
Content Security Policy mechanism in Firefox almost ready


1 October 2009. Author: Anton
Brandon Sterne, Mozilla's acting head of security, has announced on the Mozilla Security Blog that work on implementing the Content Security Policy (CSP) specification in Firefox has begun.
How does it work?
The mechanism is meant to protect against cross-site scripting (XSS) attacks and their derivatives. It works by distinguishing the content the original web page is supposed to contain from content that has been modified or injected from outside. CSP requires that every piece of JavaScript be loaded from an external file hosted on a server the site has approved in advance.

All scripts placed directly in the page, including links beginning with javascript: and HTML attributes that handle events (onclick and the like), are ignored. Only code loaded through <script> tags pointing at hosts on the so-called whitelist is executed.

Content Security Policy also lets a site control other security-relevant aspects of how the browser processes page content.
Testers welcome

Anyone who wants to see how the new protection mechanism works can download the preview builds Sterne has linked to. The CSP implementation is not yet complete, so testers may notice that some points of the specification are not yet reflected in the actual functionality; one example is the still-unfinished handling of HTTP redirects under CSP.

When exploring the new security subsystem, a special Firefox page that demonstrates its capabilities can be useful.
