Slashdot Mirror


Mozilla Experiments With Site Security Policy

An anonymous reader writes "Mozilla has opened comments for a new experimental browser security policy, dubbed Site Security Policy (SSP), designed to protect against XSS, CSRF, and malware-laced IFRAME attacks which infected over 1.5 million pages Web earlier this year. Security experts and developers are excited because SSP extends control over Web 2.0 applications that allow users to upload/include potentially harmful HTML/JavaScript such as on iGoogle, eBay Auction Listings, Roxer Pages, Windows Live, MySpace / Facebook Widgets, and so on. Banner ads from CDNs have had similar problems with JavaScript malware on social networks. The prototype Firefox SSP add-on aims to provide website owners with granular control over what the third-party content they include is allowed to do and where it's supposed to originate. No word if Internet Explorer or Opera will support the initiative."

6 of 68 comments

  1. Re:Why not just include NoScript by default? by Anonymous Coward · Score: 3, Funny

    unscrupulous Canadians?

  2. Anonymous Answers Itself by Anonymous Coward · Score: 1, Funny

    Q: Why not just include NoScript by default?

    A: NoScript's security can get kind of annoying sometimes

  3. pages Web by HTH+NE1 · Score: 2, Funny

    "which infected over 1.5 million pages Web earlier this year."

    That reminds me: I need to update my page Web.
    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  4. Re:Why not just include NoScript by default? by onkelonkel · Score: 2, Funny

    No such thing. We're all totally scrupulous.

    --
    None of them can see the clouds; The polished wings don't care.
  5. Re:Why not just include NoScript by default? by rootofevil · Score: 2, Funny

    "No such thing. We're all totally scrupulous."

    If you had ended that sentence with ', eh' or mentioned one or more of the following: ice, mooses, the Yukon, I would have believed you.
    --
    turn up the jukebox and tell me a lie
  6. it's just not sufficient protection by fred+fleenblat · Score: 2, Funny

    In all likelihood it will be years before the enabling technology is in place to prevent the most vicious malware of all, the dreaded rickroll.