
Mozilla tackles XSS vulnerabilities with new technology

Written by Ryan Naraine, Contributor

Mozilla's security engineers are working on new technology that promises to mitigate a large class of Web application vulnerabilities, especially the cross-site scripting (XSS) plague against modern Web browsers.

The project, called Content Security Policy, is designed to shut down XSS attacks by providing a mechanism for sites to explicitly tell the browser which content is legitimate. It can also help mitigate clickjacking and packet sniffing attacks.


Here's how Content Security Policy can provide a way for server administrators to reduce or eliminate their XSS attack surface.

  1. Website administrators specify which domains the browser should treat as valid sources of script.
  2. The browser will only execute script in source files from the white-listed domains and will disregard everything else, including inline scripts and event-handling HTML attributes.
     • Note: event handling is still enabled in CSP without using HTML attributes.
  3. Sites that never want to have JavaScript included in their pages can choose to globally disallow script.

To combat clickjacking, in which a user's clicks on one Web page are actually applied to another page that is invisible to the end user, Mozilla said Content Security Policy allows a site to specify which sites may embed a resource.
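The enforcement rules above, as an added example that is not Mozilla's code: a toy policy evaluator that applies a script-source whitelist, drops inline script unless explicitly re-enabled, honours 'none' as a global ban, and checks frame-ancestors for the clickjacking case. It uses the directive syntax CSP was later standardized with; the header and hostnames are constructed sample values.

```python
"""Toy Content-Security-Policy evaluator, added as an example (not Mozilla's code).
Mirrors the rules described above: script source whitelist, inline script disregarded
unless re-enabled, 'none' to disallow script globally, frame-ancestors against
clickjacking. Directive syntax is CSP's standardized form; hostnames are constructed."""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://shop.example"                   # constructed sample origin
POLICY_HEADER = ("script-src 'self' https://cdn.example.net *.static.example; "
                 "frame-ancestors 'none'")             # constructed sample policy

def parse_csp(header):
    """'name src src; name src' -> {name: [src, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _matches(sources, url, page_origin):
    if "'none'" in sources:                            # rule 3: globally disallowed
        return False
    u, page_scheme = urlsplit(url), urlsplit(page_origin).scheme
    for src in sources:
        if src == "'self'" and f"{u.scheme}://{u.netloc}" == page_origin:
            return True
        if src.startswith("'"):                        # keywords never name a host
            continue
        s = urlsplit(src if "://" in src else f"{page_scheme}://{src}")  # bare host: page scheme
        host = s.hostname or ""
        if s.scheme == u.scheme and (                  # *.example matches any subdomain
            (u.hostname or "").endswith(host[1:]) if host.startswith("*.") else s.netloc == u.netloc):
            return True
    return False

def script_allowed(policy, script_url, page_origin=PAGE_ORIGIN):
    """Rule 2: an external script runs only if its origin is whitelisted."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return _matches(sources, script_url, page_origin)

def inline_script_allowed(policy):
    """Rule 2: inline <script> and on* attributes are dropped unless 'unsafe-inline' re-enables them."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return "'unsafe-inline'" in sources

def framing_allowed(policy, framer_origin, page_origin=PAGE_ORIGIN):
    """Clickjacking defence: may a page at framer_origin embed this one?"""
    sources = policy.get("frame-ancestors")
    return True if sources is None else _matches(sources, framer_origin, page_origin)
```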

The open-source group said Content Security Policy will be fully backward compatible and will not affect sites or browsers which don't support it.

For more information, see Mozilla's FAQ and this blog post by security program manager Brandon Sterne.
