CSP 1.0 Added to Firefox to Block XSS Attacks

TheKid7 · Jun 12, 2013

CSP 1.0 Added to Firefox to Block XSS Attacks:

After years of discussion and waiting, Mozilla has finally added Content Security Policy 1.0, a defense against some common attacks such as XSS, to its Firefox browser. CSP already has been implemented in Google Chrome and Internet Explorer and there was a limited implementation of it in Firefox previously, beginning in 2011, but this is the first time the approved 1.0 specification has been implemented in Firefox.

CSP is a specification designed to help limit the sources of content that can run on a given Web site. One of the ways that attackers compromise users’ machines by inserting malicious scripts on a target Web page. Sites today often pull content from multiple different sources, including social networking sites, ad networks and other sites, and it’s difficult for site owners to validate whether each of those pieces of content is safe. Cross-site scripting attacks take advantage of this weakness...........
Click to expand...

http://threatpost.com/csp-1-0-added-to-firefox-to-block-xss-attacks/

Alhaitham · Jun 12, 2013

thanks

ZeroDay · Jun 12, 2013

Thanks for the share.

BoerenkoolMetWorst · Jun 13, 2013

Nice, but the article forgot to state in which version it is added, but I found it:

Now in desktop Firefox 23 (Aurora) and later. Firefox for Android and Firefox OS soon to follow.
Click to expand...

harsha_mic · Jun 13, 2013

I guess adding noscript, would block the xss attacks. Isn't it?
Anything benefit implementing this to the user, which does not provide by no script? I know, by default firefox would be more safer which is a very good thing.

BoerenkoolMetWorst · Jun 20, 2013

harsha_mic said:

I guess adding noscript, would block the xss attacks. Isn't it?
Anything benefit implementing this to the user, which does not provide by no script? I know, by default firefox would be more safer which is a very good thing.
Click to expand...

Before this, NS's XSS protection was way better than Firefox's, but I don't know how it compares against FF with CSP 1.0

tlu · Jun 21, 2013

BoerenkoolMetWorst said:

Before this, NS's XSS protection was way better than Firefox's, but I don't know how it compares against FF with CSP 1.0
Click to expand...

Both approaches are completely different. CSP improves server-side security (if, and only if, the Content-Security-Header is added to the website and the policy is correctly applied), while Noscript improves client-side security by filtering malicious cross-site requests. Once CSP is applied to all websites, the anti-XSS filter in Noscript is theoretically superfluous. But that's like all my Christmases have come at once if you ask me ...

BTW: A nice introduction to CSP is this one.

Log in or Sign up

CSP 1.0 Added to Firefox to Block XSS Attacks

TheKid7 Registered Member

Alhaitham Registered Member

ZeroDay Registered Member

BoerenkoolMetWorst Registered Member

harsha_mic Registered Member

BoerenkoolMetWorst Registered Member

tlu Guest

Log in or Sign up

CSP 1.0 Added to Firefox to Block XSS Attacks

TheKid7 Registered Member

Alhaitham Registered Member

ZeroDay Registered Member

BoerenkoolMetWorst Registered Member

harsha_mic Registered Member

BoerenkoolMetWorst Registered Member

tlu Guest

Useful Searches