Mozilla to Implement the Content Security Policy

The new Content Security Policy introduced by Mozilla is meant to counter cross-site scripting (XSS) attacks by letting sites define rules that restrict which web content browsers will trust.

Many websites have been compromised over the past years because of insufficient protection against XSS, which allowed attackers to take advantage of the weaknesses and inject rogue IFrames and other code into their pages.
Such IFrames have been used even on large websites to attack visitors, so Mozilla came up with a new mechanism that websites can apply to let browsers know which content is safe and can be accepted.

Applying this specification would bring major changes at the JavaScript level compared with how today’s websites work. One of them is that only JavaScript code loaded from external files would be trusted, which would make XSS attacks less effective. Secondly, according to the new specification, websites would be able to identify the trusted hosts from which JavaScript code is loaded.

How would this affect large websites? According to Mozilla, developers will have to spend more on implementation, which is why they will need to adopt the specification gradually, until programmers manage to move all the JavaScript code into external files.
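As an added illustration (not code from Mozilla or from the original article), the following Node.js script inventories the markup a site would have to change under the two rules described above: inline script code, and script files served from hosts outside the trusted list. The host names and the sample page are constructed, and `auditScripts` is a hypothetical helper name.

```javascript
// Added example (not Mozilla's code): list the markup that would stop working
// under the two rules above. Hosts and sample HTML are constructed.
// Regex scanning is a heuristic, adequate for a first inventory of a code base.
const TRUSTED_HOSTS = new Set(["www.example.com", "static.example.com"]);
const PAGE_URL = "https://www.example.com/index.html";

function auditScripts(html, trustedHosts = TRUSTED_HOSTS, pageUrl = PAGE_URL) {
  const findings = [];
  // Rule 1: script code must come from an external file, so inline bodies are flagged.
  // Rule 2: that file must be served by a host the site has declared trusted.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (!src) {
      if (body.trim()) findings.push({ kind: "inline-script", detail: body.trim().slice(0, 40) });
      continue;
    }
    const url = src[1] ?? src[2] ?? src[3];
    let host = null;
    try { host = new URL(url, pageUrl).hostname; } catch { /* unparsable URL: untrusted */ }
    if (!host || !trustedHosts.has(host)) findings.push({ kind: "untrusted-host", detail: url });
  }
  // Inline event handlers (onclick=, onload=, ...) are inline code as well.
  // Script bodies are blanked first so handler-like text inside them is not counted.
  const markup = html.replace(scriptRe, "<script></script>");
  for (const [tag] of markup.matchAll(/<[a-z][^>]*>/gi)) {
    for (const [, name] of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: "inline-handler", detail: name.toLowerCase() });
    }
  }
  return findings;
}

// Constructed sample page: two compliant scripts and four violations.
const SAMPLE = `
<script src="/js/app.js"></script>
<script src="https://static.example.com/lib.js"></script>
<script>document.write("hello");</script>
<script src="http://ads.example.net/track.js"></script>
<body onload="init()"><a href="#" onclick="go()">go</a></body>`;

console.log(auditScripts(SAMPLE));
```

Each finding is one item of migration work: an inline block or handler to move into an external file, or a script host to either add to the trusted list or stop loading from.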

These are only the general aspects mentioned by Mozilla. The new technology will be implemented in the near future and included in upcoming Firefox releases.
