New Firefox Standard Aims to Combat Cross-Site Scripting

← Back to Stories (view on slashdot.org)

New Firefox Standard Aims to Combat Cross-Site Scripting

Posted by ScuttleMonkey on Monday June 29, 2009 @10:06AM from the fight-the-good-fight dept.

Al writes "The Mozilla foundation is to adopt a new standard to help web sites prevent cross site scripting attacks (XSS). The standard, called Content Security Policy, will let a website specify what Internet domains are allowed to host the scripts that run on its pages. This breaks with Web browsers' tradition of treating all scripts the same way by requiring that websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts. The Mozilla Foundation selected the implementation because it allows sites to choose whether to adopt the restrictions. 'The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites,' Brandon Sterne, security program manager for Mozilla, wrote on the Mozilla Security Blog. 'If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.'"

38 of 160 comments (clear)

as an end user by Anonymous Coward · 2009-06-29 10:13 · Score: 2, Insightful

I really hope the default policy is "only allow scripts from the current domain" and "do not allow the site to override my choice".
1. Re:as an end user by seifried · 2009-06-29 10:26 · Score: 3, Informative
  
  It doesn't quite work that way, it's much more fine grained, i.e. as a site owner I can say something like:
  allow /foo/bar.cgi?weird looking strings and block anything else
  so if an attacker finds a cross-site scripting flaw in say "/login.php" the client won't accept it, protecting my client, and protecting the site owner as well (bad guys aren't harvesting credentials from users, etc.).
2. Re:as an end user by Arker · 2009-06-29 13:32 · Score: 2, Interesting
  
  I really hope the default policy is "only allow scripts from the current domain" and "do not allow the site to override my choice".
  Noscript does this.
  Which brings me to the observation that, at least as far as I can tell from the blurb, this entire thing sounds a bit redundant in light of the ready availability of Noscript. Why not just make it part of the default firefox install instead?
  
  --
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Friends don't let friends enable ecmascript.
3. Re:as an end user by Spad · 2009-06-29 17:53 · Score: 4, Insightful
  
  Because, as a user I might not know which of the 47 different domains that CNN pulls scripts from are *supposed* to be serving scripts and which are some guy trying to get my facebook account details (not that I have one or read the CNN site regularly; largely because of the number of bloody domains they pull scripts from), whereas the owners of the CNN site *will* know which domains they're supposed to be pulling scripts from and can state so to the browser.
4. Re:as an end user by Arker · 2009-06-29 18:15 · Score: 2, Insightful
  
  Because, as a user I might not know which of the 47 different domains that CNN pulls scripts from are *supposed* to be serving scripts and which are some guy trying to get my facebook account details (not that I have one or read the CNN site regularly; largely because of the number of bloody domains they pull scripts from), whereas the owners of the CNN site *will* know which domains they're supposed to be pulling scripts from and can state so to the browser.
  Sounds like a bug rather than a feature to me. This would just enable CNN and others to continue the practice, removing any pressure on them to fix their broken website.
  
  --
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Friends don't let friends enable ecmascript.
5. Re:as an end user by xouumalperxe · 2009-06-30 01:01 · Score: 4, Insightful
  
  NoScript solves a different problem, which is that you don't trust the site. What this aims to solve is the problem of knowing what the site itself considers trustworthy, so that you're not required to issue a blanket statement of distrust: If you trust the site, you can (supposedly) trust its own trust list.
How does this change userland? by Red+Flayer · 2009-06-29 10:18 · Score: 4, Insightful

I will still run with noscript installed because I've yet to see a good XSS-preventing implementation that will allow *me*, as a user, to easily define what sites can run scripts on the sites I visit. And when I visit a site where I need to disable noscript, I have no other tabs/browsers open.

I'm sorry, but NO site can be trusted 100% from a user's perspective... and giving site owners the tools to help prevent XSS from their side doesn't help with the fact that users still shouldn't trust absolutely.

The reason something like this scares me is that it lulls users into a higher level of trust... and doesn't protect them from hacked sites, or sites that choose not to implement this.

Of course, I'm slightly paranoid. And of course, this isn't transparent to Joe Sixpack, so he's going to trust|!trust based on whatever it is he's basing it on now. And for security-critical sites like banks, this is a good thing... but I try very hard to make sure my friends & family are a bit paranoid too, so they'll take precautions.

--
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
1. Re:How does this change userland? by Red+Flayer · 2009-06-29 10:52 · Score: 3, Insightful
  
  How are *you* going to know that it is ok to run scripts on Slashdot.org that originate from slashdotscripts.com and not scriptsforslashdot.com? Even if you are a lunatic and micromanage the trusted sources of these scripts, how would selectively running any of them do you any good?
  Dare I say it?
  
  Site XXXX is attempting to run a script on site YYYY.
  (C)ANCEL or (A) LLOW?
  
  All snark aside, why would I allow either of those domains to run a script on slashdot.org? Since I trust slashdot to a certain extent, I would allow from scripts.slashdot.org. But allowing scripts from a completely different domain? No way.
  
  The point is that my security policy is annoying to implement. For site mybank.com I need to enable scripting. But if things were perfect, I could enable only for scripts from $SUBDOMAIN.mybank.com, so I don't get hosed by scripts from $HACKERSITE.bankmy.com. And if legitimate sites are hosting their scripts from an entirely different domains... well, that would have to change. Instead I have to take an all-or-none approach, since the sites I need security the most on are the ones where I need to enable scripting. That just sucks.
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
2. Re:How does this change userland? by Anonymous Coward · 2009-06-29 11:04 · Score: 2, Interesting
  
  That reminds me -- since recently I have to tell NoScript to allow scripts from fsdn.com in order to browse slashdot.org successfully. I *know* that FSDN is slashdot's parent company, but it doesn't seem right that I can't use slashdot's discussion interface without giving permission to all of FSDN.
  Similarly, recently I have to allow gstatic.com and/or googleapis.com to use Google-enabled websites that worked fine before.
  Like the parent post's point: it's getting harder for a user to selectively narrow permissions down.
3. Re:How does this change userland? by maxume · 2009-06-29 11:13 · Score: 2, Insightful
  
  Slashdot is currently pushing js from c.fsdn.com.
  I think you have a pretty dim view of the ecosystem (or maybe you are viewing some really marginal sites, who knows). For the most part, a given page that you visit is not going to contain malicious code that sniffs for when you have a https cookie for your banking site and then mysteriously steals all your money. I say this confidently, as I am quite certain that the bad guys are much happier with the simpler task of installing mal-ware keyloggers.
  The only browser exploit I have personally encountered came from the server getting compromised (well, the account for a domain, probably not the whole server); obfuscated javascript had been appended to the bottom of a javascript file that the page loaded (the attack was a pdf, but I had that particular exploit locked down (or it didn't work in the version of Reader I use...), so no issues). Entertainingly, it was a blog post about web security (I let them know and they fixed it).
  
  --
  Nerd rage is the funniest rage.
4. Re:How does this change userland? by dveditz · 2009-06-29 16:45 · Score: 2
  
  The reason something like this scares me is that it lulls users into a higher level of trust... and doesn't protect them from hacked sites, or sites that choose not to implement this.
  
  This mechanism isn't intended for users -- this is a tool for site authors, to cooperate with them in enforcing their policies. The site still has to make a best effort at implementing those policies themselves to protect all their visitors using browsers that don't support CSP (which includes every officially released version of Firefox to date). This is an extra layer of protection for users of CSP-compliant browsers, and a benefit to the site through the reporting function.
  Please do continue running NoScript if you like. CSP is a mechanism for site authors to declare their policy, add-ons like NoScript and AdBlock are tools for users to declare their policies.
5. Re:How does this change userland? by Zey · 2009-06-29 21:02 · Score: 2, Insightful
  
  And I know that fsdn.com is also a trusted site.
  Funnily enough, I know I don't want fsdn.com's content because the side bar is annoying bloatware that cripples the utility of the site. I'm very glad to have NoScript on the case, blocking it for me. (Which makes me wonder how many other horror websites there are out there whose horrible bloat I've been saved from by virtue of my browsers blocking XSS.)
Re:Good idea by NecroPuppy · 2009-06-29 10:18 · Score: 4, Insightful

First thoughts on that:
If I say that my site trusts domain1.com, but domain1.com isn't using this and ends up having all sorts of dodgy scripts they're passing along, would this block them, or would they count as coming from domain1.com?

--
I like you, Stuart. You're not like everyone else, here, at Slashdot.
Cost vs. Benefit? by spydabyte · 2009-06-29 10:22 · Score: 3, Interesting

If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.'
The author gave the best reason for not implementing this.

The benefits of this, and other various security implementations, won't be seen until it's tested. The costs of testing? Way too high compared to the current cost of operation. This is a very hard proof-of-concept problem, and unless this is already built into development standards, I doubt any deployments would switch.
Which would you take, the option which delays production for a week, or the option to just hit "next"?
Article on this and related technologies by seifried · 2009-06-29 10:23 · Score: 2, Interesting

Shameless self plug: I wrote about this in my column: Web security - Protecting your site and your clients in September of 2008 and I'm VERY glad to see this is moving forwards as it means I (as a site owner) can actually do something to protect my site and my users against flaws in my site that is relatively easy and non-intrusive (that's the key!). The thing I really love about this is if your clients don't support site security policy, things still work, and if your browser supports it but the remote web site doesn't, things still work, but if both ends support it you get a nice added layer of protection. What would be really wild is if Microsoft added support for it, although "not invented here" they have been making efforts to protect users from XSS attacks in IE8 with mixed success, so who knows. You can do similar things with mod_security potentially and outgoing filters but it is nowhere near as simple as site security policy should be to deploy (hopefully).
1. Re:Article on this and related technologies by node+3 · 2009-06-29 11:40 · Score: 2, Informative
  
  If MS did this we'd all be crying about how this isn't sanctioned by W3C, and it's "embraceandextend" (tag?).
  Extinguish.
  It's Embrace, Extend, Extinguish. That last E makes all the difference in the world.
Headline: Google other ad publishers revenues drop by rescendent · 2009-06-29 10:31 · Score: 2, Interesting

Presumably the millions of adsense and publishers will have to enable their sites to maintain adverts..? Might hit google revs a bit...
The XSS FAQ by mrkitty · 2009-06-29 10:33 · Score: 2, Informative

The Cross-site Scripting (XSS) FAQ http://www.cgisecurity.com/xss-faq.html

--
Believe me, if I started murdering people, there would be none of you left.
This is great for Firefox users... by randomnote1 · 2009-06-29 10:34 · Score: 2, Interesting

What about IE, Chrome, Opera, and Safari users? As of now this solution only benefits a small portion of users. I don't see this being widely implemented at all.
1. Re:This is great for Firefox users... by hansamurai · 2009-06-29 10:58 · Score: 2, Insightful
  
  Well, if Firefox users find it effective, then other companies will follow suit. It's just a standard Mozilla is adopting, though it seems to have been defined in house, that won't stop anyone else from using it.
  
  --
  Reviewing just the first hour of video games.
NOT a standard by Curate · 2009-06-29 10:36 · Score: 3, Informative

The summary is wrong, this is NOT a standard in any way, or even a proposed standard. This is a proprietary security feature being introduced by Firefox. I'm not saying this is a bad thing (it's not), or that this won't eventually become a de facto standard (it might). But it is not a standard.
Standard? by pablodiazgutierrez · 2009-06-29 10:42 · Score: 2, Informative

More than a "Firefox standard", it seems to me that this is an extension. I'm all for it, but let's call things by their name.

--

To do list for Windows
RFC? by Midnight+Thunder · 2009-06-29 10:47 · Score: 3, Insightful

Is this 'standard' endorsed by anyone else or written up as part of an RFC? Calling something a standard when you are the only guys doing sounds like a certain company that was started by Bill and Paul.
I am not trying to troll here, since I am all for the solution, I am just ensuring that this properly documented and shared by the right entities (think W3C).

--
Jumpstart the tartan drive.
1. Re:RFC? by Midnight+Thunder · 2009-06-29 10:58 · Score: 2, Informative
  
  I should have the read the article first, since no where in the article do they mention the word 'standard'. When they do decide to make it happen I do hope the submit the proposal to the right organisations, as to avoid making this a one browser standard.
  
  --
  Jumpstart the tartan drive.
Re:Good idea by the_other_chewey · 2009-06-29 10:51 · Score: 5, Interesting

If I say that my site trusts domain1.com, but domain1.com isn't using this and ends up having all sorts of dodgy scripts they're passing along, would this block them, or would they count as coming from domain1.com?
Domain1 woudn't need to use this - this is a client-side security measure. If your site uses it and declares trusted third-parties, it's enough.
Also, what is "passing along" supposed to mean? Scripts (or any other stuff) would either come from domain1 or not. If not, it wouldn't be trusted.
If domain1 proxies scripts from other sources, this means they come from domain1, as far as HTTP is concerend - and they would be trusted.

The problem I see however is domain1 declaring additional trusted domains when delivering its scripts, thereby allowing for "cascaded domain trust", which
would pretty much defeat the new system. This can easily be prevented by not accepting additional trusted domains from elements that are third-party though.
Re:SPF for JavaScript by the_other_chewey · 2009-06-29 10:55 · Score: 2, Funny

I guess the other browsers will just ignore this unless of course they jump on board and implement it too.
Exactly. Also, it will rain tomorrow. Unless it doesn't.
Massive Overkill by butlerm · 2009-06-29 10:56 · Score: 2, Informative

This proposal looks like massive overkill to me. Implementing the restriction on inline script tags is equivalent to saying - our web developers are incompetent and naive and cannot be trusted to take basic security measures, so we feel making our web development practices more cumbersome and inefficient (if not impossible) is a healthy trade off.
A more effective program would be to develop and promote standardized html sanitization routines for popular web development languages, so that user entered html could easily be accepted under certain restrictions. Most web logs do this already.
Alternatively a less draconian solution would be to allow inline scripts to execute if the script tag includes a response specific serialization value that is also present in the HTTP headers. 64 bit values would make forging a inline script essentially impossible, because there would only be a 1/2^64 probability of a subsequent accidental match.
1. Re:Massive Overkill by arndawg · 2009-06-29 19:54 · Score: 2, Informative
  
  Hackers can just fire up a different browser, so the number of hackers this will stop are exactly ZERO.
  It's not about stopping hackers from running these scripts. It's to protect the users if a hacker have managed to insert a remote script via a form on the webpage. It protects users running firefox if the site have implemented the tag.
Re:Old Standard to Prevent All Attacks by jonbryce · 2009-06-29 10:59 · Score: 2, Informative

Don't depend on user-generated content, since it's shit. If your site can't provide it's own content, at least properly filter incoming user content down to plain ol' text.
I suggest you resign from Slashdot as soon as possible then ...
eBay and MySpace? by POWRSURG · 2009-06-29 11:18 · Score: 3, Insightful

CSP is effectively server-side NoScript. And it isn't exactly new either. This has been in development as a Firefox extension for at least a year. The article mentions it being first crafted back in 2005.
The issue I take with this article is that they suggest this feature could even possibly be integrated into eBay or MySpace. These two giants seem like the exact opposite type of market that would use this -- any site that allows users to post their own data is not going to possibly survive the wrath they would catch if users had to explicitly allow the domains they want scripts to run on. For a corporate Web site yes, but for something for the masses or those of us that run a CMS? I don't see that as happening anytime soon.
1. Re:eBay and MySpace? by kill-1 · 2009-06-29 15:28 · Score: 2, Informative
  
  Apparently, you have no idea what XSS means. Neither eBay or Myspace allow the execution of user-provided scripts for obvious reasons. Given the market share of Firefox, the big sites will implement CSP pretty soon.
Re:Old Standard to Prevent All Attacks by sexconker · 2009-06-29 11:31 · Score: 2, Interesting

Why is this modded troll?
99.99999% of attacks are the result of:
Malicious ads and clickthrough "offers" after a sale is processed
Vulnerabilities in PDF, Flash, etc.
Malicious content uploaded by users (javascript, sql injection, malformed jpegs, what have you)
Domain hijacking
General "LOL I GOT UR PASSWORD" shenanigans
Re:Use a file? by michaelhood · 2009-06-29 11:41 · Score: 2, Informative

Ugly, lots of over head...
And requires me to figure out the useragent of either every browser out there (to allow) or every bot out there (to deny). At least, as far as I can tell.
No, only "bots" (spiders, nowadays) actually check robots.txt, per the RFC. User-initiated requests don't/shouldn't (no browser I've ever seen) do not request/parse robots.txt.
Re:Managers by maxume · 2009-06-29 12:41 · Score: 2, Informative

It extends well beyond scripts into other content areas. It can be used to limit the domains that are allowed to serve images, css, and so on (this is all for a given page).

--
Nerd rage is the funniest rage.
Re:Old Standard to Prevent All Attacks by Runaway1956 · 2009-06-29 14:13 · Score: 2, Interesting

Sexconker is modded a troll - quite unfairly. Cross site scripting sucks. Simple as that. I go to a site, first thing I see is noscript's popup message that anywhere between 2 and 20 sites want to run scripts in my browser. I click the popup, to see WHO wants to run scripts. Sometimes, it's easy to see who wants to do what, and deciding to allow site a, but not site b is quite simple.
Often enough, it's just not that simple. I want to see some stupid flash presentation, and the only way to see it is to enable flash. Unfortunately, three different sites are offering a flash. Which one do I want? I choose one to be allowed, and I get rickrolled.
That is hamshite. Nothing more, and nothing less. The original site should be hosting it's own material, or they should supply the link to see the flash presentation. Cross site scripting is a ripoff that just helps to confuse the security conscious. And, God knows there are far to few users who are conscious. (I'd like to see a scientific poll that demonstrates just how many users really are brain dead - it has to be over 20%, and might be over 50%)

--
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Re:Good idea by LO0G · 2009-06-29 17:16 · Score: 2, Insightful

The other major problem with this solution is that it requires changes at the web site level.
In other words, you're only safe if the web site author opts into the security solution.
What are the chances that the hundreds of millions of web sites out there will all opt into this feature?
Re:XSS (Cross-Site Scripting) definition? by TheRaven64 · 2009-06-30 00:30 · Score: 3, Informative

My impression is that "Cross-Site Scripting" is an empty scare phrase that really just means "anything involving two different machines and a script -- whatever that may be".
Cross site scripting is exactly what it sounds like; running a script from one site in another site's security sandbox (i.e. scripting across sites). The script tag allows scripts to be loaded by a page from any site. These scripts then run in the same namespace and sandbox as any other scripts on that page. It's basically the web equivalent of an arbitrary code execution vulnerability. It isn't quite as bad as the client-side version, because there is (in theory) no way of escaping from the sandbox that the browser constructs from each site.
If you don't properly sanitise user-provided data then it's quite easy[1]. Imagine, for example, that Slashdot allowed arbitrary HTML. If it did then I could put a script tag in this post referring to a script in my domain. Your browser would then load this script and run it as if it were provided by Slashdot. If you enter your password, I could harvest it. Even if you don't, my script could send HTTP requests to Slashdot with your login credentials and post spam. If you've entered personal information in your user profile, I could harvest this.
You probably don't have any private information on Slashdot, so it's not a particularly attractive target for identity theft, but the large number of page views means that it might be useful for spam. Imagine, for example, a cross-site scripting vulnerability being used so that everyone with excellent karma who went to the Sony story posted something written by Sony PR.
For sites like eBay, it's much more important. These sites have full names, postal addresses, and often credit card numbers. If I can run a script in their pages' sandbox then I can access all of this information as the user enters it.
This idea is for each domain to provide a whitelist of domains that are allowed to provide scripts (or other resources). If I persuade eBay's code to load a script from my domain then FireFox can check my domain name against the list published by eBay, see that it is not there, and refuse to run the script.
[1] This isn't the only way of persuading a site to load your scripts, but it is the simplest to explain.

--
I am TheRaven on Soylent News
Re:Next step by Ant+P. · 2009-06-30 06:33 · Score: 2, Interesting

How about first getting the PHP developers to add a sane and logical way of sanitizing HTML.