New Firefox security technology blocks Web attacks, Mozilla claims

Delivers browser preview with 'Content Security Policy' spec, hopes rivals follow its lead

Mozilla has released a test build of Firefox that adds new technology designed to stymie most Web-based attacks, the browser maker said Sunday.

The technology, dubbed "Content Security Policy" (CSP), is a Mozilla-initiated specification targeted at Web site and application developers, who will be able to define which content on the site or in the online application is legitimate. That would block any script or malicious code that's been added by hackers who manage to compromise the site or app. Such attacks are generally classified as cross-site scripting (XSS).

Preview editions of Firefox are available for developers to try out, said Mozilla in an announcement last week.

"This isn't a single trick that's meant to counter a single kind of attack," said Johnathan Nightingale, the manager of the Firefox front-end development team. "This helps sites solve cross-site scripting, but it's more than that. They now have a way to shut everything dynamic off, so that no matter what content gets added to a site, if it's on the page and they've sent us policy instructions in its header, we shut it down."

Firefox is passing the baton to site and application developers, who will be able to separate the legitimate from the illicit content. With CSP in place, Firefox will allow the former but will automatically block the latter.
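To make the mechanism concrete, here is an added example (written for this page, not code from the article, from Mozilla, or from the Firefox preview) that models the decision a CSP-aware browser makes for each script on a page: the site sends a policy in a response header, and the browser allows a script only if the policy lists its source. It uses the later standardized `Content-Security-Policy` header grammar (`script-src 'self' https://cdn.example.com`), which is an assumption; the 2009 Firefox preview used an earlier header name and syntax, and the host names are constructed for illustration. Path and port matching are deliberately left out.

```javascript
// Added example: a minimal model of a browser's CSP script decision.
// Header grammar follows standardized CSP (assumption: the 2009 preview's
// syntax differed). Hosts below are constructed sample values.

// Parse "directive src src; directive src" into Map(directive -> [sources]).
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// script-src governs scripts; default-src is the fallback. With neither
// present, the policy places no restriction on scripts at all.
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Match one host-source expression (optional scheme, optional "*." wildcard)
// or a scheme-source such as "https:" against the script's URL.
function hostSourceMatches(source, target, page) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return target.protocol === source.toLowerCase(); // scheme-source
  }
  let scheme = null;
  let hostPart = source;
  const idx = source.indexOf('://');
  if (idx !== -1) {
    scheme = source.slice(0, idx);
    hostPart = source.slice(idx + 3);
  }
  // Scheme must match when given; otherwise the page's own scheme is assumed.
  const wantedScheme = (scheme || page.protocol.replace(':', '')).toLowerCase();
  if (target.protocol.replace(':', '') !== wantedScheme) return false;
  const host = hostPart.split('/')[0].split(':')[0].toLowerCase(); // no path/port matching
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".example.com"
    return target.hostname.endsWith(suffix) && target.hostname.length > suffix.length;
  }
  return target.hostname === host;
}

// Decide whether a script on a page served from pageOrigin may run.
// `script` is either { inline: true } or { src: 'https://host/file.js' }.
function isScriptAllowed(headerValue, pageOrigin, script) {
  const sources = scriptSources(parsePolicy(headerValue));
  if (sources === null) return true;             // no policy: legacy behaviour
  if (sources.includes("'none'")) return false;  // everything dynamic shut off

  if (script.inline) {
    // Inline script (the classic injected payload) runs only if the site
    // explicitly opted back in; a whitelist of hosts never covers it.
    return sources.includes("'unsafe-inline'");
  }

  const target = new URL(script.src);
  const page = new URL(pageOrigin);
  for (const source of sources) {
    if (source === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    if (source.startsWith("'")) continue;        // other keywords not modelled
    if (source === '*') return true;
    if (hostSourceMatches(source, target, page)) return true;
  }
  return false;
}

// Stand-alone demonstration with a constructed policy and page origin.
if (typeof require !== 'undefined' && require.main === module) {
  const policy = "default-src 'self'; script-src 'self' https://cdn.example.com";
  const page = 'https://www.example.com';
  console.log('inline script  ->', isScriptAllowed(policy, page, { inline: true }));
  console.log('own script     ->', isScriptAllowed(policy, page, { src: 'https://www.example.com/app.js' }));
  console.log('cdn script     ->', isScriptAllowed(policy, page, { src: 'https://cdn.example.com/lib.js' }));
  console.log('foreign script ->', isScriptAllowed(policy, page, { src: 'https://evil.example.net/x.js' }));
}

module.exports = { parsePolicy, scriptSources, isScriptAllowed };
```

The point the quotes make shows up in the first call: with `script-src 'self'` and no `'unsafe-inline'`, an inline script is refused regardless of what it contains, so script injected into the page body never runs, while the site's own and CDN-hosted scripts keep working. Removing the directive entirely (an empty header) returns the browser to legacy behaviour, which is why the policy has to be sent by the site rather than guessed by the browser.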

"It is in some ways similar to NoScript," said Brandon Sterne, Mozilla's security program manager, referring to the popular Firefox add-on that blocks JavaScript, Java, Flash and other plug-ins often abused by hackers. "The main difference is that the Web site itself is determining the policy. NoScript is a great tool, but a large number of Web users are not sophisticated enough to manage the kind of decisions it requires."

Nightingale and Sterne have pinned high hopes on CSP, which grew out of an idea first put forward by security researcher Robert "rsnake" Hansen in 2005. Last year, Hansen, the CEO of SecTheory, and Jeremiah Grossman, chief technology officer at WhiteHat Security, made headlines when they revealed details about how browsers were vulnerable to so-called "clickjacking" attacks.

"Absolutely, this will drive a stake through the heart of cross-site scripting attacks," argued Sterne. "An attacker injects some script that harms the users of that site, that encompasses content injection. Out of the box, CSP [lets sites send] signals to the browser that says, 'We're gonna turn off everything by default.' Cross-site scripting will be neutered at that point."

But Nightingale and Sterne realize that, even with nearly a quarter of the world's Internet users running Firefox, Mozilla faces a tough road if it's the only browser maker pushing CSP.

"Both the Internet Explorer and Chrome teams have contributed to the design discussions of the specification," said Sterne. "They have some tentative interest in implementing it at some point in the future."

Earlier this year, Eric Lawrence, a program manager on Microsoft's Internet Explorer (IE) team, called CSP "a good idea" and "a promising approach" in a pair of entries on the official IE blog, but did not commit Microsoft to supporting the technology.

"It's great to see that others are taking this threat seriously, as well," said Sterne.

Google, the maker of Chrome, was not available over the weekend, but the company has previously said it generally doesn't comment on future product development.

Mozilla must also convince site and application developers that it's worth their while to use CSP. Nightingale and Sterne declined to name the sites that have expressed interest in using the technology.

"The first step is for us to use it," said Nightingale, adding that Mozilla would turn one of its online properties into a guinea pig to show others that CSP is possible, and to iron out problems.

The pair was also vague about when CSP would debut in a production version of Firefox. The one thing they did say was that it wouldn't show up in the minor upgrade, Firefox 3.6, that's to ship in November. The first, and likely only, beta of Firefox 3.6 is slated to ship Oct. 13.

"Whatever comes after 3.6, that's the earliest," said Sterne.

Mozilla isn't the only browser maker trying to protect users from cross-site scripting attacks. Microsoft, for example, added a cross-site scripting filter to IE8 that the company said would block most attacks.

Preview builds of Firefox with CSP enabled can be downloaded for Windows, Windows Mobile, Mac and Linux from Mozilla's server. Sterne has also posted a demonstration page that graphically shows how various scripts are blocked by the technology.


Gregg Keizer

Computerworld (US)