Firefox Aurora now Supports Content Security Policy 1.0
Today with the release of Mozilla Firefox Aurora 23, support for Content Security Policy or CSP using the unprefixed, W3C standard header
Content-Security-Policy has landed. Firefox has had experimental support for CSP since FireFox 4, using the header
X-Content-Security-Policy. Google Chrome has supported the standard
Content-Security-Policy header since earlier this year, prior to that you had to use a
What is Content-Security-Policy?
'self' in CSP lingo), or from cdn.example.com:
Content-Security-Policy: script-src 'self' js.example.com;
Now if an attacker tries to load a script like this:
The browser will block the script from loading. Content-Security-Policy will also by default prevent inline scripts from loading in the page, you can allow them by adding
unsafe-inline but then you loose much of the benefits of CSP. In CSP 1.1 there is an experimental directive called
nonce which allows you to whitelist certain inline scripts.
I created a quick handy CSP reference at content-security-policy.com
Like this? Follow me ↯Tweet Follow @pfreitag
Firefox Aurora now Supports Content Security Policy 1.0 was first published on May 31, 2013.
If you like reading about security, xss, csp, content-security-policy, firefox, or chrome then you might also like:
- One liner to download a Browser with PowerShell on Windows Server
- Sessions don't work in Chrome but do in IE
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- HackMyCF Scanner Updated
- Using AntiSamy with ColdFusion
- Cross Domain Data Theft using CSS
- Risks of FCKeditor Vulnerability in ColdFusion 8
- Firefox 3.5 Introduces Origin Header, Security Features
Want Security Advisories via Email?
Advisory Week is a new weekly email containing security advisories published by major software vendors (Adobe, Apple, Microsoft, etc).