Firefox feature looks to foil XSS attacks

The Mozilla Foundation released on Wednesday a preview version of the Firefox browser that implements a technology to protect against scripting attacks.

The technology, known as Content Security Policy (CSP), allows Web sites to specify restrictions on how the browser handles scripts. Using CSP, a Web site can publish a whitelist of sites from which the browser should accept scripts, and can mandate that scripts be labeled as applications and not be obfuscated. A number of other features are also available, all aiming to prevent malicious scripts from executing in the context of the current site.
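As an added example, not from the article or from Mozilla's implementation: a small Python model of the whitelist check described above, deciding whether a page's policy lets the browser run a script from a given origin. It uses today's Content-Security-Policy header syntax rather than the 2009 preview's; the policy and URLs are constructed.

```python
from urllib.parse import urlparse

# Constructed sample: the page trusts its own origin plus one CDN for scripts.
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"
PAGE = "https://www.example.com/index.html"


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(expr, script):
    """Match one host-source expression: '*', scheme://host, host or *.host."""
    if expr == "*":
        return True
    scheme, _, host = expr.rpartition("://")
    if scheme and scheme.lower() != script.scheme:
        return False
    host = host.lower()
    if host.startswith("*."):
        return script.hostname is not None and script.hostname.endswith(host[1:])
    return script.hostname == host


def script_allowed(header, page_url, script_url=None):
    """Return True if the policy lets the browser execute the script.

    script_url=None stands for an inline <script> block, which CSP blocks
    unless the site explicitly opts in with 'unsafe-inline'.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no directive covers scripts: legacy "run everything" behaviour
    if script_url is None:
        return "'unsafe-inline'" in sources
    page, script = urlparse(page_url), urlparse(script_url)
    for expr in sources:
        if expr == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif not expr.startswith("'") and _host_matches(expr, script):
            return True
    return False  # 'none', or no whitelist entry matched


if __name__ == "__main__":
    for src in ("https://cdn.example.com/lib.js", "https://ads.example.net/track.js", None):
        print(src or "<inline script>", "->", script_allowed(POLICY, PAGE, src))
```

An injected inline script, the usual XSS payload shape, is refused under the sample policy even though the page's own and the CDN's scripts still load.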

The preview does not implement the entire specification, and Mozilla is looking for testers and feedback, Brandon Sterne, Mozilla's security program manager, stated in Wednesday's blog post.

"Please be aware that there are still a few rough spots," Sterne said. "The implementation is not quite complete so you may notice some small gaps between the preview builds and the spec."

Content Security Policy is based on recommendations made by Robert "rsnake" Hansen back in 2005. Most browsers treat all scripts the same, executing them in the context of the current site no matter where they originated. That de facto policy is what allowed untrusted ads on The New York Times site to recently serve up malicious software to visitors, and what allowed the Samy and other Web worms to spread. Content Security Policy lets sites tell browsers which scripts should be allowed to run and impose additional restrictions on scripting.

Mozilla has created a demo page for security researchers who want to see content security policy in action.
