Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Experiments With Site Security Policy

Posted by ScuttleMonkey on from the security-catching-up-with-web-2.0 dept.

An anonymous reader writes "Mozilla has opened comments for an new experimental browser security policy, dubbed Site Security Policy (SSP), designed to protect against XSS, CSRF, and malware-laced IFRAME attacks which infected over 1.5 million pages Web earlier this year. Security experts and developers are excited because SSP extends control over Web 2.0 applications that allow users to upload/include potentially harmful HTML/JavaScript such as on iGoogle, eBay Auction Listings, Roxer Pages, Windows Live, MySpace / Facebook Widgets, and so on. Banner ads from CDNs have had similar problems with JavaScript malware on social networks. The prototype Firefox SSP add-on aims to provide website owners with granular control over what the third-party content they include is allowed to do and where its supposed to originate. No word if Internet Explorer or Opera will support the initiative."

7 of 68 comments (clear)

  1. Re:Why not just include NoScript by default? by sec_login_test · · Score: 5, Informative

    NoScript is designed so the user can protect themselves. SSP is designed so that the website owner can protect users from other users, malicious widget developers, or perhaps unscrupulous CDNs.

  2. FINALLY by LeafOnTheWind · · Score: 4, Informative

    As someone who has worked in web security, let me say that many of us have been begging for stricter control over security protocols for years. With all the AJAX going around, more and more sites are proving vulnerable to browsers that are just too friendly with the same-origin policy. If you check out the OWASP Top 10, you'll see that a whole bunch of these attacks could be prevented by better browser security.

    The best case would be a restructuring Javascript and the DOM as well, but I would be excited to see any increased security. After I used a reflected XSS attack to essentially gain control over a client's browser and all their cookies last year, I don't trust any web application.

  3. Re:Very confusing. by mikeazo · · Score: 5, Informative

    because the server specifies the site policy. the browser uses the site policy to know what to block. if I am running my site and have my policy set up correctly, if an XSS is found in my site and an attacker tries to exploit it, hopefully my policy is defined well enough that a browser knows not to run the attacker's javascript. so the browser doesn't help the server, the server helps the browser know what it should run and what it shouldn't.

  4. Re:Very confusing. by pavon · · Score: 5, Informative

    Say you are a webmaster. You serve pages that you generate and trust them. However, some third parties would like to include content on your pages that is served from servers that you don't control. For example advertisements - these are almost always served from a different computer than the main webpage. Another example is embedded content from another site like a YouTube movie, or all these little panels that the social networking sites are starting to introduce. This gets worse when users themselves are allowed to put this sort of content on your site (say you run a forum or social networking site).

    Because you don't control these web servers, the content they are serving could be replaced with malicious content, or just content that goes beyond what you gave them permission to do. Or a user could intentionally post malicious content.

    This allows a webmaster to indicate what third party content is allowed on any page (if any), and what that third party content is allowed to do (text, images, animated images, javascript, plugins, etc). The web-browser then enforces the rules that the webmaster set.

  5. Re:Good news for Phorm victims? by whitehatlurker · · Score: 2, Informative
    Not from what I understand of Phorm. You'd need to browse over encrypted connections so that the ISP hosted proxy can't (literally) read your email. (Or your visits to /. or lolcatz or whatever.)

    Their demo page surprised me. I didn't think that stuff would work. If the add-on stops that from being exploitable, it is a good thing, even if it doesn't prevent MITM attacks.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  6. Additional Information by mrkitty · · Score: 5, Informative

    This is something a lot of us in the industry have been writing about. Here's my rant from last October Browser Security: I Want A Website Active Content Policy File Standard!
    http://www.cgisecurity.com/2007/11/08

    Jeremiah Grossman's thoughts
    http://jeremiahgrossman.blogspot.com/2008/06/site-security-policy-open-for-comments.html

    --
    Believe me, if I started murdering people, there would be none of you left.
  7. Re:Maybe OT... probably not by klui · · Score: 4, Informative

    What you've described is an RSA SecurID one-time-password. It may appear that your father's fob communicated with the remote server, but the truth is each fob has a unique seed and a clock that creates one-time-passwords based on the value of its clock and an optional salt (PIN). The remote server that validates the OTP knows the seed of your father's fob and is able to authenticate each password it receives. After each valid authentication the passcode is discarded and cannot be used again (within limits of the passcode length). The system allows for clock skew between the fob and the validating server. Current system functionality may have changed as this description is quite old.