Content Security Policy enabled on adblockplus.org · 2010-03-05 13:09 by Wladimir Palant

If you are using Gecko 1.9.3 Alpha 2 (Mozilla Developer Preview) or Firefox nightly builds, your browser already supports Content Security Policy. This is a mechanism that lets a site tell the browser which origins it may load scripts, stylesheets, images and frames from, and which pages may embed it in a frame; it is meant to mitigate attacks on a website such as Cross-Site Scripting or Clickjacking. While I believe that adblockplus.org isn’t vulnerable to any of these attacks, I certainly like having an additional layer of protection, so I turned on Content Security Policy on this site. A possible side-effect is that some things which used to work fine might fail to load now; if you see something like that, please let me know.

The details of the policy in place here: by default, every resource loaded by a page on adblockplus.org (scripts, stylesheets, frames and so on) must come from adblockplus.org itself. There is an exception for YouTube, on the main page only, for the embedded video. Images are allowed from any origin, mainly for the sake of the forum. Finally, inline scripts are allowed; while I would like to disallow them, the web applications used here still rely on inline scripts. That last point is the weakest part of the policy: as long as inline scripts are permitted, an attacker who manages to inject markup into a page can still run script in it, so the script restrictions mainly stop scripts being pulled in from other hosts.
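To make the rules above concrete, here is an added example (not the site's own configuration, which the post does not show) that writes the described policy as a Content-Security-Policy header and then evaluates individual loads against it the way a browser would. The header syntax is the current standard one rather than the experimental `X-Content-Security-Policy` header Mozilla shipped in 2010, the YouTube embed host is assumed to be `https://www.youtube.com`, and the `child-src` fallback step for frames is left out for brevity.

```javascript
// Added example: the adblockplus.org policy described in the post, expressed
// as a modern CSP header, plus a minimal evaluator for "is this load allowed?".
// SITE_ORIGIN and YOUTUBE_ORIGIN are assumptions, not taken from the site.

const SITE_ORIGIN = "https://adblockplus.org";
const YOUTUBE_ORIGIN = "https://www.youtube.com"; // assumed embed host

// Build the per-page policy. The YouTube frame exception exists only on the
// front page; every other page gets the plain same-origin default.
function policyFor(path) {
  const directives = [
    "default-src 'self'",                 // anything not listed: same origin only
    "img-src *",                          // images from anywhere (forum avatars etc.)
    "script-src 'self' 'unsafe-inline'",  // inline scripts still needed by the web apps
  ];
  if (path === "/") {
    directives.push(`frame-src 'self' ${YOUTUBE_ORIGIN}`);
  }
  return directives.join("; ");
}

// Parse "directive src src; directive src ..." into a Map of source lists.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression match the URL? Handles 'none', '*', 'self',
// host sources with an optional scheme, and "*.example.com" wildcards.
function sourceMatches(source, url) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  const target = new URL(url);
  if (source === "'self'") return target.origin === SITE_ORIGIN;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  let scheme = null;
  let host = source;
  const sep = source.indexOf("://");
  if (sep !== -1) {
    scheme = source.slice(0, sep) + ":";
    host = source.slice(sep + 3);
  }
  host = host.split("/")[0]; // ignore any path part of the source
  if (scheme && target.protocol !== scheme) return false;
  if (host.startsWith("*.")) return target.host.endsWith(host.slice(1));
  return target.host === host;
}

// Fetch directives fall back to default-src when not set; a directive that is
// set nowhere imposes no restriction at all.
function allows(policy, directive, url) {
  const sources = policy.get(directive) ?? policy.get("default-src") ?? ["*"];
  return sources.some((s) => sourceMatches(s, url));
}

// Inline <script> blocks are governed by 'unsafe-inline' in script-src
// (falling back to default-src).
function allowsInlineScript(policy) {
  const sources = policy.get("script-src") ?? policy.get("default-src") ?? ["*"];
  return sources.includes("'unsafe-inline'") || sources.includes("*") && false;
}

// Usage: evaluate a few loads against the front page and a forum page.
const front = parsePolicy(policyFor("/"));
const forum = parsePolicy(policyFor("/forum/"));
console.log(policyFor("/"));
console.log(allows(front, "frame-src", `${YOUTUBE_ORIGIN}/embed/video`)); // true
console.log(allows(forum, "frame-src", `${YOUTUBE_ORIGIN}/embed/video`)); // false
console.log(allows(front, "script-src", "https://evil.example/x.js"));     // false
```

Running it shows the two consequences a practitioner cares about: a foreign script or stylesheet is refused everywhere, while the YouTube frame is refused on every page except the front page because `frame-src` falls through to `default-src 'self'` there.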
