Mozilla has released a preview build of Firefox that implements its new Content Security Policy (CSP) specification, a framework designed to let site owners protect their visitors against common Web-based attacks.
The CSP specification is Mozilla's effort to give Web site operators a simpler way to protect their sites against cross-site scripting (XSS) and related attacks. XSS, in which an attacker gets a victim's browser to run script injected into a vulnerable page, is one of the most common attacks against Web applications and has become a thorny problem for site owners. Brandon Sterne, Mozilla's security program manager, said in a blog post that the builds are still a bit rough but give a good idea of how CSP will be fitted into the browser.
We would like to encourage any server administrators or web app security researchers who are interested in this project to grab a preview Firefox build and help us test the new features. Please be aware that there are still a few rough spots. The implementation is not quite complete so you may notice some small gaps between the preview builds and the spec. Most notably, HTTP redirects are not yet handled by CSP (but will be soon).
CSP gives site administrators the ability to declare, in a policy the server sends along with each page, which sources the browser may load each type of content (scripts, images, stylesheets, frames, plug-in objects) from. Content from any source not on the list is not loaded, so an injected script tag pointing at an attacker's server simply fails, which is a more granular defense than trying to sanitize every input on the site.
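To make the per-content-type source lists concrete, and to show why the unhandled HTTP redirects that Sterne's post mentions matter, here is a small policy evaluator. It is an added example written for this article, not Mozilla's implementation or any browser's code. It uses the directive names of the later standardized CSP (default-src, script-src, img-src, object-src), not the exact syntax of the 2009 draft, and it simplifies matching: no path matching, and ports are compared only as exact values or scheme defaults. The policy header and URLs are constructed for illustration.

```javascript
// Added example, not Mozilla's code: a minimal CSP source-list evaluator.
// Assumptions: standardized directive names (default-src, script-src, ...),
// no path matching, simplified port handling.

function defaultPort(protocol) {
  return protocol === 'http:' ? '80' : protocol === 'https:' ? '443' : '';
}

// Parse "script-src 'self' https://cdn.example.com; img-src *" into a Map of
// directive name -> array of source expressions.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression permit loading resourceUrl from a page at pageOrigin?
function sourceMatches(source, pageOrigin, resourceUrl) {
  const res = new URL(resourceUrl);
  const page = new URL(pageOrigin);
  const resPort = res.port || defaultPort(res.protocol);
  const pagePort = page.port || defaultPort(page.protocol);

  if (source === "'none'") return false;
  if (source === "'self'") {
    return res.protocol === page.protocol &&
      res.hostname === page.hostname && resPort === pagePort;
  }
  if (source.startsWith("'")) return false; // other keywords never match a URL
  if (source === '*') return true;
  // Scheme-only source, e.g. "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return res.protocol.toLowerCase() === source.toLowerCase();
  }
  // Host source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (res.protocol.toLowerCase() !== scheme.toLowerCase() + ':') return false;
  } else if (!(res.protocol === page.protocol ||
               (page.protocol === 'http:' && res.protocol === 'https:'))) {
    return false; // no scheme given: inherit the page's scheme (http may upgrade)
  }
  const h = host.toLowerCase();
  if (wildcard) {
    if (!res.hostname.endsWith('.' + h)) return false; // *.example.com needs a subdomain
  } else if (res.hostname !== h) {
    return false;
  }
  if (port && port !== '*') return resPort === port;
  if (!port) return resPort === defaultPort(res.protocol); // no port: default only
  return true;
}

// Fall back to default-src when the specific directive is absent; with no
// governing directive at all the load is unrestricted.
function isAllowed(policy, directive, pageOrigin, resourceUrl) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (!sources) return true;
  return sources.some((src) => sourceMatches(src, pageOrigin, resourceUrl));
}

// The redirect caveat: every hop must be permitted, otherwise a listed host
// that redirects to an unlisted one would smuggle content past the policy.
function isRedirectChainAllowed(policy, directive, pageOrigin, chain) {
  return chain.every((url) => isAllowed(policy, directive, pageOrigin, url));
}

// Constructed sample policy and page, for illustration only.
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *; object-src 'none'";
const SAMPLE_PAGE = 'https://shop.example.com';
const samplePolicy = parsePolicy(SAMPLE_HEADER);

console.log('cdn script  :', isAllowed(samplePolicy, 'script-src', SAMPLE_PAGE, 'https://cdn.example.com/app.js'));
console.log('rogue script:', isAllowed(samplePolicy, 'script-src', SAMPLE_PAGE, 'https://evil.example.net/x.js'));
console.log('redirected  :', isRedirectChainAllowed(samplePolicy, 'script-src', SAMPLE_PAGE,
  ['https://cdn.example.com/a.js', 'https://evil.example.net/b.js']));
```

The last call is the case the preview build did not yet cover: the first URL passes the script-src list, but following the redirect to an unlisted host would hand the attacker a script load unless the policy is re-applied at every hop.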