Slashdot Mirror


Mozilla Experiments With Site Security Policy

An anonymous reader writes "Mozilla has opened comments for a new experimental browser security policy, dubbed Site Security Policy (SSP), designed to protect against XSS, CSRF, and malware-laced IFRAME attacks which infected over 1.5 million Web pages earlier this year. Security experts and developers are excited because SSP extends control over Web 2.0 applications that allow users to upload/include potentially harmful HTML/JavaScript such as on iGoogle, eBay Auction Listings, Roxer Pages, Windows Live, MySpace / Facebook Widgets, and so on. Banner ads from CDNs have had similar problems with JavaScript malware on social networks. The prototype Firefox SSP add-on aims to provide website owners with granular control over what the third-party content they include is allowed to do and where it's supposed to originate. No word if Internet Explorer or Opera will support the initiative."

10 of 68 comments

  1. Re:Why not just include NoScript by default? by sec_login_test · · Score: 5, Informative

    NoScript is designed so the user can protect themselves. SSP is designed so that the website owner can protect users from other users, malicious widget developers, or perhaps unscrupulous CDNs.

  2. Re:Why not just include NoScript by default? by Anonymous Coward · · Score: 3, Funny

    unscrupulous Canadians?

  3. FINALLY by LeafOnTheWind · · Score: 4, Informative

    As someone who has worked in web security, let me say that many of us have been begging for stricter control over security protocols for years. With all the AJAX going around, more and more sites are proving vulnerable to browsers that are just too friendly with the same-origin policy. If you check out the OWASP Top 10, you'll see that a whole bunch of these attacks could be prevented by better browser security.

    The best case would be a restructuring of Javascript and the DOM as well, but I would be excited to see any increased security. After I used a reflected XSS attack to essentially gain control over a client's browser and all their cookies last year, I don't trust any web application.

    1. Re:FINALLY by hedwards · · Score: 4, Insightful

      This seems like something that would be very useful in this day and age. Noscript ends up being very annoying because a lot of sites will link in a large number of scripts from other servers. It's difficult a lot of the time because you really have to investigate to know what akamai.net does for example, and then there's admdt.com and the like. The list is often times 20 different sites without a good way of restricting the permissions to just the current site.

      I block everything by default, and rarely allow things permanent permissions, but trying to figure out which one is causing the site to not work is a real pain in the ass. Really it's something which shouldn't be expected of a user. The JSON and XSS vulnerabilities really ought to be enough to convince at least financial institutions not to include that kind of crap on their sites.

      But of course, this assumes that the system works, is well designed and protects against the things that developers really shouldn't be doing automatically. But I'll be giving it a whirl just to see if it helps at all.

  4. Re:Very confusing. by mikeazo · · Score: 5, Informative

    Because the server specifies the site policy. The browser uses the site policy to know what to block. If I am running my site and have my policy set up correctly, if an XSS is found in my site and an attacker tries to exploit it, hopefully my policy is defined well enough that a browser knows not to run the attacker's javascript. So the browser doesn't help the server, the server helps the browser know what it should run and what it shouldn't.

  5. Re:Very confusing. by pavon · · Score: 5, Informative

    Say you are a webmaster. You serve pages that you generate and trust them. However, some third parties would like to include content on your pages that is served from servers that you don't control. For example advertisements - these are almost always served from a different computer than the main webpage. Another example is embedded content from another site like a YouTube movie, or all these little panels that the social networking sites are starting to introduce. This gets worse when users themselves are allowed to put this sort of content on your site (say you run a forum or social networking site).

    Because you don't control these web servers, the content they are serving could be replaced with malicious content, or just content that goes beyond what you gave them permission to do. Or a user could intentionally post malicious content.

    This allows a webmaster to indicate what third party content is allowed on any page (if any), and what that third party content is allowed to do (text, images, animated images, javascript, plugins, etc). The web-browser then enforces the rules that the webmaster set.
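    The model the two comments above describe (the server declares a policy, the browser enforces it against every resource a page tries to load) is small enough to simulate. The following is an added example, not part of the thread and not Mozilla's SSP prototype; the policy format (content kind mapped to allowed origins, with "self" and "inline" as keywords) and the sample page loads are constructed for illustration and are not SSP's real syntax.

```python
"""Toy model of a site security policy check.

The site owner declares, per kind of content, which origins may supply it.
The browser side then evaluates each resource a page tries to load against
that declaration and blocks anything the owner did not explicitly allow.
Policy syntax here is hypothetical, constructed for this example only.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# content kind -> allowed origins; "self" = the page's own origin,
# "inline" = script/handlers embedded directly in the page's HTML.
Policy = dict[str, set[str]]


@dataclass(frozen=True)
class Load:
    kind: str              # "script", "image", "frame", "plugin", ...
    url: str               # where the content is fetched from
    inline: bool = False   # True for script embedded in the HTML itself


def origin(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def evaluate(policy: Policy, page_url: str, loads: list[Load]) -> list[tuple[Load, str]]:
    """Return (load, "allow"|"block") for every attempted load.

    Default is deny: a kind with no policy entry, or an origin not listed
    for that kind, is blocked. Inline script needs an explicit "inline".
    """
    self_origin = origin(page_url)
    results = []
    for load in loads:
        allowed = policy.get(load.kind, set())
        if load.inline:
            ok = "inline" in allowed
        else:
            src = origin(load.url)
            ok = (src == self_origin and "self" in allowed) or src in allowed
        results.append((load, "allow" if ok else "block"))
    return results


def blocked_urls(policy: Policy, page_url: str, loads: list[Load]) -> list[str]:
    """Convenience view: just the URLs the policy would stop the browser loading."""
    return [ld.url for ld, d in evaluate(policy, page_url, loads) if d == "block"]


# --- constructed sample: a forum page that embeds third-party content ---
PAGE = "https://forum.example.com/thread/42"
POLICY: Policy = {
    "script": {"self", "https://cdn.example.com"},   # own scripts + one trusted CDN
    "image":  {"self", "https://images.example.net"},
    "frame":  {"https://www.youtube.com"},            # embedded video allowed
    "plugin": set(),                                  # no plugins at all
}
LOADS = [
    Load("script", "https://forum.example.com/js/app.js"),      # allow (self)
    Load("script", "https://widgets.evil.example/track.js"),     # block (user-posted widget)
    Load("script", PAGE, inline=True),                           # block (no "inline")
    Load("frame",  "https://www.youtube.com/embed/abc"),         # allow
    Load("image",  "https://widgets.evil.example/pixel.gif"),    # block
    Load("plugin", "https://forum.example.com/flash/game.swf"),  # block (plugins denied)
]

if __name__ == "__main__":
    for load, decision in evaluate(POLICY, PAGE, LOADS):
        print(f"{decision:5} {load.kind:6} {'(inline)' if load.inline else load.url}")
```

The point worth noticing is the default: every kind of content is denied unless the owner lists it, so a user-posted widget or a swapped CDN script fails closed rather than running because nobody thought to forbid it.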

  6. Additional Information by mrkitty · · Score: 5, Informative

    This is something a lot of us in the industry have been writing about. Here's my rant from last October Browser Security: I Want A Website Active Content Policy File Standard!
    http://www.cgisecurity.com/2007/11/08

    Jeremiah Grossman's thoughts
    http://jeremiahgrossman.blogspot.com/2008/06/site-security-policy-open-for-comments.html

    --
    Believe me, if I started murdering people, there would be none of you left.

  7. Re:Whos Job Is It? - Security by rgviza · · Score: 3, Insightful

    If you care about your machine and what happens to it, it's your job. If you just want to flail around in anger when your box becomes a big paperweight, leave it up to someone else.

    It's the job of the authorities to lock up the crackers and other people that commit electronic crimes. It's your job to lock your front door.

    At the end of the day, the authorities and your ISP can't do anything until the threat is known. By then the damage is done.

    99.9% of stuff can be mitigated with NoScript, a $50 firewall, and a slight change in behavior (stop trying to steal music, porn, movies and software). If you can't take these steps, I'm genuinely amazed that you are capable of showering, starting your car and driving to work and functioning. Most people can, but won't. It sort of flows into that whole "not accepting responsibility for stuff I do" attitude that pervades modern society.

    Typical transaction:
    Dumbass (to self): Sweet I just got the entire collection of every rolling stones song ever made for free! 8)
    >click
    Computer: all of your files are belong to us. Send payment to uvebeenpwned@yahoo.com or you won't get your files back, MU HU HA HA.

    Dumbass (to IT buddy): My computer is running slow and all my files got encrypted. I think I have spyware.
    IT Buddy: You use p2p?
    Dumbass: no, I have no idea what happened, I swear I dun't download... /snicker

    -r

    --
    Don't kid yourself. It's the size of the regexp AND how you use it that counts.

  8. Re:Maybe OT... probably not by klui · · Score: 4, Informative

    What you've described is an RSA SecurID one-time-password. It may appear that your father's fob communicated with the remote server, but the truth is each fob has a unique seed and a clock that creates one-time-passwords based on the value of its clock and an optional salt (PIN). The remote server that validates the OTP knows the seed of your father's fob and is able to authenticate each password it receives. After each valid authentication the passcode is discarded and cannot be used again (within limits of the passcode length). The system allows for clock skew between the fob and the validating server. Current system functionality may have changed as this description is quite old.
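    The mechanism the comment describes (a per-token seed, a clock, an optional PIN, a server that knows the seed, a skew window, and no reuse of an accepted code) can be shown with a generic time-based OTP. The code below is an added example and is not RSA's proprietary SecurID algorithm; it uses HMAC-SHA1 over a clock counter, and the 60-second step, the seed and the timestamps are constructed values.

```python
"""Generic time-based one-time password with clock skew and replay protection.

Added illustration of the scheme described above; NOT the SecurID algorithm.
Both sides share a secret seed. The token derives a code from the current
clock step (and an optional PIN); the server recomputes the code for a small
window of steps around its own clock and refuses any step it already accepted.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60          # constructed: one code per minute
DIGITS = 6


def code_for_counter(seed: bytes, counter: int, pin: str = "") -> str:
    """Derive a DIGITS-long code from the seed, the clock counter and the PIN."""
    msg = struct.pack(">Q", counter) + pin.encode()
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** DIGITS).zfill(DIGITS)


def otp(seed: bytes, now: int, pin: str = "") -> str:
    """What the token displays at Unix time `now`."""
    return code_for_counter(seed, now // STEP_SECONDS, pin)


class Validator:
    """Server side: knows the seed, tolerates `skew_steps` of clock drift,
    and never accepts a clock step at or below the last one it accepted."""

    def __init__(self, seed: bytes, pin: str = "", skew_steps: int = 1):
        self.seed = seed
        self.pin = pin
        self.skew_steps = skew_steps
        self.last_accepted = -1      # highest counter already consumed

    def check(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_accepted:
                continue             # already used (or older): replay, reject
            expected = code_for_counter(self.seed, counter, self.pin)
            if hmac.compare_digest(expected, code):
                self.last_accepted = counter
                return True
        return False


# --- constructed demo values ---
SEED = b"constructed-demo-seed-not-real"
NOW = 1_000_000              # arbitrary Unix timestamp for the demo


def demo() -> list[bool]:
    """Run the scenarios a practitioner cares about; returns the decisions."""
    v = Validator(SEED, skew_steps=1)
    fresh = otp(SEED, NOW)
    return [
        v.check(fresh, NOW),                              # True: valid, in window
        v.check(fresh, NOW),                              # False: same code replayed
        v.check(otp(SEED, NOW - STEP_SECONDS), NOW),      # False: older than last accepted
        v.check(otp(SEED, NOW + STEP_SECONDS), NOW),      # True: token clock 1 step ahead
        v.check(otp(SEED, NOW + 5 * STEP_SECONDS), NOW),  # False: drift beyond skew window
        Validator(SEED, pin="1234").check(fresh, NOW),    # False: PIN not mixed in
    ]


if __name__ == "__main__":
    print(demo())
```

Two details carry the security: the server compares with a constant-time function, and the "last accepted counter" moves forward monotonically, which is what makes a code single-use even though the skew window lets the token's clock drift by a step.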

  9. SSL + SSP = Safer Web Apps by Giorgio+Maone · · Score: 4, Insightful

    As I commented here, SSL and SSP are orthogonal technologies whose correct and joint adoption should be required for any website performing sensitive transactions: the former ensuring integrity and, to a certain extent, identity; the latter defining and guarding application boundaries.

    Those websites should encourage their users to adopt a SSP compliant browser, and compliant browsers should educate users to prefer SSP compliant sites with visual clues, just like we're already doing with EV-SSL (and for better reasons in this case, maybe).

    On my side, I'm considering highlighting valid SSL + restrictive SSP websites as more reliable candidates for NoScript whitelisting.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript