Firefox Aurora now Supports Content Security Policy 1.0
By Pete Freitag
Today, with the release of Mozilla Firefox Aurora 23, support for Content Security Policy (CSP) using the un-prefixed, W3C standard header Content-Security-Policy has landed. Firefox has had experimental support for CSP since Firefox 4, using the header X-Content-Security-Policy. Google Chrome has supported the standard Content-Security-Policy header since earlier this year; prior to that you had to use a
What is Content-Security-Policy?
'self' in CSP lingo), or from cdn.example.com:
Content-Security-Policy: script-src 'self' js.example.com;
Now if an attacker tries to load a script like this:
The browser will block the script from loading. Content-Security-Policy will also, by default, prevent inline scripts from running in the page. You can allow them by adding unsafe-inline, but then you lose much of the benefit of CSP. In CSP 1.1 there is an experimental directive called nonce which allows you to whitelist specific inline scripts.
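To make the blocking behaviour concrete, here is an added example (not code from the original post, and not a browser's real implementation) that evaluates a script-src policy the way the post describes: a simplified JavaScript evaluator that parses the header value, treats 'self' as the page's origin, matches a bare host such as js.example.com against external script URLs, blocks inline scripts unless 'unsafe-inline' or a matching 'nonce-...' source is present, and falls back to default-src when script-src is absent. The page origin, the attacker URL and the nonce value are constructed sample inputs; the real CSP matching algorithm (scheme-sources, wildcard hosts, path matching, and the CSP2 rule that a nonce disables 'unsafe-inline') is deliberately omitted.

```javascript
// Added, simplified model of CSP script-src evaluation. Not the browser's
// algorithm: it only covers 'self', bare host-sources, 'unsafe-inline' and
// 'nonce-<value>', which is enough to show why the post's policy blocks an
// injected script while still allowing the site's own and js.example.com's.

// Parse a header value such as "script-src 'self' js.example.com;" into
// { "script-src": ["'self'", "js.example.com"] }. A leading
// "Content-Security-Policy:" header name is tolerated and stripped.
function parsePolicy(headerValue) {
  const value = headerValue.replace(/^content-security-policy:\s*/i, "");
  const policy = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment after a trailing ';'
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// scheme://host[:port] of a URL; default ports are dropped by URL.host.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one source expression match an external script URL?
function hostSourceMatches(source, scriptUrl, pageOrigin) {
  if (source === "'self'") return originOf(scriptUrl) === pageOrigin;
  if (source.startsWith("'")) return false; // keyword and nonce sources never match URLs
  // Simplification: a bare host (js.example.com) takes the page's scheme.
  const candidate = source.includes("://")
    ? source
    : `${new URL(pageOrigin).protocol}//${source}`;
  return originOf(scriptUrl) === originOf(candidate);
}

// `script` is { src: "https://..." } for an external script, or
// { inline: true, nonce: "..." } for an inline <script> block.
function isScriptAllowed(policy, pageOrigin, script) {
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true; // no script-src and no default-src: scripts unrestricted
  if (script.inline) {
    if (sources.includes("'unsafe-inline'")) return true;
    // CSP 1.1 nonce: the inline block must carry exactly the nonce the policy names.
    return script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`);
  }
  return sources.some((s) => hostSourceMatches(s, script.src, pageOrigin));
}

// Walk the post's policy through the cases it describes. Constructed inputs:
// the page lives at https://example.com; attacker.invalid is a placeholder host.
function demo() {
  const pageOrigin = "https://example.com";
  const postPolicy = parsePolicy("Content-Security-Policy: script-src 'self' js.example.com;");
  const noncePolicy = parsePolicy("script-src 'self' 'nonce-d2ViCg'");
  const unsafePolicy = parsePolicy("script-src 'self' 'unsafe-inline'");
  return {
    sameOrigin: isScriptAllowed(postPolicy, pageOrigin, { src: "https://example.com/app.js" }),
    allowedCdn: isScriptAllowed(postPolicy, pageOrigin, { src: "https://js.example.com/lib.js" }),
    injected: isScriptAllowed(postPolicy, pageOrigin, { src: "https://attacker.invalid/x.js" }),
    inlineBlocked: isScriptAllowed(postPolicy, pageOrigin, { inline: true }),
    inlineWithNonce: isScriptAllowed(noncePolicy, pageOrigin, { inline: true, nonce: "d2ViCg" }),
    inlineWrongNonce: isScriptAllowed(noncePolicy, pageOrigin, { inline: true, nonce: "other" }),
    inlineUnsafe: isScriptAllowed(unsafePolicy, pageOrigin, { inline: true }),
  };
}

console.log(demo());
```

Running it prints an object in which only the same-origin script, the js.example.com script, the correctly nonced inline block and the 'unsafe-inline' case are true; the injected script and the un-nonced inline block are false, which is the behaviour the post describes. The nonce case also shows why a nonce has to be unpredictable and generated per response: the policy only helps if an attacker who injects markup cannot guess the value to attach to their own script block.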
I created a quick handy CSP reference at content-security-policy dot com
Firefox Aurora now Supports Content Security Policy 1.0 was first published on May 31, 2013.