Firefox 4, the newest version of Mozilla’s flagship browser slated for release today, includes a variety of security and privacy protections, but perhaps the most important of them is the addition of the Content Security Policy. The mechanism, which is enabled by default in Firefox 4, is designed to help prevent widespread Web attacks such as cross-site scripting and data injection.
The addition of Content Security Policy is an important update to Firefox, as it gives users a default protection against some of the most commonly seen Web-based attack. The mechanism relies on cooperation between the user’s browser and the Web server on the other end to prevent malicious content from being loaded by the browser. Site administrators can enable CSP on their servers by adding a simple piece of code to the HTTP header.
In its documentation on CSP, Mozilla says that the new browser defense not only can help stop XSS attacks, but also can protect users against clickjacking attacks and packet sniffing, as well as other Web-based threats.
“The primary goal of CSP is to mitigate and report XSS attacks. XSS
attacks exploit the browser’s trust of the content received from the
server. Malicious scripts are executed by the victim’s browser because
the browser trusts the source of the content, even when it’s not coming
from where it seems to be coming from,” Mozilla says in its documentation on CSP. “CSP makes it possible for server administrators to reduce or
eliminate the vectors by which XSS can occur by specifying the domains
that the browser should consider to be valid sources of executable
scripts. A CSP compatible browser will then only execute scripts loaded
in source files received from those whitelisted domains, ignoring all
other script (including inline scripts and event-handling
HTML attributes).
As an ultimate form of protection, sites that want to never allow
scripts to be executed can opt to globally disallow script execution.”
Mozilla officials first began talking about the addition of CSP to Firefox as far back as late 2009, when they released a preview build of the browser that included CSP. Some sites already support CSP, and Mozilla security officials said they expect the number of sites that are on board to increase rapidly once Firefox 4 becomes widely deployed.
“We expect Content Security Policy to be widely adopted very quickly. There are popular commercial websites like Twitter who are already using it, and there are CSP plugins for many of the popular content management systems like WordPress, Django and Drupal. If this works out according to plan, the curtain will soon be coming down on a broad range of nasty web bugs!” Mozilla’s Brandon Sterne said in a blog post on the addition of CSP to Firefox.
Mozilla has spent an unusually long time on the development of Firefox 4, having released the first beta version last summer. The organization has pushed out a number of other betas since then. The release of Firefox 4 comes just a week after Microsoft debuted Internet Explorer 9, the newest version of its own premier browser. IE 9 also includes some additional security and privacy protections, most notably browser Tracking Protection.