web application security lab

Mozilla’s Content Security Policy

Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous. In reality I’ve been talking about this for close to 5 years privately with the Mozilla team - back when their offices were about 2000 square feet and the entire office smelled like feet. Ahh, those were the days. Well, we are creeping very close to seeing Content Restrictions (now named Content Security Policy) in reality, finally! Thanks in huge part to Gerv and Brandon over at Mozilla.

I hear rumors that it should be released in Firefox-next (also known as 3.6 - scheduled for early to mid 2010). So give it another year or so and we should have a workable defense against XSS on pages that must allow user submitted HTML and JavaScript - think eBay, MySpace, and so on. The only trick is making sure the companies who have these problems have projects in their pipelines to use this header once it becomes live. So if you happen to know someone who works for a company who has this problem or happen to work there yourself, please make sure others are aware of this well ahead of time. I for one am very excited to see this approaching reality after all these years, and I encourage you to watch their website for updates if you are at all interested in building user submitted widgets and the like.

On a less thrilling note, it also has some clickjacking defenses in it, but just like Microsoft’s X-FRAME-OPTIONS header, I think they are not particularly interesting: it’s an opt-in model, while clickjacking is an avenue of attack that works against sites everywhere. Opt-in security models work on sites that know they’ve got a problem (like user submitted HTML and JS), not on sites that don’t know they’ve got a problem (like wireless access points and web enabled firewalls). Alas - I digress, and I don’t mean to diminish the overall positives of this solution. Indeed, I’m very excited by the future of Content Security Policy as it may make surfing “fun” sites safe again - even with JavaScript and Flash enabled! Wouldn’t that be a crazy thought?
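Added example (not code from the post or from Mozilla): what the per-page opt-in described above looks like in practice, and the gap it leaves. It uses the standardized Content-Security-Policy header and directive names rather than the 2009 Mozilla draft syntax, and the hostnames and the /profile/ path are constructed.

```python
from urllib.parse import urlsplit

# Constructed policy for pages that render user-submitted HTML: scripts
# only from our own (hypothetical) static host, no plugins, no framing.
USER_CONTENT_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["https://static.example.com"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],  # the clickjacking defence
}

def serialize_csp(policy):
    """Render a directive dict as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

def parse_csp(header):
    """Inverse of serialize_csp: 'name src src; name src' -> dict."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def script_allowed(policy, script_url, page_origin):
    """Would <script src=script_url> load on a page served from page_origin?
    Uses script-src, falling back to default-src as CSP does; a policy
    with neither directive permits everything."""
    sources = policy.get("script-src", policy.get("default-src", ["*"]))
    if "'none'" in sources:
        return False
    u = urlsplit(script_url)
    origin = f"{u.scheme}://{u.netloc}"
    return any(src == "*" or src == origin or
               (src == "'self'" and origin == page_origin) for src in sources)

def response_headers(path):
    """Opt-in model: only user-content paths (constructed: /profile/) get
    the policy; every other page is served with no CSP at all."""
    headers = {"Content-Type": "text/html"}
    if path.startswith("/profile/"):
        headers["Content-Security-Policy"] = serialize_csp(USER_CONTENT_POLICY)
    return headers

def audit_missing_csp(responses):
    """Given (path, headers) pairs from a crawl, list HTML pages that never
    opted in. This is the gap an opt-in header leaves on pages the site
    did not think of."""
    return [path for path, hdrs in responses
            if hdrs.get("Content-Type", "").startswith("text/html")
            and "Content-Security-Policy" not in hdrs]
```

Note that once `script-src` is present it replaces `default-src` entirely, so a same-origin script is blocked by the policy above unless `'self'` is added to `script-src` as well.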

In unrelated news, I did a podcast with Dennis Fisher over at Threatpost on some of the RFC1918 issues I discussed a few weeks back and Slowloris. If you’re interested, please feel free to have a listen!

5 Responses to “Mozilla’s Content Security Policy”

  1. bobthebuilder Says:

    cheers for that.

    You’ve got a typo “Indded” sorry, can’t help myself.

  2. Denis Says:

    There is one thing I don’t get: why should browser security be raised on some selected portions of sites only? If a site like MySpace or eBay works with “Content Security Policy” enabled then I guess any site could work as well…

  3. RSnake Says:

    @Denis - because most sites don’t intentionally allow user generated content that includes HTML and JavaScript and they wouldn’t want to bother limiting themselves for no good reason. If more sites started allowing full blown HTML and JavaScript then yes, this would apply to them too. For now though the problem is fairly isolated to only a relatively small amount of sites.

    The more likely problem is that far more websites inadvertently allow JavaScript and HTML that they shouldn’t. CSP may help with that if they take this precaution but still don’t want to actually fix their site, but that’s definitely not CSP’s primary focus.

  4. fm Says:

    What about IE, Opera, Konqueror etc. on CSP? And how can we expect eBay, MySpace etc. to rely on CSP within 5 years? They have to wait for all their users to start using a browser with CSP support.

    It’s definitely a remarkable thing in web app sec, but in reality it’s gonna take another 4-5 years to get there.

  5. RSnake Says:

    @fm - It’s a fairly small project to use it on your site, so I seriously doubt it’ll take them 5 years. I think a year from the day it becomes live is a more realistic expectation for MySpace and eBay (I can’t comment on other sites). But you are absolutely correct about the other browsers. Anyone who doesn’t use Mozilla will be putting themselves at greater risk on those sites until those browsers adopt this concept or something similar.