Pete Freitag

Firefox Aurora now Supports Content Security Policy 1.0

Updated on December 07, 2023
By Pete Freitag
web

Today, with the release of Mozilla Firefox Aurora 23, support for Content Security Policy (CSP) using the un-prefixed, W3C standard header Content-Security-Policy has landed. Firefox has had experimental support for CSP since Firefox 4, using the header X-Content-Security-Policy. Google Chrome has supported the standard Content-Security-Policy header since earlier this year; before that you had to use the X-Webkit-CSP header.

What is Content-Security-Policy?

CSP allows you to specify a policy via an HTTP response header that dictates how additional content can be loaded. You can use CSP to dictate how and where JavaScript, CSS, images, and pretty much anything else you can embed in an HTML document is loaded. When CSP is in place, and the victim is using a browser that supports CSP, it makes it very difficult for a Cross Site Scripting (XSS) attack to succeed.

Here's a quick example that requires all JavaScript to be loaded from the same origin as the current page ('self' in CSP lingo), or from js.example.com:

Content-Security-Policy: script-src 'self' js.example.com;

Now if an attacker tries to load a script like this:

<script src="https://hacker.example.net/hack.js"></script>

The browser will block the script from loading. By default, Content-Security-Policy will also prevent inline scripts from running in the page. You can allow them by adding 'unsafe-inline', but then you lose much of the benefit of CSP. CSP 1.1 adds an experimental nonce source ('nonce-...') that allows you to whitelist specific inline scripts.
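To make the blocking decision above concrete, here is an added example (not code from the original post) that models, in a simplified way, how a browser evaluates the script-src directive of a Content-Security-Policy header. It handles 'self', host sources with an optional scheme and a leading "*." wildcard, 'unsafe-inline', and the CSP 1.1 'nonce-...' source the post mentions. The page origin https://www.example.com, the nonce value abc123 and the function names are assumptions for the example; real browsers implement more (path matching, 'unsafe-eval', report-uri, and further fallback rules), so treat this as a teaching model rather than a spec-complete implementation.

```javascript
// Parse "script-src 'self' js.example.com; img-src *" into
// { "script-src": ["'self'", "js.example.com"], "img-src": ["*"] }
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Host pattern match: exact host, "*" (any host) or "*.example.com" (subdomains only)
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit loading `url` into a page served from `pageOrigin`?
function sourceAllows(source, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  if (source === "'self'") return target.origin === page.origin;
  // Keyword sources ('none', 'unsafe-inline', 'nonce-...') never match a URL
  if (source.startsWith("'")) return false;
  // Host source: [scheme://]host[:port]; without a scheme, the page's scheme is required
  let scheme = page.protocol;
  let hostPort = source;
  const idx = source.indexOf('://');
  if (idx !== -1) {
    scheme = source.slice(0, idx) + ':';
    hostPort = source.slice(idx + 3);
  }
  const [hostPattern, port] = hostPort.split(':');
  if (scheme !== target.protocol) return false;
  if (port && port !== '*' && port !== target.port) return false;
  return hostMatches(hostPattern.toLowerCase(), target.hostname.toLowerCase());
}

// Pick the governing source list: script-src, else default-src, else unrestricted
function scriptSources(header) {
  const policy = parsePolicy(header);
  return policy['script-src'] || policy['default-src'] || null;
}

// External script: allowed if any source expression in the list matches its URL
function scriptAllowed(header, pageOrigin, url) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  return sources.some((s) => sourceAllows(s, url, pageOrigin));
}

// Inline script: blocked unless 'unsafe-inline' is present or its nonce attribute matches
function inlineScriptAllowed(header, nonceAttr) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  if (sources.includes("'unsafe-inline'")) return true;
  return Boolean(nonceAttr) && sources.includes(`'nonce-${nonceAttr}'`);
}

// The policy from the post, evaluated for a page at an assumed origin
const POLICY = "script-src 'self' js.example.com";
const PAGE = 'https://www.example.com';

console.log(scriptAllowed(POLICY, PAGE, 'https://hacker.example.net/hack.js')); // false: blocked
console.log(scriptAllowed(POLICY, PAGE, 'https://www.example.com/app.js'));    // true: 'self'
console.log(scriptAllowed(POLICY, PAGE, 'https://js.example.com/lib.js'));     // true: listed host
console.log(scriptAllowed(POLICY, PAGE, 'http://js.example.com/lib.js'));      // false: scheme differs
console.log(inlineScriptAllowed(POLICY));                                      // false: no 'unsafe-inline'
console.log(inlineScriptAllowed("script-src 'self' 'nonce-abc123'", 'abc123')); // true: nonce matches
```

The scheme check is why a plain host source such as js.example.com, listed on an HTTPS page, does not permit the same host over plain HTTP; and the inline check is why the post recommends a nonce over 'unsafe-inline', since only a script carrying the server-issued nonce value is admitted.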

I created a quick, handy CSP reference at content-security-policy.com.



Tags: security, xss, csp, content-security-policy, firefox, chrome

Firefox Aurora now Supports Content Security Policy 1.0 was first published on May 31, 2013.
