In a recent post on the Mozilla Security Blog, Brandon Sterne, Security Program Manager, talked about Mozilla's effort to shut down XSS (Cross-Site Scripting) attacks with Content Security Policy.

For several years, Cross-Site Scripting (XSS) attacks have plagued many of the web’s most popular sites and victimized their users. At Mozilla, we’ve been working for the last year on a new technology called Content Security Policy, designed to shut these attacks down.

Mozilla is working to make Firefox not only the fastest browser but also the most secure platform. Brandon explains CSP's approach to validating content:

In order to differentiate legitimate content from injected or modified content, CSP requires that all JavaScript for a page be 1) loaded from an external file, and 2) served from an explicitly approved host. This means that all inline script, javascript: URIs, and event-handling HTML attributes will be ignored. Only script included via a script tag pointing to a white-listed host will be treated as valid. Additionally, CSP allows several other common-sense security restrictions to be enforced.

Of course this will not save you 100% from XSS, Clickjacking or Packet Sniffing Attacks, but I think it’s a good initiative from browsers to help keep the web safe.