Softpedia
 


October 5th, 2009, 14:07 GMT · By

Download Firefox 3.7 Preview with Anti-XSS Security Enhancements

Preview builds of Firefox 3.7 are now available for download, offering the first fruits of Mozilla’s efforts to bulletproof systems against cross-site scripting related attacks. At the end of the past month, Brandon Sterne, Mozilla security program manager, revealed that the work necessary to turn the Content Security Policy specification into working Firefox code was nearly complete. In this regard, Sterne pointed end users and web developers to preview releases of Firefox 3.7, the “next next” iteration of the Mozilla open-source browser.

With the Content Security Policy (CSP), Mozilla has been working on a mechanism that lets web admins and website owners tell the browser which of the content a site serves is legitimate. Cross-site scripting, also referred to as XSS, is an attack in which malicious code is injected into a webpage through vulnerabilities, or through improperly filtered and sanitized user input in forms. With CSP, however, the website identifies the secure content, which enables the browser to ignore any additional code.

“In order to differentiate legitimate content from injected or modified content, CSP requires that all JavaScript for a page be 1) loaded from an external file, and 2) served from an explicitly approved host. This means that all inline script, javascript: URIs, and event-handling HTML attributes will be ignored. Only script included via a <script> tag pointing to a white-listed host will be treated as valid. Additionally, CSP allows several other common-sense security restrictions to be enforced,” Sterne noted in mid-2009.
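For a site owner preparing for these rules, the sketch below audits a page for the constructs Sterne lists as ignored under CSP: inline script, javascript: URIs, event-handling attributes, and script tags pointing at hosts that are not white-listed. It is an added example, not code from Mozilla or from the original article; the class and function names, the sample page and all host names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class CSPAudit(HTMLParser):
    """Records markup that the CSP rules quoted above would ignore."""

    def __init__(self, allowed_hosts, page_host):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)  # hypothetical white-list
        self.page_host = page_host      # host used for relative src values
        self.findings = []              # (line, kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]         # line on which the tag starts
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):   # onclick, onerror, onload, ...
                self.findings.append((line, "event-handler", f"{tag}[{name}]"))
            elif value.startswith("javascript:"):
                self.findings.append((line, "javascript-uri", f"{tag}[{name}]"))
        if tag == "script":
            src = dict(attrs).get("src")
            if not src:                 # rule 1: script must be an external file
                self.findings.append((line, "inline-script", tag))
            else:                       # rule 2: served from an approved host
                host = urlparse(src).hostname or self.page_host
                if host not in self.allowed_hosts:
                    self.findings.append((line, "unlisted-host", host))

def audit(html, allowed_hosts, page_host):
    """Return every construct in `html` that would stop working under CSP."""
    parser = CSPAudit(allowed_hosts, page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """<html><head>
<script src="https://static.example.com/app.js"></script>
<script src="http://thirdparty.example.net/widget.js"></script>
<script>init();</script>
</head><body>
<a href="javascript:void(0)">menu</a>
<img src="a.png" onerror="track()">
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"static.example.com"}, "www.example.com"):
        print(finding)
```

Each finding marks markup that has to move into an external file on an approved host before the policy is switched on, since the browser would otherwise silently drop it.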

Any server administrators or web app security researchers that want to try the anti-XSS Content Security Policy enhancements of Firefox 3.7 are able to do so by grabbing the preview builds from Mozilla’s FTP servers. Mozilla is currently laboring to offer Firefox 3.6 in November of this year, with Firefox 3.7 planned for availability in the first half of 2010, ahead of Firefox 4.0.

The latest releases of Firefox for Windows are available for download here.


READER COMMENTS:


Comment #1 by: sbohdjal on 06 Oct 2009, 03:44 UTC

Will CSP in Firefox 3.7 allow bookmarklets to run? If not, can a user white-list domains used by a bookmarklet?

If bookmarklets are broken by CSP, that's a step backwards.
