Avast WEBforum

Other => General Topics => Topic started by: polonus on February 02, 2009, 05:46:29 PM

Title: Content Security Policy for Fx get accustomed to it now....
Post by: polonus on February 02, 2009, 05:46:29 PM
Hi malware fighters,

The last 3 years have seen a dramatic increase in both awareness and exploitation of Web Application Vulnerabilities. 2008 has seen dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc.

CSP is a new policy introduced inside the Fx and Flock browser to get accustomed to the idea and a proof-of-concept.....
To read more about this initiative:
http://people.mozilla.org/~bsterne/content-security-policy/index.html

To download and install into your browser: http://people.mozilla.org/~bsterne/content-security-policy/content-security-policy.xpi
or rather and safely so: https://addons.mozilla.org/nl/firefox/addon/7478

You can toggle the add-on off and on where it sits in the browser, and Content Security Policy will be fully backward compatible and will not affect sites or browsers which don't support it. Non-supporting browsers will disregard the Content Security Policy header and will default to the standard Same-Origin policy for webpage content. Another discussion on CSP here:
http://jeremiahgrossman.blogspot.com/2008/06/site-security-policy-open-for-comments.html

I have it now installed in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090202 Minefield/3.2a1pre ID:20090202033956 (enforced it with Nightly Tester Tools),

OK and keep NoScript installed, this is not a replacement for that Cop inside your Browser...
and here is another view and proposal for this problem:
http://www.cgisecurity.com/2007/11/browser-securit.html

polonus
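As an added example (not code from the original post, nor from Mozilla's proof-of-concept add-on), here is a small Python model of how a supporting browser evaluates a Content Security Policy header for a resource load, and how a browser that ignores the header is left with only the same-origin policy. It assumes the standardized header form (`Content-Security-Policy` with `default-src` / `script-src` source lists, `'self'`, host and wildcard sources), not the draft syntax of the 2009 add-on; the policy strings, page origin and URLs are constructed for the demonstration.

```python
"""Toy model of CSP source-list evaluation (added example, constructed data).

Assumes the standardized header syntax, e.g.
  Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.net
A missing header (policy is None) models a browser that does not support
CSP: nothing is blocked beyond the normal same-origin policy.
"""
from urllib.parse import urlsplit


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_csp(header):
    """Parse 'directive src src; directive src' into {directive: [sources]}.

    As in real CSP, a repeated directive name is ignored after its first use.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in policy:
            policy[name] = sources
    return policy


def source_matches(source, url, page_origin):
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    parts = urlsplit(url)
    if source == "*":
        return True
    if source.startswith("'"):  # keywords: only 'self' can match a URL
        return source == "'self'" and _origin(url) == page_origin.lower()
    if source.endswith(":"):  # scheme source such as "https:"
        return parts.scheme == source[:-1].lower()
    if "://" in source:  # host source with explicit scheme
        scheme, host = source.split("://", 1)
        if parts.scheme != scheme.lower():
            return False
    else:  # scheme-less host source: page's scheme, or https (simplified)
        host = source
        if parts.scheme not in (urlsplit(page_origin).scheme, "https"):
            return False
    host = host.lower()
    if host.startswith("*."):  # wildcard subdomain; does not match the bare domain
        return parts.netloc.lower().endswith(host[1:])
    return parts.netloc.lower() == host


def _effective_sources(policy, directive):
    # A fetch directive falls back to default-src; if neither is present, unrestricted.
    if policy is None:
        return None
    return policy.get(directive, policy.get("default-src"))


def is_allowed(policy, directive, url, page_origin):
    """True if the load is permitted. policy=None models a non-supporting browser."""
    sources = _effective_sources(policy, directive)
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def inline_allowed(policy, directive):
    """Inline <script>/<style> is blocked unless 'unsafe-inline' is listed."""
    sources = _effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources


def demo():
    """Constructed page and policy; returns the decisions as a dict."""
    page = "https://shop.example"
    policy = parse_csp(
        "default-src 'self'; script-src 'self' https://cdn.example.net; img-src *"
    )
    return {
        "own_script": is_allowed(policy, "script-src", "https://shop.example/app.js", page),
        "cdn_script": is_allowed(policy, "script-src", "https://cdn.example.net/lib.js", page),
        "foreign_script": is_allowed(policy, "script-src", "https://bad.example/x.js", page),
        "inline_script": inline_allowed(policy, "script-src"),
        "foreign_style": is_allowed(policy, "style-src", "https://cdn.example.net/s.css", page),
        "any_image": is_allowed(policy, "img-src", "http://pics.example/a.png", page),
        "no_csp_browser": is_allowed(None, "script-src", "https://bad.example/x.js", page),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16} {'allowed' if decision else 'BLOCKED'}")
```

The `foreign_style` case shows the fallback the header relies on: `style-src` is absent, so `default-src 'self'` applies and the CDN stylesheet is refused even though the same CDN is allowed for scripts. The `no_csp_browser` case is the backward-compatibility point from the post: with the header ignored, an injected script from a foreign host loads exactly as it always did, which is why CSP is a defence-in-depth layer on top of, not a replacement for, tools like NoScript.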