Google has added another layer of security for users of Gmail on the desktop, which now supports Content Security Policy (CSP), a standard that’s designed to help mitigate cross-site scripting and other common Web-based attacks.
CSP is a W3C standard that has been around for several years, and it’s been supported in a number of browsers for some time. Mozilla has supported CSP since Firefox 4 and the technology is effective at defending against XSS attacks, but one of the issues with it has been that not many sites have supported it. It’s also difficult to implement properly, experts say.
Earlier this year researchers from Northeastern University released a paper on CSP, looking at the question of why it isn’t more widely deployed at this point. Michael Weissbacher, one of the researchers, said that he was surprised CSP wasn’t more widely deployed, because the security benefits are clear.
“I looked into CSP deployments because it is effective against XSS and could solve lots of problems with web security,” Weissbacher explained to Threatpost. “So I was surprised to find that only a few websites used it, and those who did didn’t use it fully, marginalizing the benefits. I think it would help the web at large if more websites invest the effort to implement CSP.”
For Google, the benefits are clear. Gmail is very high on the list of targets for many kinds of attackers, from run-of-the-mill cybercriminals to APT groups to intelligence services. Gmail’s user base is enormous and includes people from all over the world, some of whom are prime targets themselves. Google has beefed up the security of the service several times in the last couple of years, providing HTTPS as the default connection option, adding a two-step verification option and now adding support for CSP.
“We know that the safety and reliability of your Gmail is super important to you, which is why we’re always working on security improvements like serving images through secure proxy servers, and requiring HTTPS. Today, Gmail on the desktop is becoming more secure with support for Content Security Policy (CSP),” Danesh Irani of Google wrote in a blog post.
“There are many great extensions for Gmail. Unfortunately, there are also some extensions that behave badly, loading code which interferes with your Gmail session, or malware which compromises your email’s security. Gmail’s CSP protects you, by stopping these extensions from loading unsafe code.”
XSS attacks are among the more common Web-based attacks, and many popular sites have been found to harbor XSS flaws in the last few years. Attackers can take advantage of these vulnerabilities to load malicious code from a remote site and compromise visitors to a legitimate site. CSP is designed to mitigate these attacks by letting site owners declare, in a response header, which origins the browser is allowed to load scripts from; script from anywhere else is blocked before it runs.
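As an added example (not code from the article or from Google), here is a small Python evaluator for the script-loading part of a CSP header: it shows how `script-src` (with `default-src` as the fallback) decides which origins the browser may fetch scripts from, and flags the settings that leave a policy “not used fully”, as Weissbacher put it. Function names such as `script_allowed` are my own; ports, paths, nonces and hashes are deliberately left out of the matcher.

```python
# Added example, not code from the article or from Google: simplified CSP script-src evaluator.
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}; a repeated directive is ignored."""
    policy = {}
    for tokens in (part.split() for part in header.split(";")):
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _script_sources(policy):
    """script-src governs scripts; default-src is the fallback; None if neither is set."""
    sources = policy.get("script-src", policy.get("default-src"))
    return None if sources is None else [s.lower() for s in sources]

def _source_allows(src, page, script):
    """Does one source expression permit loading `script` from `page`?"""
    if src == "'self'":
        return (script.scheme, script.netloc) == (page.scheme, page.netloc)
    if src.startswith("'"):                  # other keywords, nonces, hashes: no host match
        return False
    if src.endswith(":"):                    # scheme-source such as 'https:'
        return script.scheme == src[:-1]
    scheme, hostport = src.split("://", 1) if "://" in src else (page.scheme, src)
    host = hostport.split("/", 1)[0].split(":")[0]   # ports and paths ignored here
    if scheme != script.scheme:
        return False
    if host.startswith("*."):                # '*.example.com' matches subdomains only
        return (script.hostname or "").endswith(host[1:])
    return host == "*" or host == script.hostname

def script_allowed(header, page_url, script_url=None):
    """True if the policy lets the page load script_url (None means an inline script)."""
    sources = _script_sources(parse_csp(header))
    if sources is None:                      # no governing directive: browser applies no limit
        return True
    if "'none'" in sources:
        return False
    if script_url is None:
        return "'unsafe-inline'" in sources
    page, script = urlsplit(page_url), urlsplit(script_url)
    return any(_source_allows(s, page, script) for s in sources)

def weak_script_sources(header):
    """Source expressions that leave script-src porous against injected scripts."""
    sources = _script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: scripts may load from anywhere"]
    return [s for s in sources if s in ("'unsafe-inline'", "*", "http:", "https:", "data:")]
```

Run `weak_script_sources` over a site's own header to see whether it has the strict form (`'self'` plus a short allow-list) or the permissive form that defeats the point of deploying CSP.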