Mozilla's security engineers are working on new technology that promises to mitigate a large class of Web application vulnerabilities, especially the cross-site scripting (XSS) attacks that plague modern Web browsers.
The project, called Content Security Policy, is designed to shut down XSS attacks by providing a mechanism for sites to explicitly tell the browser which content is legitimate. It can also help mitigate clickjacking and, by letting a site require that its content be fetched over HTTPS, packet sniffing attacks.
Here is how Content Security Policy lets site administrators reduce or eliminate their XSS attack surface:
- Website administrators specify, in a policy the server sends with each page, which domains the browser should treat as valid sources of script.
- The browser then executes only script loaded from files on the white-listed domains and disregards everything else, including inline script blocks and event-handling HTML attributes such as onclick. Script an attacker injects into the page therefore does not run.
- Note: event handling still works under CSP; handlers are attached from white-listed script files (for example with addEventListener) rather than through HTML attributes.
To combat clickjacking, in which clicks meant for a visible Web page are actually delivered to an invisible page layered over it, Mozilla said Content Security Policy allows a site to specify which sites may embed its resources.
The open-source group said Content Security Policy will be fully backward compatible: sites that send no policy, and browsers that don't understand one, are unaffected.
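The following is an added example, not code from the article or from Mozilla's implementation: a small model of how a browser applies the script whitelist described in the list above and the embedding restriction described for clickjacking. It uses the standardized Content-Security-Policy header syntax (script-src and frame-ancestors directives), which postdates the experimental X-Content-Security-Policy header Mozilla first shipped; the site, CDN and attacker origins are made up, and port, path and nonce matching are deliberately left out.

```javascript
// Added example (not from the article, not Mozilla's implementation): a small
// model of how a browser applies a CSP script whitelist and a frame-ancestors
// restriction. Standardized Content-Security-Policy syntax; ports, paths and
// nonces are not modelled.

// Build a header value from the trusted script origins and the origins that
// may frame the page. Everything else falls back to 'self'.
function buildPolicy({ scriptOrigins = [], frameAncestors = ["'none'"] } = {}) {
  return [
    "default-src 'self'",
    `script-src ${["'self'", ...scriptOrigins].join(' ')}`,
    `frame-ancestors ${frameAncestors.join(' ')}`,
  ].join('; ');
}

// Parse "directive source source; directive ..." into { directive: [sources] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression match a resource origin? pageOrigin resolves 'self'.
function sourceMatches(src, origin, pageOrigin) {
  if (src === "'self'") return origin === pageOrigin;
  if (src === '*') return true;
  if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URL
  const o = new URL(origin);
  let scheme = null;
  let host = src;
  const sep = src.indexOf('://');
  if (sep !== -1) {
    scheme = src.slice(0, sep) + ':';
    host = src.slice(sep + 3);
  }
  host = host.split('/')[0].split(':')[0]; // drop path and port (not modelled)
  if (scheme && scheme !== o.protocol) return false;
  if (host.startsWith('*.')) return o.hostname.endsWith(host.slice(1));
  return o.hostname === host;
}

function originAllowed(sourceList, origin, pageOrigin) {
  return sourceList.some((src) => sourceMatches(src, origin, pageOrigin));
}

// May a script run on a page served with `header` from pageOrigin?
// request is { url } for an external file, or { inline: true } for a <script>
// body or an on* attribute. Inline code runs only if 'unsafe-inline' is listed.
function scriptAllowed(header, pageOrigin, request) {
  const d = parsePolicy(header);
  const list = d['script-src'] || d['default-src'] || [];
  if (request.inline) return list.includes("'unsafe-inline'");
  return originAllowed(list, new URL(request.url).origin, pageOrigin);
}

// May a page at embedderOrigin put this page in a frame? frame-ancestors does
// not fall back to default-src; if it is absent, any site may embed the page.
function frameAllowed(header, pageOrigin, embedderOrigin) {
  const list = parsePolicy(header)['frame-ancestors'];
  if (!list) return true;
  return originAllowed(list, embedderOrigin, pageOrigin);
}

// Constructed scenario (hypothetical hosts): a site on https://www.example.com
// trusts one CDN for script and allows only itself to frame its pages.
const PAGE = 'https://www.example.com';
const POLICY = buildPolicy({
  scriptOrigins: ['https://cdn.example.com'],
  frameAncestors: ["'self'"],
});

console.log(POLICY);
console.log(scriptAllowed(POLICY, PAGE, { url: 'https://www.example.com/app.js' })); // true
console.log(scriptAllowed(POLICY, PAGE, { url: 'https://cdn.example.com/lib.js' })); // true
console.log(scriptAllowed(POLICY, PAGE, { url: 'https://evil.example.net/x.js' }));  // false
console.log(scriptAllowed(POLICY, PAGE, { inline: true }));             // false: injected <script> or onclick= is ignored
console.log(frameAllowed(POLICY, PAGE, 'https://www.example.com'));     // true
console.log(frameAllowed(POLICY, PAGE, 'https://attacker.example.org')); // false
```

The inline case is the one that defeats a classic reflected XSS: even if an attacker gets `<script>` or an `onclick=` attribute into the page, `scriptAllowed` returns false because the policy lists no 'unsafe-inline'. The page's own handlers are attached from `/app.js` with addEventListener, which the whitelist permits. The last two calls show the clickjacking side: only the site itself may frame the page.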