Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Experiments With Site Security Policy

Posted by ScuttleMonkey on from the security-catching-up-with-web-2.0 dept.

An anonymous reader writes "Mozilla has opened comments for an new experimental browser security policy, dubbed Site Security Policy (SSP), designed to protect against XSS, CSRF, and malware-laced IFRAME attacks which infected over 1.5 million pages Web earlier this year. Security experts and developers are excited because SSP extends control over Web 2.0 applications that allow users to upload/include potentially harmful HTML/JavaScript such as on iGoogle, eBay Auction Listings, Roxer Pages, Windows Live, MySpace / Facebook Widgets, and so on. Banner ads from CDNs have had similar problems with JavaScript malware on social networks. The prototype Firefox SSP add-on aims to provide website owners with granular control over what the third-party content they include is allowed to do and where its supposed to originate. No word if Internet Explorer or Opera will support the initiative."

4 of 68 comments (clear)

  1. Re:Why not just include NoScript by default? by sec_login_test · · Score: 5, Informative

    NoScript is designed so the user can protect themselves. SSP is designed so that the website owner can protect users from other users, malicious widget developers, or perhaps unscrupulous CDNs.

  2. Re:Very confusing. by mikeazo · · Score: 5, Informative

    because the server specifies the site policy. the browser uses the site policy to know what to block. if I am running my site and have my policy set up correctly, if an XSS is found in my site and an attacker tries to exploit it, hopefully my policy is defined well enough that a browser knows not to run the attacker's javascript. so the browser doesn't help the server, the server helps the browser know what it should run and what it shouldn't.

  3. Re:Very confusing. by pavon · · Score: 5, Informative

    Say you are a webmaster. You serve pages that you generate and trust them. However, some third parties would like to include content on your pages that is served from servers that you don't control. For example advertisements - these are almost always served from a different computer than the main webpage. Another example is embedded content from another site like a YouTube movie, or all these little panels that the social networking sites are starting to introduce. This gets worse when users themselves are allowed to put this sort of content on your site (say you run a forum or social networking site).

    Because you don't control these web servers, the content they are serving could be replaced with malicious content, or just content that goes beyond what you gave them permission to do. Or a user could intentionally post malicious content.

    This allows a webmaster to indicate what third party content is allowed on any page (if any), and what that third party content is allowed to do (text, images, animated images, javascript, plugins, etc). The web-browser then enforces the rules that the webmaster set.

  4. Additional Information by mrkitty · · Score: 5, Informative

    This is something a lot of us in the industry have been writing about. Here's my rant from last October Browser Security: I Want A Website Active Content Policy File Standard!
    http://www.cgisecurity.com/2007/11/08

    Jeremiah Grossman's thoughts
    http://jeremiahgrossman.blogspot.com/2008/06/site-security-policy-open-for-comments.html

    --
    Believe me, if I started murdering people, there would be none of you left.