Softpedia
June 24th, 2009, 11:50 GMT · By

New Mozilla Technology to Mitigate Cross-Site Scripting

Mozilla promotes Content Security Policy (CSP) to tackle the XSS problem
Security engineers from Mozilla want to tackle cross-site scripting attacks with a new technology they call the Content Security Policy (CSP). This new specification would allow websites to set directives that enforce certain restrictions over what content the CSP-aware browsers trust.

Cross-site scripting (XSS) flaws are the most common vulnerabilities on the web today. By exploiting XSS weaknesses, attackers can inject rogue code, such as IFrames, into websites.

Rogue IFrames are notorious for being used to attack visitors, by serving malware or by executing exploits hosted on third-party servers. Even the largest and most security-aware websites have been compromised in this way during the past several years, showing that the programming mistakes that generate these XSS holes, like poor input validation, can't easily be prevented.

Mozilla proposes another approach, which would allow websites to protect their visitors even if they get compromised. "Content Security Policy (CSP) provides a mechanism for sites to explicitly tell the browser which content is legitimate. The browser can then disregard any content which has not been blessed by the site," Brandon Sterne, Mozilla's security program manager, explains.

For legitimate JavaScript code, this implies two rather dramatic restrictions compared with the way websites function today. The first is that browsers will only trust JavaScript loaded from an external file, which renders the inline scripting typical of XSS attacks ineffective. The second goes even further and lets websites specify the trusted hosts from which JavaScript can be loaded.

The Mozilla security engineers say that, after analyzing multiple samples and scenarios, they could not find any case in which legit JavaScript could not be migrated out of the pages and into separate files. According to them, this is also consistent with "the programming paradigm 'don’t mix code with content' so there may be additional functional benefits to be gained by implementing such separation."

However, they realize that this is a drastic change that would imply implementation costs, especially for large websites. Because of this, they propose a gradual adoption, as CSP has many other useful directives that can be easily enforced to block certain script injection attack vectors, until all the JavaScript code is moved to external files.

CSP features can also be used to mitigate clickjacking (UI redressing) or packet sniffing attacks, but mitigation is not the only benefit of this new technology. A directive called report-uri can tell CSP-enabled browsers where to report the policy violations they encounter on the website. This means that webmasters can easily and quickly be alerted about rogue injected code in their pages by the website's own visitors.
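To make the two script restrictions, the gradual-adoption path and the report-uri mechanism described above concrete, here is an added example that is not Mozilla's code and not part of the original article. It models, in Python, how a CSP-aware browser decides whether an inline script or an external script from a given host may run under a script-src policy, and what a violation report posted to report-uri looks like on the server side. It uses the later standardized `Content-Security-Policy` header syntax (`'self'`, `'unsafe-inline'`, host sources, `report-uri`) rather than the 2009 experimental Mozilla header; the host names, page URLs and report shape are constructed for the example, and the matching logic is a simplification of the real algorithm (no path or port-wildcard handling).

```python
"""Toy model of CSP script-src enforcement and report-uri handling.
Added example, not Mozilla's implementation. Uses the standardized
Content-Security-Policy syntax; all hosts/URLs below are constructed."""
import json
from urllib.parse import urlparse


def build_policy(trusted_script_hosts, allow_inline=False, report_path="/csp-report"):
    """Build the header value for a site.

    Final state (article's goal): only scripts from the page's own origin and
    the listed hosts run; inline script is blocked because 'unsafe-inline'
    is absent. Gradual adoption: allow_inline=True keeps inline script working
    while still restricting which external hosts may supply script."""
    sources = ["'self'"] + list(trusted_script_hosts)
    if allow_inline:
        sources.append("'unsafe-inline'")
    return "default-src 'self'; script-src {}; report-uri {}".format(
        " ".join(sources), report_path)


def parse_policy(header):
    """Parse 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(policy, page_url, script_url=None):
    """Decide whether a script may execute on page_url.

    script_url=None means an inline <script> block. script-src falls back to
    default-src when absent, as browsers do. Simplified source matching:
    'self' = same scheme and host[:port]; a host source matches that host,
    '*.example.com' matches subdomains; a scheme on the source must match."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        return "'unsafe-inline'" in sources
    page, script = urlparse(page_url), urlparse(script_url)
    for src in sources:
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue  # other keyword sources ('none', 'unsafe-inline') do not match URLs
        else:
            has_scheme = "://" in src
            allowed = urlparse(src if has_scheme else "//" + src)
            if has_scheme and allowed.scheme != script.scheme:
                continue
            host = allowed.netloc
            if host.startswith("*."):
                if script.netloc.endswith(host[1:]):  # '*.example.com' -> '.example.com'
                    return True
            elif script.netloc == host:
                return True
    return False


def violation_report(policy_header, page_url, blocked_uri):
    """JSON body a browser would POST to report-uri (constructed csp-report shape)."""
    return json.dumps({"csp-report": {
        "document-uri": page_url,
        "violated-directive": "script-src",
        "blocked-uri": blocked_uri,
        "original-policy": policy_header,
    }})


def triage_report(body):
    """Server side of report-uri: extract what a webmaster would alert on."""
    report = json.loads(body)["csp-report"]
    return (report["document-uri"], report["violated-directive"], report["blocked-uri"])


if __name__ == "__main__":
    header = build_policy(["https://static.example.com"])
    policy = parse_policy(header)
    page = "https://www.example.com/article"
    print(header)
    print("inline script allowed:", script_allowed(policy, page))
    print("own script allowed:", script_allowed(policy, page, page.rsplit("/", 1)[0] + "/app.js"))
    print("injected script allowed:", script_allowed(policy, page, "https://evil.example.net/x.js"))
    print("report:", triage_report(violation_report(header, page, "inline")))
```

The interesting case is the last check: an injected `<script>` pointing at an attacker-controlled host is refused even though the site itself was compromised, which is exactly the protection the article describes; the report the browser sends back then tells the webmaster which page carried the injection.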

Mozilla plans to start implementing this new, but backward compatible, technology in future Firefox nightly builds. "Content Security Policy has been a collaboration of many individuals and has received input from multiple web sites, browser vendors, and web app security researchers. We are very excited to have reached a level of stability in the design that has allowed us to begin implementation of the CSP specification," Brandon Sterne notes.

READER COMMENTS:


Comment #1 by: Eric on 24 Jun 2009, 20:11 UTC reply to this comment

This sounds like a great idea...Mozilla is always aggressively finding ways to improve security on the browser side. But that in and of itself is a problem, because Mozilla is just one browser. If their CSP system were a standard implemented across all browsers, then maybe it would be worth poring through dozens or hundreds of pages to revise JavaScript implementation.

Yes, inline JavaScript is "bad" according to the "don't mix code and content" principle. But theory is different from reality; Softpedia being just one example of a legit website using inline JavaScript.

In short, this will never become bigger than a handful of websites that don't find the cost to implement too painful. But still, that handful of more secure websites isn't a bad thing, and maybe it will start a trend that at least encourages developers to be conscious of XSS before development instead of as an afterthought.
