4 users, the company said in a blog post on Tuesday.

"Over the next couple of months we plan to implement a Content Security Policy across more of Twitter, and we encourage you to request support for this standard in your preferred browser," said the company.

Because typical XSS attacks inject JavaScript into a web page, CSP does not execute inline JavaScript (that is, JavaScript embedded directly in the HTML). In addition, CSP loads a page's external assets only from a set of whitelisted sites, said Twitter.

"Allowing sites like Twitter to disable inline JavaScript and whitelist external assets is a huge step towards neutralising XSS attacks," said Twitter. "However, for many sites it is not going to be as simple as flipping a switch. Most sites will require some work and you may need to alter a few third-party JavaScript libraries."

Twitter also found that a number of internet service providers (ISPs) were altering image tags or inserting JavaScript into pages to point users at the ISPs' caching servers, which prompted Twitter to mandate SSL encryption for Firefox 4 users.
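As an added example (not code from Twitter, Mozilla or the Firefox 4 implementation), the following JavaScript evaluator reproduces the two CSP rules described above and shows how they apply to the ISP injection Twitter observed: an injected inline script is refused, and a script or image tag rewritten to point at an ISP caching host fails the whitelist. The policy string, the cdn.example.com and example.com hosts and the cache.isp.example.net host are constructed for illustration; mobile.twitter.com appears only as the page origin. Firefox 4's pre-standard implementation read the policy from the `X-Content-Security-Policy` header with a slightly different syntax; the example uses the later standardised `Content-Security-Policy` form, and ignores ports, paths, nonces and hashes for brevity.

```javascript
// Added example, not Twitter's or Mozilla's code: a minimal evaluator for a
// Content-Security-Policy header. The policy and hostnames below are
// constructed; they are not Twitter's real policy.

// Parse "directive source source; directive source ..." into a Map.
function parsePolicy(header) {
  const policy = new Map();
  for (const clause of header.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Fetch directives that are not set explicitly fall back to default-src.
function sourcesFor(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? [];
}

// Inline <script> blocks run only if 'unsafe-inline' is listed; this is the
// rule that defeats the typical injected XSS payload.
function allowsInlineScript(policy) {
  return sourcesFor(policy, "script-src").includes("'unsafe-inline'");
}

// Match one host-source expression (https://cdn.example.com, *.example.com)
// against a request URL. A scheme in the expression must match exactly; a
// leading "*." label matches any subdomain but not the bare domain.
function hostMatches(expr, url) {
  let scheme = null;
  let host = expr;
  const at = expr.indexOf("://");
  if (at !== -1) {
    scheme = expr.slice(0, at) + ":";
    host = expr.slice(at + 3);
  }
  host = host.replace(/[/:].*$/, ""); // drop any path or port
  if (scheme !== null && url.protocol !== scheme) return false;
  const requested = url.hostname.toLowerCase();
  if (host.startsWith("*.")) return requested.endsWith(host.slice(1));
  return requested === host;
}

// Is a request for urlString under `directive` permitted for a page served
// from pageOrigin? True if any source expression in the directive matches.
function allowsSource(policy, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  return sourcesFor(policy, directive).some((expr) => {
    if (expr === "'none'") return false;
    if (expr === "*") return true; // real CSP still excludes data:/blob: here
    if (expr === "'self'") return url.origin === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr; // scheme source
    if (expr.startsWith("'")) return false; // nonces/hashes not handled in this example
    return hostMatches(expr, url);
  });
}

// Constructed policy for a page at https://mobile.twitter.com: no inline
// script, first-party plus one CDN for script, images from the site itself
// or any example.com subdomain, everything else first-party only.
const POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' https://*.example.com";
const PAGE_ORIGIN = "https://mobile.twitter.com";

// Evaluate a constructed set of requests, including the two cases the
// article raises: an injected inline script and ISP-inserted tags that
// point at the ISP's caching host.
function evaluateRequests() {
  const policy = parsePolicy(POLICY);
  const requests = [
    ["script-src", "https://mobile.twitter.com/js/app.js"],
    ["script-src", "https://cdn.example.com/jquery.js"],
    ["script-src", "http://cache.isp.example.net/inject.js"], // ISP-inserted script
    ["img-src", "https://img.example.com/logo.png"],
    ["img-src", "http://cache.isp.example.net/logo.png"], // rewritten image tag
    ["connect-src", "https://api.example.org/v1"], // falls back to default-src
  ];
  const decisions = { inlineScript: allowsInlineScript(policy) };
  for (const [directive, urlString] of requests) {
    decisions[urlString] = allowsSource(policy, directive, urlString, PAGE_ORIGIN);
  }
  return decisions;
}

for (const [what, allowed] of Object.entries(evaluateRequests())) {
  console.log(`${allowed ? "ALLOW" : "BLOCK"}  ${what}`);
}
```

The evaluator makes the trade-off in the quoted blog post visible: the inline-script rule is a single decision with no exceptions, so any first-party script embedded in the HTML, including those shipped by third-party libraries, has to move to a whitelisted external file before the policy can be deployed.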
