Netstat -vat by Sean Michael Kerner (bio)

A command line view of IT



Mozilla Content Security Policy takes aim at XSS

From the 'making browsers safe' files:

Cross Site Scripting (XSS) flaws are growing, and Mozilla is now making another attempt to stop them: a new approach called Content Security Policy (CSP), whose goal is to prevent XSS.

Firefox 3.x has been patched for XSS flaws before, and Firefox 3 itself was originally supposed to ship XSS protection as well, via a W3C specification called Cross-site XMLHttpRequest (which didn't make it into the final Firefox 3).

So now they're trying again, with a new approach that helps the browser validate that the code running on a page is authorized.

"In order to differentiate legitimate content from injected or modified content, CSP requires that all JavaScript for a page be 1) loaded from an external file, and 2) served from an explicitly approved host. This means that all inline script, javascript: URIs, and event-handling HTML attributes will be ignored," Brandon Sterne, Security Program Manager at Mozilla, blogged. "Only script included via a script tag pointing to a white-listed host will be treated as valid."

There is also a plan to help mitigate clickjacking as part of CSP, by letting a site specify which sites can embed a resource.

Frankly -- I think that (for better or for worse), Mozilla should follow Microsoft's lead and also support the X-FRAME-OPTIONS header that IE 8 supports. While I think it's important for Mozilla to carve its own path, I don't think there is any harm in supporting multiple, complementary methods for protecting against clickjacking. Then again, web developers that choose to protect their sites with X-FRAME-OPTIONS could just add in CSP too.

Ultimately, in a non-standardized web security world, it could mean that web developers will have to support multiple approaches to the same problem. It's not an ideal solution, but hey, web developers have faced this problem forever, so it's not a new issue either.
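To make the two mechanisms above concrete, here is an added example (not code from the article, and not Mozilla's implementation) that serves both the CSP script rules Sterne describes and the clickjacking headers discussed afterwards. It emits a response carrying a script-src allow-list plus X-Frame-Options, then runs a toy evaluator over a constructed page to show which script constructs survive: only external scripts from a listed host are allowed, while inline script, javascript: URIs and on* attributes are ignored. It uses the later standardized Content-Security-Policy header name and directive syntax rather than the 2009 draft's grammar, and the host names example.test and static.example.test are assumptions made for the example.

```python
"""Added example (not code from the article or from Mozilla): a small simulator
of the CSP script rules described in the post, plus the clickjacking headers.

It uses the later standardized Content-Security-Policy header name and
"script-src" directive syntax; Mozilla's 2009 draft used a different header
name and grammar. Host names below are assumptions made for the example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed origins for the example site.
PAGE_ORIGIN = "https://example.test"
SCRIPT_HOST = "https://static.example.test"


def response_headers(script_sources, frame_policy="DENY"):
    """Build the two defensive headers discussed in the post: a CSP whose
    script-src allow-list names the approved script hosts, and X-Frame-Options
    (DENY or SAMEORIGIN) to refuse framing by other sites."""
    return {
        "Content-Security-Policy": "script-src " + " ".join(script_sources),
        "X-Frame-Options": frame_policy,
    }


def allowed_script_origins(policy_header, page_origin=PAGE_ORIGIN):
    """Return the set of origins the script-src directive permits; the 'self'
    keyword maps to the page's own origin. (Real CSP matching also handles
    wildcards and scheme-less hosts; this toy does exact origin matches.)"""
    for directive in policy_header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return {page_origin if src == "'self'" else src for src in parts[1:]}
    return set()


class ScriptCollector(HTMLParser):
    """Collect every construct that can run script, tagged by the category CSP
    distinguishes: external <script src>, inline <script> bodies, javascript:
    URIs, and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            self._inline_script = src is None
            if src is not None:
                self.findings.append(("external", src))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{name}={value}"))
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-uri", value))

    def handle_data(self, data):
        if self._inline_script and data.strip():
            self.findings.append(("inline", data.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script = False


def evaluate(html, headers):
    """Classify each script-bearing construct in the page as 'allowed' or
    'blocked' under the CSP carried in the response headers."""
    allowed = allowed_script_origins(headers["Content-Security-Policy"])
    collector = ScriptCollector()
    collector.feed(html)
    verdicts = []
    for kind, detail in collector.findings:
        if kind == "external":
            parsed = urlparse(detail)
            origin = f"{parsed.scheme}://{parsed.netloc}"
            verdict = "allowed" if origin in allowed else "blocked"
        else:
            # Inline script, javascript: URIs and event-handler attributes are
            # ignored under the policy regardless of their content.
            verdict = "blocked"
        verdicts.append((kind, detail, verdict))
    return verdicts


# Constructed page: one legitimate script plus the kinds of injected script an
# XSS flaw typically leaves behind.
SAMPLE_HTML = """<html><body onload="init()">
<script src="https://static.example.test/app.js"></script>
<script src="https://third-party.example.net/widget.js"></script>
<script>alert('injected')</script>
<a href="javascript:alert('injected')">link</a>
</body></html>"""

if __name__ == "__main__":
    headers = response_headers(["'self'", SCRIPT_HOST])
    for name, value in headers.items():
        print(f"{name}: {value}")
    for kind, detail, verdict in evaluate(SAMPLE_HTML, headers):
        print(f"{verdict:8} {kind:14} {detail}")
```

Running the script shows that the page's own app.js is the only construct that passes; the third-party script host is not on the list, and the inline script, the onload handler and the javascript: link are all rejected without inspecting what they contain, which is the property that makes the approach robust against injection rather than against particular payloads. The X-Frame-Options header rides along in the same response, so a site adopting CSP can carry both protections at once, as the post suggests.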

No word yet on when CSP will be integrated into Firefox -- though I'd expect it'll be on the wish list for the Firefox 3.6 timeframe.
