New XSS and clickjacking mitigation standard sees first implementation

Oct 5, 2009 10:31 GMT  ·  By

Mozilla has released the first Firefox builds that implement the new Content Security Policy (CSP) specification. The standard promises to render XSS, clickjacking and packet sniffing attacks ineffective in the browsers that support it, even if a visited Web page is compromised.

The Content Security Policy refers to a set of rules that are served by the website to the browser, defining what content is to be trusted. The specification is set to help webmasters and users alike in fighting off cross-site scripting and other related attacks.

Cross-site scripting (XSS) is one of the most common types of attacks plaguing the web today. It stems from programming errors where user input submitted through forms is not properly filtered and sanitized, thus allowing hackers to inject code into the Web page. Attacks that result in a permanent change of the page are called persistent XSS.
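The programming error described above, shown as an added example that is not part of the original article: a page that reflects a submitted name straight into its HTML, next to the same page with the input HTML-encoded before insertion. The input string and the function names are constructed for the illustration; the check at the end only confirms whether the injected markup survived rendering as live HTML.

```python
import html

# Constructed input of the kind an unsanitized greeting page would reflect
# back into its HTML unchanged.
SAMPLE_INPUT = "<script>alert(1)</script>"


def render_greeting_vulnerable(name: str) -> str:
    """Reflects user input into the page without encoding: the defect the
    article describes, so injected markup becomes part of the page."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Same page, but the input is HTML-encoded before it is inserted, so the
    browser renders it as text rather than as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_title_attribute_safe(value: str) -> str:
    """Attribute context: quote=True also encodes the quote characters, so a
    value cannot close the attribute and start a new one."""
    return f'<a href="/profile" title="{html.escape(value, quote=True)}">profile</a>'


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show whether a <script> tag reached the
    rendered output as live markup."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(SAMPLE_INPUT))
    print(render_greeting_safe(SAMPLE_INPUT))
    print(render_title_attribute_safe('x" onmouseover="y'))
```

Output encoding is the fix at the application layer; CSP, as the article goes on to explain, is a second, browser-enforced layer that limits what an injected script could do if such a bug slips through.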

In this context, it's worth noting that CSP directives are stored in a file on the web server and are served as a response header, not as part of the page. Therefore, exploiting an XSS weakness alone will not allow the attacker to change them. Additionally, the new technology is backward compatible and won't affect the behavior of browsers that don't support it.

Some of the notable restrictions that can be enforced through CSP include prohibiting inline JavaScript code, restricting JavaScript code to specific hosts, as well as restricting resources embedded into objects, frames and iframes to specific sites. One particularly interesting directive is called report-uri and can be used to tell browsers to automatically report a CSP violation to a specific URL. This can be of great use to webmasters, as it will alert them to a possible compromise of their pages.
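The restrictions and the report-uri directive described in the two paragraphs above, as an added example that is not part of the original article or of Mozilla's implementation: a policy that forbids inline scripts, pins script loads to named hosts, restricts objects and frames, blocks framing by other sites, and names a report endpoint, followed by a small triage routine for the JSON reports browsers POST to that endpoint. The policy is written in the current Content-Security-Policy header syntax rather than the X-Content-Security-Policy syntax of the 2009 preview builds, the hostnames and report endpoint are assumptions, and the four reports are constructed in the CSP 1.0-style "csp-report" JSON shape.

```python
import json
from urllib.parse import urlsplit

# Policy assembled from the restrictions the article lists. All hostnames and
# the /csp-report path are hypothetical.
POLICY = {
    "default-src": ["'self'"],                                   # fallback for everything below
    "script-src": ["'self'", "https://scripts.example.com"],     # no inline JS; only these hosts
    "object-src": ["'none'"],                                    # no plugins/objects at all
    "frame-src": ["https://widgets.example.com"],                # frames/iframes only from here
    "frame-ancestors": ["'none'"],                               # nobody may frame us (clickjacking)
    "report-uri": ["/csp-report"],                               # where violations are POSTed
}


def build_policy_header(policy: dict) -> str:
    """Serialise the directive map into one Content-Security-Policy value."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in policy.items())


# Constructed violation reports, one JSON document per line, in the shape a
# browser sends to report-uri (document-uri, blocked-uri, violated-directive).
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://www.example.com/profile", '
    '"blocked-uri": "inline", "violated-directive": "script-src"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/", '
    '"blocked-uri": "https://evil.example.net/x.js", "violated-directive": "script-src"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/login", '
    '"blocked-uri": "https://attacker.example.org/frame.html", "violated-directive": "frame-ancestors"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/", '
    '"blocked-uri": "https://cdn.example.com/logo.png", "violated-directive": "img-src"}}',
]


def triage_report(raw: str) -> dict:
    """Classify one violation report: a blocked inline or foreign script on a
    page that forbids both is the signal the article calls a possible
    compromise; a blocked image is more likely a gap in the policy."""
    report = json.loads(raw)["csp-report"]
    # Older reports may carry the whole source list ("script-src 'self' ..."),
    # so keep only the directive name.
    directive = (report.get("effective-directive") or report["violated-directive"]).split()[0]
    blocked = report.get("blocked-uri", "")
    host = urlsplit(blocked).hostname if "://" in blocked else blocked

    if directive == "script-src" and blocked in ("inline", "self", "eval"):
        severity, reason = "high", "inline script blocked: possible injected XSS"
    elif directive == "script-src":
        severity, reason = "high", f"script load from host outside policy: {host}"
    elif directive == "frame-ancestors":
        severity, reason = "medium", f"page framed by {host}: clickjacking attempt or mis-embed"
    else:
        severity, reason = "low", f"{directive} resource outside policy ({host}); likely a policy gap"

    return {
        "page": report["document-uri"],
        "directive": directive,
        "blocked": blocked,
        "severity": severity,
        "reason": reason,
    }


def triage_all(raw_reports) -> list:
    """Triage a batch of reports, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((triage_report(r) for r in raw_reports), key=lambda t: order[t["severity"]])


if __name__ == "__main__":
    print("Content-Security-Policy:", build_policy_header(POLICY))
    for item in triage_all(SAMPLE_REPORTS):
        print(f"[{item['severity']:6}] {item['page']} {item['directive']}: {item['reason']}")
```

The triage deliberately treats a blocked inline script as the strongest signal: with inline JavaScript prohibited by policy, a report of one appearing on a page is exactly the "possible compromise" alert the article describes, whereas an unexpected image host usually means the policy was written too tightly.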

The new CSP-enabled Firefox builds mark an important step for the technology, as they will allow web developers to begin implementing and testing it in the context of their own applications. "We're thrilled to have received so much great feedback from other browser vendors, web site administrators, and security researchers and we're very proud of the design that has come out of that discussion. We would like to encourage any server administrators or web app security researchers who are interested in this project to grab a preview Firefox build and help us test the new features," Brandon Sterne, security program manager at Mozilla, said.

The Firefox builds with Content Security Policy support can be downloaded from here.