Author: polonus (Avast Überevangelist, malware fighter)
Content Security Policy for Fx get accustomed to it now....
« on: February 02, 2009, 05:46:29 PM »
Hi malware fighters,

The last 3 years have seen a dramatic increase in both awareness and exploitation of Web Application Vulnerabilities. 2008 has seen dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc.

CSP is a new policy introduced inside the Fx and Flock browsers, to get accustomed to the idea, and a proof-of-concept.....
To read more about this initiative:
http://people.mozilla.org/~bsterne/content-security-policy/index.html

To download and install into your browser: http://people.mozilla.org/~bsterne/content-security-policy/content-security-policy.xpi
or rather and safely so: https://addons.mozilla.org/nl/firefox/addon/7478

You can toggle the add-on off and on where it sits in the browser, and Content Security Policy will be fully backward compatible and will not affect sites or browsers which don't support it. Non-supporting browsers will disregard the Content Security Policy header and will default to the standard Same-Origin policy for webpage content. Another discussion on CSP here:
http://jeremiahgrossman.blogspot.com/2008/06/site-security-policy-open-for-comments.html

I have it now installed in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090202 Minefield/3.2a1pre ID:20090202033956 (enforced it with Nightly Tester Tools).

OK and keep NoScript installed, this is not a replacement for that Cop inside your Browser...
and here is another view and proposal for this problem:
http://www.cgisecurity.com/2007/11/browser-securit.html

polonus
« Last Edit: February 02, 2009, 11:25:02 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
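To illustrate the backward-compatibility point in the post above (a supporting browser enforces the header, a non-supporting one simply ignores it), here is an added example that is not part of the original post or of the Mozilla add-on: a minimal evaluator for a CSP policy string. It assumes the modern standard header syntax (`default-src`, `script-src`, `'self'`, origins, `*.host` wildcards), not the 2009 proof-of-concept format, and covers only that subset of the real grammar.

```python
"""Added example (not from the forum post): a minimal CSP policy evaluator.
Assumes modern CSP directive syntax; only a subset of source expressions is supported."""
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_allowed(policy: dict, directive: str, page_origin: str, url: str) -> bool:
    """True if `url` may be loaded for `directive` on a page served from `page_origin`.
    Falls back to default-src when the directive is absent. Supports 'self', 'none',
    scheme://host origins and *.host wildcards (a subset of real CSP)."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: CSP imposes no limit
    target, page = urlsplit(url), urlsplit(page_origin)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("*."):
            # wildcard subdomain: '*.static.example' matches 'a.static.example'
            if target.hostname and target.hostname.endswith(src[1:]):
                return True
        elif src.startswith("http"):
            allowed = urlsplit(src)
            if (target.scheme, target.netloc) == (allowed.scheme, allowed.netloc):
                return True
        elif target.hostname == src:  # bare host name
            return True
    return False


def browser_allows(csp_supported: bool, header: str, page_origin: str, url: str) -> bool:
    """Model the post's point: a browser without CSP support disregards the header,
    so CSP places no restriction on the load; only its ordinary same-origin rules apply."""
    if not csp_supported:
        return True
    return source_allowed(parse_csp(header), "script-src", page_origin, url)
```

Run it against a constructed policy such as `default-src 'self'; script-src 'self' https://cdn.example.net *.static.example` to see a third-party script rejected by a supporting browser and silently accepted by a non-supporting one.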