First Firefox demo for Content Security Policy
Maniac
The Mozilla foundation has presented the first demonstration of its new Content Security Policy (CSP). CSP is expected to help prevent cross-site scripting attacks (XSS).

CSP allows web administrators to send a special header (X-Content-Security-Policy: allow 'self';) that tells the browser which domains it should accept as sources for trusted code. Standard XSS attacks sometimes exploit vulnerabilities in web applications to execute JavaScript in the browser with the rights of trusted domains.

With CSP, the browser will only execute scripts which originate from domains listed in a whitelist – everything else will be blocked. This allows administrators to specify their own script server for loading and executing scripts, for example. Attackers should then no longer be able to inject scripts into HTML files.

CSP only works in a specially prepared browser. The new Preview Build of Firefox supports this function. While this version does not yet support all specifications, it should suffice for an initial impression. At a special demo website, you can test whether and how CSP works. Brandon Sterne, Security Program Manager at Mozilla, says he looks forward to having a wide group of people take part in the first tests and to receiving their comments.


Source: H-Online
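To make the whitelist idea in the article concrete, here is a small Python model of the check the browser performs: it parses an X-Content-Security-Policy header value and decides whether a given script source is on the allowed list. This is an added illustration, not code from the post, from H-Online or from Mozilla's implementation; the directive syntax (an "allow" default with an optional "script-src" override, 'self', bare hosts and "*.host" wildcards) follows the header shown in the article and is an assumption about the early draft, the blocking of inline scripts reflects that draft's design, and all hostnames are constructed for the example.

```python
"""Toy model of an X-Content-Security-Policy whitelist check (added example, not Mozilla's code)."""
from urllib.parse import urlsplit


def parse_policy(header_value):
    """Split "allow 'self'; script-src 'self' scripts.example.com" into
    {"allow": ["'self'"], "script-src": ["'self'", "scripts.example.com"]}."""
    policy = {}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, sources = directive.partition(" ")
        policy[name.lower()] = sources.split()
    return policy


def origin_of(url):
    """scheme://host[:port], the unit 'self' is compared against."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(src, page_url, script_url):
    """Does one source expression from the policy cover this script URL?"""
    if src == "'self'":
        return origin_of(script_url) == origin_of(page_url)
    if src == "*":
        return True
    # Bare host or scheme://host; an optional leading "*." matches subdomains only.
    src_host = src.split("://", 1)[-1].lower()
    host = (urlsplit(script_url).hostname or "").lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host


def script_allowed(policy, page_url, script_url):
    """True if the browser would execute a script loaded from script_url.

    script_url=None stands for an inline <script> block: the early CSP draft
    refused those outright, which is what stops injected script in the page
    body (assumption about the draft, stated in the lead-in)."""
    if script_url is None:
        return False
    sources = policy.get("script-src", policy.get("allow", []))
    return any(_source_matches(src, page_url, script_url) for src in sources)


if __name__ == "__main__":
    # Constructed sample: the page trusts itself plus a dedicated script host.
    policy = parse_policy("allow 'self'; script-src 'self' scripts.example.com")
    page = "https://www.example.com/account"
    for script in ("https://www.example.com/app.js",
                   "https://scripts.example.com/lib.js",
                   "https://evil.example.net/x.js",
                   None):
        verdict = "run" if script_allowed(policy, page, script) else "block"
        print(f"{verdict:5s} {script or '<inline script>'}")
```

A server only has to emit the header; every enforcement decision happens in the browser, which is why the article stresses that only a prepared Firefox build honours it. The fallback from "script-src" to "allow" mirrors the way a single allow directive in the header covers all content types unless a more specific directive overrides it.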
catscomputer
Hmm. I wonder how that will work with NoScript enabled?
mountaintree16
@ catscomputer

maybe it won't be necessary anymore? or maybe NoScript will complement the feature.
mountaintree16
@ Maniac

Thanks for the link! That's awesome :D

I read about a couple of betas on the Firefox page, I bet that's what the betas are, maybe? :)
yardbird
@ Maniac

nice link