Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Firefox Standard Aims to Combat Cross-Site Scripting

Posted by ScuttleMonkey on from the fight-the-good-fight dept.

Al writes "The Mozilla foundation is to adopt a new standard to help web sites prevent cross site scripting attacks (XSS). The standard, called Content Security Policy, will let a website specify what Internet domains are allowed to host the scripts that run on its pages. This breaks with Web browsers' tradition of treating all scripts the same way by requiring that websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts. The Mozilla Foundation selected the implementation because it allows sites to choose whether to adopt the restrictions. 'The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites,' Brandon Sterne, security program manager for Mozilla, wrote on the Mozilla Security Blog. 'If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.'"

2 of 160 comments (clear)

  1. Cost vs. Benefit? by spydabyte · · Score: 3, Interesting

    If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.'

    The author gave the best reason for not implementing this.

    The benefits of this, and other various security implementations, won't be seen until it's tested. The costs of testing? Way too high compared to the current cost of operation. This is a very hard proof-of-concept problem, and unless this is already built into development standards, I doubt any deployments would switch.
    Which would you take, the option which delays production for a week, or the option to just hit "next"?

  2. Re:Good idea by the_other_chewey · · Score: 5, Interesting

    If I say that my site trusts domain1.com, but domain1.com isn't using this and ends up having all sorts of dodgy scripts they're passing along, would this block them, or would they count as coming from domain1.com?

    Domain1 woudn't need to use this - this is a client-side security measure. If your site uses it and declares trusted third-parties, it's enough.
    Also, what is "passing along" supposed to mean? Scripts (or any other stuff) would either come from domain1 or not. If not, it wouldn't be trusted.
    If domain1 proxies scripts from other sources, this means they come from domain1, as far as HTTP is concerend - and they would be trusted.

    The problem I see however is domain1 declaring additional trusted domains when delivering its scripts, thereby allowing for "cascaded domain trust", which
    would pretty much defeat the new system. This can easily be prevented by not accepting additional trusted domains from elements that are third-party though.