14 DAY TRIAL // Preview builds of Firefox 3.7 are now available for download, offering the first fruits of Mozilla’s efforts to bulletproof systems against cross-site scripting related attacks. At the end of the past month, Brandon Sterne, Mozilla security program manager, revealed that the work necessary to turn the Content Security Policy specification into working Firefox code was nearly complete. In this regard, Sterne pointed end users and web developers to preview releases of Firefox 3.7, the “next next” iteration of the Mozilla open-source browser.
Via the Content Security Policy (CSP) Mozilla has been working on a technology set up to provide web admins and website owners with a mechanism designed to permit the website to tell the browser which of the content it serves is legitimate. Cross-site scripting, also referred to as XSS, is the process in which an attacker injects malformed code into a webpage through vulnerabilities, or via improperly filtered and sanitized form user input. However, with CSP the website will identify the secure content, and enable the browser to ignore additional code.
“In order to differentiate legitimate content from injected or modified content, CSP requires that all JavaScript for a page be 1) loaded from an external file, and 2) served from an explicitly approved host. This means that all inline script, javascript: URIs, and event-handling HTML attributes will be ignored. Only script included via a <script> tag pointing to a white-listed host will be treated as valid. Additionally, CSP allows several other common-sense security restrictions to be enforced,” Sterne noted in mid-2009.
Any server administrators or web app security researchers that want to try the anti-XSS Content Security Policy enhancements of Firefox 3.7 are able to do so by grabbing the preview builds from Mozilla’s FTP servers. Mozilla is currently laboring to offer Firefox 3.6 in November of this year, with Firefox 3.7 planned for availability in the first half of 2010, ahead of Firefox 4.0.
The latest releases of Firefox for Windows are available for download here.