Firefox Aurora now Supports Content Security Policy 1.0

May 31, 2013
web

Today, with the release of Mozilla Firefox Aurora 23, support for Content Security Policy (CSP) using the unprefixed, W3C standard header Content-Security-Policy has landed. Firefox has had experimental support for CSP since Firefox 4, using the header X-Content-Security-Policy. Google Chrome has supported the standard Content-Security-Policy header since earlier this year; prior to that you had to use an X-Webkit-CSP header.

What is Content-Security-Policy?

CSP allows you to specify a policy via an HTTP response header that dictates how additional content can be loaded. You can use CSP to dictate how and where JavaScript, CSS, images, and pretty much anything else you can embed into an HTML document is loaded. When CSP is in place, and the victim is using a browser that supports CSP, it makes it very difficult for a Cross Site Scripting (XSS) attack to be successful.

Here's a quick example that requires all JavaScript to be loaded from the same origin as the current page ('self' in CSP lingo), or from js.example.com:

Content-Security-Policy: script-src 'self' js.example.com;

Now if an attacker tries to load a script like this:

<script src="http://hacker.example.net/hack.js"></script>

The browser will block the script from loading. Content-Security-Policy will also, by default, prevent inline scripts from running in the page. You can allow them by adding 'unsafe-inline', but then you lose much of the benefit of CSP. In CSP 1.1 there is an experimental directive called script-nonce which allows you to whitelist certain inline scripts.
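To make the matching rules concrete, here is an added example (not code from the original post) that parses a script-src policy like the one above and decides whether a given script load would be permitted. The function names are mine; the nonce check uses the 'nonce-...' source-expression form that later shipped in CSP 2 rather than the draft script-nonce directive mentioned above, and the page origin and script URLs are constructed sample values.

```python
import secrets
from urllib.parse import urlparse

def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_source_matches(source, script_url):
    """Match a host-source like js.example.com, *.example.com or https://cdn.example.com."""
    if source == "*":
        return True
    s = urlparse(source if "://" in source else "//" + source)
    u = urlparse(script_url)
    # a scheme or port written in the source expression must match the script URL
    if (s.scheme and s.scheme != u.scheme) or (s.port and s.port != u.port):
        return False
    host, target = (s.hostname or "").lower(), (u.hostname or "").lower()
    if host.startswith("*."):
        return target.endswith(host[1:])
    return host == target

def script_allowed(policy, page_origin, script_url=None, inline=False, nonce=None):
    """Decide whether a script load is permitted by script-src (falling back to default-src)."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:            # neither directive present: loads are unrestricted
        return True
    if inline:                     # inline <script>: needs 'unsafe-inline' or a matching nonce
        if "'unsafe-inline'" in sources:
            return True
        return nonce is not None and f"'nonce-{nonce}'" in sources
    for source in sources:
        if source == "'self'":
            u, p = urlparse(script_url), urlparse(page_origin)
            if (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port):
                return True
        elif not source.startswith("'") and host_source_matches(source, script_url):
            return True
    return False

def nonce_policy():
    """Build a per-response policy carrying a fresh nonce, as a server would emit it."""
    nonce = secrets.token_urlsafe(16)
    return nonce, f"script-src 'self' 'nonce-{nonce}'"
```

With the post's policy, hack.js from hacker.example.net is rejected while js.example.com and same-origin scripts pass, and an inline script only runs when the policy carries 'unsafe-inline' or the exact nonce emitted for that response.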

I created a quick handy CSP reference at content-security-policy.com
