web application security lab

Call for Input on Content Security Policy

For those of you who have been following the much-anticipated Content Security Policy - you’ll be excited to know it’s currently available for early preview. The guys at Mozilla have a blog post explaining where Content Security Policy currently stands and asking for input. As you’d expect, it’s not as full-featured as it will probably end up being when it finally gets released, but if you want a chance to tell Mozilla what you think, this is the place to go.

They also include a demo page so that you don’t have to do your own development; you can just try it out right on their site. The demo page can be found here. For anyone interested in solving XSS issues on sites that need to allow user-supplied HTML by policy (because of user demand), this is something you should definitely look into. Come to think of it, user-generated HTML kind of reminds me of this picture. If it seems like a bad idea, it probably is - but maybe we can make a bad idea worth it after all:
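To make the "allow user HTML, but not its scripts" idea concrete, here is an added example (not code from the post or from Mozilla's preview build) that models how a CSP `script-src` policy decides which script loads a page may run. It uses the later standardized directive syntax rather than the preview's, implements only a simplified subset of source matching, and all hostnames and script loads are constructed.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    # "*.cdn.example" matches any subdomain; otherwise exact host match
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def script_allowed(policy, page_origin, kind, url=None):
    """kind is "inline" or "external" (with url); True if the policy permits it."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if sources == ["'none'"]:
        return False
    if kind == "inline":
        return "'unsafe-inline'" in sources
    parts = urlsplit(url)
    for src in sources:
        if src == "'self'":
            if f"{parts.scheme}://{parts.netloc}" == page_origin:
                return True
        elif not src.startswith("'"):
            # host-source: [scheme://]host; when a scheme is given it must match
            sp = urlsplit(src if "://" in src else "//" + src)
            if sp.scheme and sp.scheme != parts.scheme:
                continue
            if _host_matches(sp.netloc.lower(), parts.netloc.lower()):
                return True
    return False

# Constructed scenario: a forum that must render user-supplied HTML.
PAGE_ORIGIN = "https://forum.example"
POLICY = parse_csp("default-src 'self'; script-src 'self' https://cdn.example.net; img-src *")
ATTEMPTS = [  # constructed script loads, with a label for the report
    ("injected inline <script> in a user post", "inline", None),
    ("injected <script src> from a foreign host", "external", "https://evil.example/x.js"),
    ("same-origin bundle", "external", "https://forum.example/app.js"),
    ("approved CDN library", "external", "https://cdn.example.net/lib.js"),
]

def evaluate(policy=POLICY, page_origin=PAGE_ORIGIN, attempts=ATTEMPTS):
    """Return [(label, allowed)] so the outcome of each load is visible."""
    return [(lbl, script_allowed(policy, page_origin, k, u)) for lbl, k, u in attempts]
```

With this policy the two injected loads are blocked while the site's own bundle and the whitelisted CDN still work, which is the trade-off a site that must accept user HTML is buying.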

4 Responses to “Call for Input on Content Security Policy”

  1. rvdh Says:

    On a quick glance, it looks pretty good. I personally don’t have the time to review it, but I hope others have. This is a big issue, and I hope it will make a big step forward in the way one can prevent non-same-origin abuse (linking content like images/flash violates it). I’m interested in the results.

  2. catsophie Says:

    The preview build link does not work. Maybe they will put it later?

  3. Lincoln Yeoh Says:

    Hope they succeed in making something safe, usable and popular.

    I’ve been waiting for (and proposing) something like this for years.

    e.g. http://lists.w3.org/Archives/Public/www-html/2002May/0021.html

    http://www.mail-archive.com/mozilla-security@mozilla.org/msg01448.html

    My suggestion was far more crude and primitive of course, but it still would have stopped the MySpace and other worms.

  4. Brandon Sterne Says:

    @catsophie:

    Thanks for pointing this out. The TryServer builds get auto-expired after two weeks (which I forgot), so I rebuilt them and put them in a permanent location:
    http://people.mozilla.org/~bsterne/content-security-policy/download.html

    Please resume banging on the test builds!