Mozilla tackles XSS vulnerabilities with new technology

Summary: Mozilla's security engineers are working on new technology that promises to mitigate a large class of Web application vulnerabilities, especially the cross-site scripting (XSS) plague against modern Web browsers. The project, called Content Security Policy, is designed to shut down XSS attacks by providing a mechanism for sites to explicitly tell the browser which content is legitimate.

Mozilla's security engineers are working on new technology that promises to mitigate a large class of Web application vulnerabilities, especially the cross-site scripting (XSS) plague against modern Web browsers.

The project, called Content Security Policy, is designed to shut down XSS attacks by providing a mechanism for sites to explicitly tell the browser which content is legitimate. It can also help mitigate clickjacking and packet sniffing attacks.

[ SEE: Webcam hijack demo highlights clickjacking threat ]

Here's how Content Security Policy can provide a way for server administrators to reduce or eliminate their XSS attack surface.

  1. Website administrators specify which domains the browser should treat as valid sources of script.
  2. The browser will only execute script in source files from the white-listed domains and will disregard everything else, including inline scripts and event-handling HTML attributes.

    • Note: event-handling is still enabled in CSP without using HTML attributes.

  3. Sites that never want to have JavaScript included in their pages can choose to globally disallow script.

To combat clickjacking, in which clicks on one Web page are actually applied to another page that is invisible to the end user, Mozilla said Content Security Policy allows a site to specify which sites may embed a resource.
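The script whitelisting and embedding rules described above, as an added example that is not Mozilla's code: a small model of how a browser evaluates a policy against an external script load, an inline script, and a framing attempt. It uses the directive syntax of the later standardized Content-Security-Policy header (script-src, frame-ancestors, 'self', 'unsafe-inline'), not Mozilla's 2009 draft header, and all origins and hostnames are constructed.

```javascript
// Parse "directive src src; directive src" into a map of directive -> source list.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does an origin such as "https://cdn.example.com" match one source expression?
function sourceMatches(src, origin, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return origin === pageOrigin;
  if (src === '*') return true;
  const m = src.match(/^(?:(https?):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?$/);
  if (!m) return false; // keyword sources like 'unsafe-inline' never match a URL
  const [, scheme, wildcard, host, port] = m;
  const o = new URL(origin);
  if (scheme && scheme + ':' !== o.protocol) return false;
  const hostOk = wildcard ? o.hostname.endsWith('.' + host) : o.hostname === host;
  const portOk = port ? o.port === port : true; // assumption: default ports are omitted
  return hostOk && portOk;
}

// May a script from scriptUrl (null = inline script or event-handler attribute)
// run on a page served from pageOrigin under this policy?
function scriptAllowed(header, pageOrigin, scriptUrl) {
  const policy = parsePolicy(header);
  // script-src falls back to default-src; with neither, the browser has no restriction.
  const sources = policy['script-src'] || policy['default-src'] || ['*'];
  if (scriptUrl === null) return sources.includes("'unsafe-inline'");
  return sources.some((s) => sourceMatches(s, new URL(scriptUrl).origin, pageOrigin));
}

// May a page served from pageOrigin be embedded by a frame on embedderOrigin?
function framingAllowed(header, pageOrigin, embedderOrigin) {
  const sources = parsePolicy(header)['frame-ancestors'];
  if (!sources) return true; // no frame-ancestors directive: anyone may embed
  return sources.some((s) => sourceMatches(s, embedderOrigin, pageOrigin));
}
```

With a policy such as `script-src 'self' https://cdn.example.com; frame-ancestors 'self'`, an injected inline script is refused because 'unsafe-inline' is absent, and a third-party framing attempt is refused because only the site's own origin is listed.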

The open-source group said Content Security Policy will be fully backward compatible and will not affect sites or browsers that don't support it.

For more information, see Mozilla's FAQ and this blog post by security program manager Brandon Sterne.


Talkback

11 comments
  • sounds kinda like SPF, but for JavaScript

    Very cool!

    On another note, any ideas why Firefox doesn't take advantage of the Sandbox framework provided by Vista?

    Is it because of Vista's market share, to ease cross platform porting, or something else?
    JoeMama_z
    • It's JavaScript not Java Script

      Some purists might prefer ECMAScript but that wouldn't be correct.
      InAction Man
      • Thanks for answering my question!

        that sure was useful.
        JoeMama_z
      • What came first, the chicken or the egg?

        And does it really matter since it's all stolen
        from someone else's work anyways?
        Spiritusindomit@...
      • Really....

        I thought it was LiveScript table became JavaScript.
        Erroneous
    • Why would it? nt

      nt
      T1Oracle
      • Why wouldn't it?

        It's a security layer with obvious merit. For a browser that rose to fame chanting "Secure!" it seems odd that they haven't taken advantage of it.

        Edit: After looking around, it doesn't look like Firefox plays nice with AppArmor or SELinux. If this is true, again I have to ask "why not?"
        JoeMama_z
  • Too bad it relies on website owner action

    If it's reliant upon human action to implement, then it'll barely make a dent in the problem.
    ejhonda
  • All these protections are already available in IE8

    All these protections are already available in IE8. Mozilla is late!
    directory
    • already available in IE8 ?

      They are, sort of. If you have the time to wait around for that slug of spaghetti to do anything. I got tired of fiddling with it and went back to 7 until a couple more updates come 'round for it.
      twaynesdomain-22354355019875063839220739305988
  • RE: Mozilla tackles XSS vulnerabilities with new technology

    Well done! Thank you very much for professional templates and community edition
    birumut