New Firefox security stymies most Web attacks, Mozilla claims

Mozilla delivers browser preview with 'Content Security Policy' spec that aims to help site and application developers separate legitimate content from the illicit

Mozilla has released a test build of Firefox that adds new technology designed to stymie most Web-based attacks, the browser maker said Sunday.

The technology, dubbed "Content Security Policy" (CSP), is a Mozilla-initiated specification targeted at Web site and application developers, who will be able to define which content on the site or in the online application is legitimate. That would block any script or malicious code that's been added by hackers who manage to compromise the site or app. Such attacks are generally tagged with the label of cross-site scripting (XSS).

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Preview editions of Firefox are available for developers to try out, said Mozilla in an announcement last week.

"This isn't a single trick that's meant to counter a single kind of attack," said Johnathan Nightingale, the manager of the Firefox front-end development team. "This helps sites solve cross-site scripting, but it's more than that. They now have a way to shut everything dynamic off, so that no matter what content gets added to a site, if it's on the page and they've sent us policy instructions in its header, we shut it down."

Firefox is passing the baton to site and application developers, who will be able to separate the legitimate from the illicit content. With CSP in place, Firefox will allow the former but will automatically block the latter.

"It is in some ways similar to NoScript," said Brandon Sterne, Mozilla's security program manager, referring to the popular Firefox add-on that blocks JavaScript, Java, Flash, and other plug-ins often abused by hackers. "The main difference is that the Web site itself is determining the policy. NoScript is a great tool, but a large number of Web users are not sophisticated enough to manage the kind of decisions it requires."

Nightingale and Sterne have pinned high hopes on CSP, which grew out of an idea first put forward by security researcher Robert "rsnake" Hansen in 2005. Last year, Hansen, the CEO of SecTheory, and Jeremiah Grossman, chief technology officer at WhiteHat Security, made headlines when they revealed details about how browsers were vulnerable to so-called "clickjacking" attacks.

"Absolutely, this will drive a stake through the heart of cross-site scripting attacks," argued Sterne. "An attacker injects some script that harms the users of that site, that encompasses content injection. Out of the box, CSP [lets sites send] signals to the browser that says, 'We're gonna turn off everything by default.' Cross-site scripting will be neutered at that point."

But Nightingale and Sterne realize that, even with nearly a quarter of the world's Internet users running Firefox, Mozilla faces a tough road if it's the only browser maker pushing CSP.

"Both the Internet Explorer and Chrome teams have contributed to the design discussions of the specification," said Sterne. "They have some tentative interest in implementing it at some point in the future."