Mar 23, 2011 16:53 GMT

Twitter has implemented a new technology called Content Security Policy (CSP) on its mobile website which is aimed at thwarting cross-site scripting (XSS) attacks.

The Content Security Policy specification was developed by Mozilla and was introduced for the first time in the newly released Firefox 4.0 browser.

It allows webmasters to define rules for how and from where JavaScript may be loaded on their websites, by specifying those rules in a dedicated HTTP header.

In terms of cross-site scripting (XSS) mitigation, CSP offers two important features. One allows sites to completely disallow inline JavaScript, the vector most XSS attacks rely on, and the other allows them to specify the domains from which JavaScript may be loaded.

But in addition to real-time mitigation, CSP can also be used to detect attacks and other inconsistencies with the policy. The report-uri directive can specify a URL to which browsers automatically report CSP violations encountered on the website.

Twitter began its CSP tests on its mobile website because that site is clearly lighter and allows for a speedier implementation.

The first problem Twitter ran into when moving inline JavaScript out of its pages was with a third-party jQuery plug-in which had some incompatibilities. Those issues have since been fixed.

The second problem was with Firefox extensions that inject JavaScript into pages locally and with ISPs that engage in similar practices. The solution was to enforce SSL for Firefox 4 users, which prevents content alteration.
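To make the two mechanisms described above concrete, here is an added example, written for this article and not code from Twitter or from Mozilla. It builds a policy that drops inline JavaScript and whitelists script hosts, emits it under both the Firefox 4 experimental header name and the later standard one, and then parses the JSON violation reports a browser would POST to the report-uri endpoint. Because add-ons and ISPs that inject script into pages also trigger reports, the parser separates those from the inline-script case that actually indicates XSS. The hostnames, the report path and the sample reports are constructed for illustration; the example also uses the standardised directive names rather than the slightly different vocabulary of Firefox 4's experimental header.

```python
"""Added example (not Twitter's or Mozilla's code): build a CSP policy
that forbids inline JavaScript and whitelists script origins, and
classify the JSON violation reports browsers send to report-uri."""
import json

# Hypothetical hosts and report path; Twitter's real policy is not on the page.
SCRIPT_HOSTS = ["https://scripts.example.com", "https://cdn.example.com"]
REPORT_ENDPOINT = "/csp-report"

# Schemes used by browser add-ons that inject script (assumption: treated as noise).
EXTENSION_SCHEMES = ("moz-extension", "chrome-extension", "safari-extension")


def build_policy(script_hosts, report_endpoint):
    """Return the policy string. script-src lists 'self' plus the whitelisted
    hosts and deliberately omits 'unsafe-inline', so inline <script> blocks
    and on* event handlers are refused by the browser."""
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_hosts),
        "report-uri " + report_endpoint,
    ]
    return "; ".join(directives)


def policy_headers(policy):
    """Firefox 4 read the experimental X-Content-Security-Policy header;
    later browsers standardised on Content-Security-Policy. Sending both
    covers either generation of client."""
    return {
        "X-Content-Security-Policy": policy,
        "Content-Security-Policy": policy,
    }


def classify_report(raw_json):
    """Classify one violation report posted to report-uri.

    Returns (category, blocked_uri), where category is:
      'inline-script'   an inline script was refused: the XSS-relevant case
      'extension'       script injected by a browser add-on: expected noise
      'external-script' a script from a host outside the whitelist
      'other'           a violation of some directive other than script-src
    """
    body = json.loads(raw_json).get("csp-report", {})
    directive = body.get("violated-directive", "")
    blocked = body.get("blocked-uri", "")
    if not directive.startswith("script-src"):
        return ("other", blocked)
    # Browsers report blocked inline script with an empty, "self" or "inline" URI.
    if blocked in ("", "self", "inline"):
        return ("inline-script", blocked)
    if blocked.split(":", 1)[0] in EXTENSION_SCHEMES:
        return ("extension", blocked)
    return ("external-script", blocked)


# Constructed sample reports in the shape a browser POSTs them.
SAMPLE_EXTERNAL_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://m.example.com/timeline",
    "violated-directive": "script-src 'self' https://scripts.example.com",
    "blocked-uri": "https://injected.example.net/x.js",
}})
SAMPLE_INLINE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://m.example.com/timeline",
    "violated-directive": "script-src 'self' https://scripts.example.com",
    "blocked-uri": "self",
}})
SAMPLE_EXTENSION_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://m.example.com/timeline",
    "violated-directive": "script-src 'self' https://scripts.example.com",
    "blocked-uri": "moz-extension://abc123/inject.js",
}})


if __name__ == "__main__":
    policy = build_policy(SCRIPT_HOSTS, REPORT_ENDPOINT)
    for name, value in policy_headers(policy).items():
        print(f"{name}: {value}")
    for sample in (SAMPLE_EXTERNAL_REPORT, SAMPLE_INLINE_REPORT, SAMPLE_EXTENSION_REPORT):
        print(classify_report(sample))
```

Only the inline-script category is a strong XSS signal; extension and ISP injection show up as the other two categories, which is why Twitter's move to SSL for Firefox 4 users matters for keeping the report stream meaningful as well as for protecting the page itself.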

"Allowing sites like Twitter to disable inline Javascript and whitelist external assets is a huge step towards neutralizing XSS attacks. [...] We hope other browsers will adopt the CSP standard, especially as more sites depend on client-side code and user-generated content," the Twitter engineers write.

The team plans to slowly roll out CSP on more of Twitter over the upcoming months, but given the complexity of the site it will require significant modifications and careful testing.