Jun 15, 2011 12:15 GMT

Google has released a list of security features being built into the upcoming Chrome 13, which includes Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) implementations, certificate pinning and a self-XSS filter.

Content Security Policy (CSP) is a specification developed by Mozilla that aims to provide a solution for many of today's injection attacks.

It allows websites to restrict the sources of content that can be loaded into their pages. For example, a webmaster can provide a list of domains for images, embedded objects, scripts, fonts or frames.

This significantly narrows the options of attackers who currently exploit vulnerabilities to inject rogue iframe and script elements that load content from domains under their control.

The CSP implementation in Chrome 13 is only for experimental purposes and webmasters that want to try it out can use the X-WebKit-CSP temporary header.
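To make concrete what "restricting the sources of content" means, here is an added example, not code from the article or from Chrome, of a minimal CSP evaluator: it parses a policy string into directives, sends it under the temporary X-WebKit-CSP header name the article mentions, and decides whether a given resource may load. The policy, origins and file names are constructed for the example; the matcher supports 'self', 'none', '*', scheme://host origins and *.host wildcards, and falls back to default-src when a directive is absent.

```python
from urllib.parse import urlsplit

# Constructed example policy: each directive lists the origins from which
# that kind of content may load. object-src 'none' blocks plugins entirely.
EXAMPLE_POLICY = ("default-src 'self'; "
                  "img-src 'self' https://images.example.com; "
                  "script-src 'self' https://cdn.example.com; "
                  "object-src 'none'")


def parse_csp(policy):
    """Turn a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_headers(policy):
    """Response headers a site would send to opt in; the article says Chrome 13
    reads the experimental X-WebKit-CSP name until the standard is finished."""
    return {"X-WebKit-CSP": policy}


def origin_of(url):
    """scheme://host[:port], lower-cased, which is what host sources compare."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_matches(expr, page_url, resource_url):
    """Does one source expression permit loading resource_url from page_url?"""
    expr_l = expr.lower()
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return origin_of(page_url) == origin_of(resource_url)
    if expr_l == "*":
        return True
    host = urlsplit(resource_url).netloc.lower()
    if expr_l.startswith("*."):
        # Wildcard host: *.example.com matches any subdomain of example.com
        return host.endswith(expr_l[1:])
    if "://" in expr_l:
        return origin_of(resource_url) == expr_l
    return host == expr_l


def is_allowed(policy, page_url, resource_url, directive):
    """Apply the directive for this content type, or default-src if missing.
    With neither present, CSP imposes no restriction on that content type."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, page_url, resource_url) for s in sources)


if __name__ == "__main__":
    page = "https://www.example.com/page"
    for url, kind in [("https://cdn.example.com/app.js", "script-src"),
                      ("https://evil.example.net/x.js", "script-src"),
                      ("https://evil.example.net/frame", "frame-src")]:
        print(kind, url, "allowed" if is_allowed(EXAMPLE_POLICY, page, url, kind) else "blocked")
```

Note that an injected `<script src="https://evil.example.net/x.js">` is blocked not because the browser recognises it as malicious but because the site never listed that origin; the frame-src check shows the same policy also constraining injected iframes through the default-src fallback.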

"We’re working with Mozilla and others through the W3C to finish the standard. Once that’s done, we’ll remove support for the X-WebKit-CSP header and add support for the final header name," Chris Evans, a member of Google's security team, writes.

Other important security features expected in Chrome 13 are HSTS and certificate pinning, two technologies that mitigate a number of SSL attacks.

HSTS forces Chrome to access certain websites only over HTTPS. This defeats SSL-stripping attacks, in which an attacker who controls the victim's Internet gateway strips the HTTPS part of the URL and forces the victim's browser onto an insecure connection.

Certificate pinning goes even further and allows particular SSL certificates, or some of their characteristics, to be associated with certain websites. For example, in the case of gmail.com, Chrome 13 will only be able to access the domain if the certificate is issued by one of the certificate authorities (CAs) on a limited list.

This can protect users in cases where the attacker manages to fraudulently obtain a rogue certificate for a high-profile domain from a compromised or irresponsible CA.
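The two mechanisms above, as an added example that is not code from the article or from Chrome: a small HSTS store that remembers hosts which sent a Strict-Transport-Security header and upgrades later http:// navigations (the step that defeats SSL stripping), and a pin check that accepts a certificate chain for a pinned host only if one of the chain's public keys is on the host's allowed list, modelling the "issued by one of the CAs on a limited list" rule. Host names, the pin table and the certificate key bytes are constructed placeholders, and pins are compared as SHA-256 fingerprints of the key bytes purely for this example.

```python
import hashlib
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Remembers which hosts must only be reached over HTTPS."""

    def __init__(self, now=time.time):
        self._now = now                # injectable clock so expiry can be tested
        self._entries = {}             # host -> (expires_at, include_subdomains)

    def record(self, host, header_value):
        """Process a Strict-Transport-Security header received over HTTPS."""
        max_age, include_sub = None, False
        for part in header_value.split(";"):
            part = part.strip().lower()
            if part.startswith("max-age="):
                max_age = int(part[len("max-age="):])
            elif part == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                     # max-age is mandatory; ignore malformed headers
        if max_age == 0:
            self._entries.pop(host.lower(), None)   # max-age=0 removes the host
            return
        self._entries[host.lower()] = (self._now() + max_age, include_sub)

    def is_hsts_host(self, host):
        """Exact host, or a parent domain that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or self._now() >= entry[0]:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts before any request is sent,
        so a gateway that stripped the scheme never sees a plaintext request."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_hsts_host(p.hostname or ""):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url


def spki_fingerprint(spki_der):
    """SHA-256 of a certificate's public key bytes (placeholder bytes here)."""
    return hashlib.sha256(spki_der).hexdigest()


# Constructed pin table: host -> fingerprints of CA keys the site may chain to.
TRUSTED_CA_KEY = b"placeholder-public-key-of-an-allowed-ca"
PINS = {"mail.example.com": {spki_fingerprint(TRUSTED_CA_KEY)}}


def chain_satisfies_pins(host, chain):
    """chain is a list of (subject, public_key_bytes) from leaf to root.
    Unpinned hosts are accepted; a pinned host needs a pinned key in the chain,
    so a certificate from a CA outside the list is rejected even if it is
    otherwise valid and trusted by the system store."""
    pins = PINS.get(host.lower())
    if pins is None:
        return True
    return any(spki_fingerprint(key) in pins for _, key in chain)


if __name__ == "__main__":
    store = HstsStore()
    store.record("mail.example.com", "max-age=31536000; includeSubDomains")
    print(store.upgrade("http://mail.example.com/inbox"))
    rogue = [("CN=mail.example.com", b"leaf-key"), ("CN=Some Other CA", b"rogue-ca-key")]
    print("rogue chain accepted:", chain_satisfies_pins("mail.example.com", rogue))
```

Real browsers persist the HSTS store across sessions and also ship preloaded entries; the pinning check here matches only on key fingerprints, which is one of the "characteristics" a pin can be tied to.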

The company has also been working with Facebook to implement a self-XSS filter which would prevent users from compromising themselves by pasting rogue code inside the browser's address bar. This type of attack has been increasingly seen on the social networking site.

Chrome 13 is currently in the dev channel and is expected to be promoted to beta this week. The final version is expected to ship in around five weeks.