With Content Security Policy (CSP), Mozilla has been working on a technology that gives web administrators and website owners a mechanism for telling the browser which of the content a site serves is legitimate. Cross-site scripting (XSS) is an attack in which an attacker injects code into a webpage through vulnerabilities, or via improperly filtered and sanitized form input. With CSP, the website identifies the content it trusts, and the browser ignores any additional code.
“In order to differentiate legitimate content from injected or modified content, CSP requires that all JavaScript for a page be 1) loaded from an external file, and 2) served from an explicitly approved host. This means that all inline script, javascript: URIs, and event-handling HTML attributes will be ignored. Only script included via a <script> tag pointing to a white-listed host will be treated as valid. Additionally, CSP allows several other common-sense security restrictions to be enforced,” Sterne noted in mid-2009.

Any server administrators or web app security researchers that want to try the anti-XSS Content Security Policy enhancements of Firefox 3.7 are able to do so by grabbing the preview builds from Mozilla’s FTP servers. Mozilla is currently laboring to offer Firefox 3.6 in November of this year, with Firefox 3.7 planned for availability in the first half of 2010, ahead of Firefox 4.0.
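To make the rules in the quote concrete, the following added example (not code from the article or from Mozilla) models the early CSP script rules: it parses the approved hosts from a script-src directive, then decides for each script on a page whether the browser would execute it. The policy string, the page origin and the script list are constructed sample values.

```javascript
// Parse the approved-host list from a CSP header value such as
// "default-src 'self'; script-src 'self' https://cdn.example.com" (constructed).
function parseScriptSrc(csp, pageOrigin) {
  const directive = csp.split(';').map(s => s.trim())
    .find(s => s.startsWith('script-src'));
  if (!directive) return [];
  return directive.split(/\s+/).slice(1).map(src => {
    if (src === "'self'") return pageOrigin.toLowerCase();
    try { return new URL(src).origin.toLowerCase(); } catch { return src.toLowerCase(); }
  });
}

// A script as the HTML parser sees it: inline body, event-handler attribute,
// javascript: URI, or external src. Under the rules quoted above only an
// external script from an approved host may run; everything else is ignored.
function isAllowedScript(el, approvedHosts, pageOrigin) {
  if (el.kind !== 'external') return false;           // inline / onclick= / etc.
  let origin;
  try { origin = new URL(el.src, pageOrigin).origin.toLowerCase(); }
  catch { return false; }                             // unparsable src
  return approvedHosts.includes(origin);              // javascript: gives origin "null"
}

function evaluatePage(csp, pageOrigin, scripts) {
  const hosts = parseScriptSrc(csp, pageOrigin);
  return scripts.map(s => ({ ...s, allowed: isAllowedScript(s, hosts, pageOrigin) }));
}

// Constructed sample page: two injected-style scripts, one javascript: URI,
// one same-origin file, one third-party file, one script from the approved CDN.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const SAMPLE_ORIGIN = 'https://www.example.com';
const SAMPLE_SCRIPTS = [
  { kind: 'inline',   code: 'alert(document.cookie)' },
  { kind: 'event',    attr: 'onclick', code: 'alert(1)' },
  { kind: 'external', src: 'javascript:alert(1)' },
  { kind: 'external', src: '/static/app.js' },
  { kind: 'external', src: 'https://third-party.example.net/x.js' },
  { kind: 'external', src: 'https://cdn.example.com/lib.js' },
];

function demo() {
  return evaluatePage(SAMPLE_POLICY, SAMPLE_ORIGIN, SAMPLE_SCRIPTS).map(r => r.allowed);
}

console.log(demo()); // [ false, false, false, true, false, true ]
```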
softpedia