Content Security Policy enabled in Minefield preview build
- October 1st, 2009
- Posted in Featured
The Mozilla Foundation released on Wednesday a preview version of the Firefox browser that implements a technology to protect against scripting attacks.
The technology, known as Content Security Policy, allows Web sites to specify restrictions on how they handle scripts. Using CSP, a Web site can create a white list of sites from which the browser should accept scripts as well as mandate that the scripts are labeled as applications and are not obfuscated. A number of other features are also available, all aiming to prevent malicious scripts from executing in the context of the current site.
Content Security Policy is based on recommendations made by Robert “rsnake” Hansen back in 2005. Most browsers treat all scripts the same, executing in the context of the current site, no matter where they originated. The de facto policy is what allowed untrusted ads on The New York Times site to recently serve up malicious software to visitors and allowed the Samy and other Web worms to spread. Content Security Policy allows sites to tell browsers which scripts should be allowed as well as additional restrictions on scripting. –
http://www.securityfocus.com/brief/1019
Here are the results of my test using 3.5 first and the preview build second:
You can try the demo out here:
http://people.mozilla.org/~bsterne/content-security-policy/demo.cgi
As of September 30, 2009, Content Security Policy is available for testing. You can download a CSP-enabled preview build from Mozilla’s Try Server, which produces builds on all supported platforms.
http://people.mozilla.org/~bsterne/content-security-policy/download.html