XSS game changer

Date June 19, 2009

Thanks to Jeremiah Grossman (via Twitter), I found this post on the Mozilla blog.

Shutting Down XSS with Content Security Policy

As Jeremiah says, this is a game changer in the realm of XSS.  By making some small modifications to how you use JavaScript on your site (moving it all into external files served from an approved host), the Firefox browser should be able to tell the scripts it “trusts” (those that came from somewhere it knows and that are meant to be part of the page) from “malicious” ones (those that are not part of the legitimate site because they were injected somehow).

What’s going to interest me is how this gets enabled.  The browser has to know to apply the policy, so there will have to be some “opt-in” from the site: something in the HTML the browser receives, a response header, or a policy file that gets loaded in.  Unless we’re all going to use HTTPS (which we know has its own adoption issues), what is stopping someone from MITM’ing the connection and forcing an “opt-out” by stripping that signal, so the browser never applies the protection and the site is left as vulnerable as before?  It’s a small weakness that’s immediately obvious before there are any sites to start looking at – I’m sure there will be other ways of removing the header or making the policy fail to load (and/or enforce) correctly once we start looking at this technology in earnest.
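To make the trust decision described in the two paragraphs above concrete, here is an added example of my own (not code from the original post or from Mozilla’s implementation) that models how a browser evaluates a script-src source list against each script it finds on a page.  It uses the directive syntax of the standardized Content-Security-Policy header rather than the 2009 X-Content-Security-Policy draft, and it is an assumption that only the 'self', 'none' and 'unsafe-inline' keywords plus host-source expressions (https://cdn.example.com, *.example.com, https:) need handling.  The page URL, policy string and script list are constructed for the example.  The last run shows the opt-in problem: with no header at all, every script, injected or not, is allowed.

```javascript
// Added example, not from the original post or Mozilla's code: a minimal
// model of a browser's CSP script-src decision. Assumptions: standardized
// CSP header syntax; only 'self', 'none', 'unsafe-inline' and host-source
// expressions (scheme://host[:port], host, *.host, scheme:, *) are handled.

// Parse "default-src 'none'; script-src 'self' https://cdn.example.com" into
// a Map of directive name -> source list. A repeated directive is ignored:
// the first occurrence wins, as in real browsers.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of (header || "").split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Match one host-source expression against a script URL loaded from pageUrl.
function hostSourceMatches(expr, scriptUrl, pageUrl) {
  if (expr === "*") return true;
  let m = expr.match(/^([a-z][a-z0-9+.-]*):$/i); // scheme-only, e.g. "https:"
  if (m) return scriptUrl.protocol === m[1].toLowerCase() + ":";

  let scheme = null;
  let rest = expr;
  m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i); // "https://host[:port][/path]"
  if (m) {
    scheme = m[1].toLowerCase() + ":";
    rest = m[2];
  }
  // Paths are not modelled here; match on host and port only.
  const [host, port] = rest.split("/")[0].toLowerCase().split(":");

  // Scheme: an explicit scheme must match exactly. Without one, the page's
  // own scheme is acceptable, and so is https (never a downgrade to http).
  if (scheme) {
    if (scriptUrl.protocol !== scheme) return false;
  } else if (scriptUrl.protocol !== pageUrl.protocol && scriptUrl.protocol !== "https:") {
    return false;
  }

  // Host: exact match, or "*.example.com" matching any subdomain (not the apex).
  const scriptHost = scriptUrl.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    if (!scriptHost.endsWith(host.slice(1))) return false;
  } else if (scriptHost !== host) {
    return false;
  }

  // Port: an explicit port must match; no port means the script must be on
  // the default port for its scheme.
  const defaultPort = scriptUrl.protocol === "https:" ? "443" : "80";
  const scriptPort = scriptUrl.port || defaultPort;
  if (port === undefined) return scriptPort === defaultPort;
  return port === "*" || port === scriptPort;
}

// Decide whether one script on the page may run. `script` is either
// { inline: true } or { src: "<absolute or page-relative URL>" }.
function isScriptAllowed(header, pageHref, script) {
  const pageUrl = new URL(pageHref);
  const policy = parsePolicy(header);
  const sources = policy.get("script-src") || policy.get("default-src");
  // No applicable directive (including a missing or stripped header): the
  // browser has nothing to enforce and falls back to allowing everything.
  if (!sources) return true;
  if (sources.length === 1 && sources[0] === "'none'") return false;
  if (script.inline) return sources.includes("'unsafe-inline'");
  const scriptUrl = new URL(script.src, pageHref);
  return sources.some((s) => {
    if (s === "'self'") return scriptUrl.origin === pageUrl.origin;
    if (s.startsWith("'")) return false; // other keywords not modelled
    return hostSourceMatches(s, scriptUrl, pageUrl);
  });
}

// Constructed sample: a page, its policy, and the scripts found in its
// (possibly tampered-with) HTML.
const PAGE = "https://www.example.com/account";
const POLICY = "default-src 'none'; script-src 'self' https://cdn.example.com";
const SCRIPTS = [
  { label: "own script", script: { src: "/js/app.js" } },
  { label: "approved CDN", script: { src: "https://cdn.example.com/lib.js" } },
  { label: "CDN over http", script: { src: "http://cdn.example.com/lib.js" } },
  { label: "injected external", script: { src: "https://evil.example.net/x.js" } },
  { label: "injected inline", script: { inline: true } },
];

// Evaluate every script on the sample page under a given header value.
function evaluatePage(header) {
  return SCRIPTS.map(({ label, script }) => ({
    label,
    allowed: isScriptAllowed(header, PAGE, script),
  }));
}

console.log("With policy header:", evaluatePage(POLICY));
console.log("Header stripped by a MITM:", evaluatePage(""));
```

Only the two injected scripts and the CDN-over-http load are refused under the policy; remove the header and all five run, which is exactly the opt-out a MITM would aim for.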

As they say, though, the devil is in the details, so the implementation is what is going to be important.  The cross-domain policy and protections in current browsers are a similar strategy, and we still see flaws and attacks against those.  I expect we’ll see new research breaking the XSS content security policy as it gets out there, but props to Mozilla, as it’s certainly going to raise the bar.  If we can raise the bar high enough that only Olympic-standard athletes can make it over, leaving all the script kiddies behind, then that can only be a good thing.

I’m not too worried about any of the initial issues (and there are sure to be some), as over time I would hope to see this technology get better and more widely adopted, which may very well spell the end of a very large part of the XSS problems out there.
