Mar 23, 2011 17:08 GMT

Firefox 4 brings several new security features, including Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), a do-not-track anti-behavioral-advertising solution and an option to prevent website framing.

Content Security Policy is an anti-XSS technology developed by Mozilla and first implemented in Firefox 4.0 for desktop and mobile.

It is a very powerful tool that gives webmasters control over how browsers load JavaScript from their websites.

Rules that prevent inline scripting and restrict the domains from which JavaScript may be loaded can be specified via special HTTP headers.

In addition, there's an option to provide a URL to which the browser can automatically report CSP violations. This can help webmasters detect implementation problems or attacks targeting their websites.

Twitter is the first mainstream service to announce CSP adoption. At the moment it is only available on the mobile website, but it will be slowly rolled out on all domains.

HTTP Strict Transport Security, on the other hand, allows webmasters to force HTTPS connections on their websites.

This technology is an IETF Internet-Draft and is supported by both Google Chrome and Firefox 4. It helps prevent so-called SSL-stripping man-in-the-middle attacks.

Such attacks were used by the Tunisian government during the recent pro-democracy protests that ousted former president Zine El Abidine Ben Ali.

Having control over the entire country's perimeter routers, the Tunisian Internet Authority stripped SSL away from Gmail connections in order to perform phishing attacks.

Mozilla's solution for the do-not-track option proposed last year by the Federal Trade Commission is present in Firefox 4 as an HTTP header called "DNT."

Other security-related changes include a simplification of the User-Agent header, which makes user tracking harder, and the inclusion of X-FRAME-OPTIONS, which websites can use to prevent browsers from loading them inside frames.
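As an added example (not part of the original article), the following script audits a set of HTTP response headers for the three server-side protections described above: a CSP that blocks inline scripts and names a report URL, an HSTS policy with a non-zero lifetime, and an X-Frame-Options header. It assumes the standardized `Content-Security-Policy` header syntax rather than the experimental `X-Content-Security-Policy` prefix that Firefox 4 itself shipped; the sample header sets are constructed.

```python
# Added example: audit response headers for CSP, HSTS and X-Frame-Options.
# Uses standardized Content-Security-Policy syntax (assumption: Firefox 4
# shipped the experimental X-Content-Security-Policy prefix instead).

def parse_csp(value):
    """Turn "script-src a b; report-uri /x" into {"script-src": ["a", "b"], ...}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit_headers(headers):
    """Return a list of weaknesses found in a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no CSP: inline and third-party scripts are unrestricted")
    else:
        policy = parse_csp(csp)
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP permits inline scripts, so injected script still runs")
        if "report-uri" not in policy:
            findings.append("CSP has no report-uri: violations are not reported")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS: SSL stripping remains possible on later visits")
    else:
        max_age = 0
        for token in hsts.split(";"):
            name, _, val = token.strip().partition("=")
            if name.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age == 0:
            findings.append("HSTS max-age is 0 or missing: policy is not retained")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid: page can be framed")
    return findings

# Constructed sample header sets: one hardened as the article describes, one weak.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example; report-uri /csp-report",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
WEAK = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=0",
}
```

Running `audit_headers(HARDENED)` yields no findings, while `audit_headers(WEAK)` reports four: inline scripts allowed, no report-uri, a zero HSTS lifetime, and a missing X-Frame-Options header.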