Categories: Firefox Security

A Glimpse Into the Future of Browser Security

As we mentioned earlier we’ve been working for the past few months on turning the Content Security Policy specification into working Firefox code. (You’ll remember that CSP is a framework to protect websites from XSS and related attacks). We are happy to report that the work is nearly finished, and we have some preview builds available for you to try out.

We’re thrilled to have received so much great feedback from other browser vendors, web site administrators, and security researchers and we’re very proud of the design that has come out of that discussion. We would like to encourage any server administrators or web app security researchers who are interested in this project to grab a preview Firefox build and help us test the new features. Please be aware that there are still a few rough spots. The implementation is not quite complete so you may notice some small gaps between the preview builds and the spec. Most notably, HTTP redirects are not fully handled by CSP (but will be soon).

I posted a demo page where you can see the basic features of CSP in action, though we’re all much more excited to see all the tests and proof points our friends in the security research community are sure to turn up. Please grab a preview build and start testing!

Brandon Sterne
Security Program Manager

11 comments on “A Glimpse Into the Future of Browser Security”

  1. Pento wrote on

    Ok, let’s test it! =)

  2. Julian Reschke wrote on

    It appears CSP allows multiple header instances, but fails to use the single syntax allowed for that (see : “Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)].”

  3. home computer wrote on

    XSS protection ok but not enough. We want a really secure browser (which Firefox is NOT by far) that is able -without add-ons- to also block on demand:
    cookies (Opera has it)
    referrers (Opera has it)
    javascript (Opera has it)
    flash (Opera has it, Plugins off)

    external active content (firewall)
    hidden frames (firewall)
    webbugs (firewall, pixel webbugs)
    XXS protect (firewall)
    add-servers, most Google shit (firewall)
    modified Hosts file

    and the possibility to choose our own search engine and not the ones that have been pre-choosen by Mozilla (i.e. Scroogle in stead of that
    intrusive Google shit, which is the biggest thread to privacy ever !)
    Mozilla sold out to Google, i never will.

    Until that day arrives I will stay with Opera (10) (and never ever use Firefox) combined with webcontrol by a third party firewall.

    Still a long way to go for Firefox intill it will be a secure browser.

  4. Daniel Veditz wrote on

    @home computer:

    We never said XSS protection was “enough”, but we can’t talk about everything all the time. In this post we’re talking about Content Security Policy. CSP has a different focus from the features you mention, which are about how a web surfer can customize their experience. CSP is focused on letting site authors declare the expected content of each page so the browser can help prevent unintended content from being injected.

    Apart from CSP, plain vanilla Firefox can block cookies and images per site, and on a global basis you can disable JavaScript and Flash (and/or other plugins). You can also disable the Referer header but that requires twiddling an “about:config” settings. The average web surfer does not use those features, but yeah, if you’re in the power-user minority that needs more than that then you have to install an add-on to get the full per-site flexibility Opera has ‘out of the box’.

    I don’t understand your complaint about the search engine choice. Like Opera we default to a Google search. Like Opera there’s a drop-down that lets you switch engines with a handful of preinstalled choices (a lot of the same choices, like Yahoo, Wikipedia, Amazon, eBay, Answers.com). Like Opera you can add more. We even provide a link to our addons site where we have hundreds of choices. And you can right-click on any search form in any page, anywhere to create a keyword search you can later access from the URL bar at any time

    But really, if you prefer Opera that’s fine by us. A Firefox monopoly would be a failure of our mission to bring choice and innovation to the internet.

  5. Andrew wrote on

    Hi.

    If a site has been compromised won’t the attacker just add their dodgy domain to the list of domains that are okay? So you could go to Google but also download the dodgy iFrame at the same time cause the modified CSP would say it is okay? I am trying to understand how the new protection would actually make me safer on the web.

  6. Johnathan Nightingale wrote on

    @Andrew – typically the way sites are exploited in an XSS attack is that some facet of the site allows users to add content to the page (a comment box on a blog, a review box on a shopping site, &c) and the attacker includes malicious content in their submission. CSP is delivered as a header, and points to a standalone policy file – neither of which are part of the web page itself, so an attacker is unlikely to be able to change them unless that attacker has full control of the server itself, in which case no client-based defense will be sufficient.

  7. Daniel Veditz wrote on

    You’re right: if the server itself is compromised all bets are off. XSS attacks, however, inject content into a web application without actually compromising the underlying server configuration. CSP does nothing to help a site secure its network or machines, but it does provide a back-stop to catch programming bugs in the web application layer.

  8. rvdh wrote on

    @home computer

    As much as I prefer Opera as my main browser, I think you are somewhat disappointed by Firefox, for reasons I might understand. However, that isn’t a valid argument against the folks who are trying to implement a security policy -we (or almost) all- we’re waiting for. Content restriction is a serious and -by far- underrated issue that had to be addressed at some point. The day of the “happy open web” is over, it has become a landscape of marketeers and mostly profit making folks who aren’t interested in your well-being. The news hat Mozilla is taking the torch of content restriction is a good sign, and we should encourage that instead of radiating our personal opinions of Mozilla -or- Firefox. I know very well that hundreds of developers spent countless hours on Firefox, giving their free time to make a change on the web. Albeit, some choices of Mozilla will affect & influence security of the browser (like plugin support), one must not forget that you do have the ability to modify/adjust Firefox to your needs, the choice is given to you, whereas many other browser vendors limit this very freedom.

  9. Mike wrote on

    This sounds like a recipe for yet more governance bloat on the web.. if you want a secure environment for your users then secure your applications properly so that these kind of mechanisms are not necessary.

    Browsers are already bloated, this is just adding to the problem and creating a patched solution for the underlying problem: web developers don’t use adequate tooling to prevent serving their users threatening content.

    This is not a sensible solution.

  10. Geld Lenen wrote on

    As rvdh states, the web has become a landscape for profit making folks. I read an article that a distributor of scare-ware earned 3 times the amount that Obama makes 😮

  11. Tom T. wrote on

    @ home computer:
    “and the possibility to choose our own search engine and not the ones that have been pre-choosen by Mozilla (i.e. Scroogle ”

    Or you can just do what I did: Delete all search engines from FX and bookmark Scroogle. Two clicks to search. End of problem. If you can’t manage the two clicks, there was code somewhere about how to add Scroogle or anything else to your search engine list. Search the MZ instructions.

    [off-topic political commentary deleted –dveditz]