Content Security Policy 1.0 lands in Firefox Aurora

The information in this article is based on work together with Ian Melven, Kailas Patil and Tanvi Vyas.

We have just landed support for the Content Security Policy (CSP) 1.0
specification
in Firefox Aurora (Firefox 23), available as of tomorrow (May 30th). CSP is a security mechanism that aims to protect a website against content injection attacks by providing a whitelist of known-good domain names to accept JavaScript (and other content) from. CSP does this by sending a Content-Security-Policy header with the document it protects (yes, we lost the X prefix with the 1.0 version of the spec).

To effectively protect against XSS, a few JavaScript features have to be
disabled:

  • All inline JavaScript is disallowed. This means, that all the JavaScript code must be placed in a separate file that is linked via <script src=... >
  • All calls to functions which allow JavaScript code being executed from strings (e.g., eval) are disabled

CSP now more intuitive and consistent

While Firefox has had support for CSP since its invention here at Mozilla, things have been changing a lot. The streamlined development of a specification within the W3C has made the concept more intuitive and consistent. Most directives in a CSP header are now of a unified form which explicitly specifies the type of content you want to restrict:

  • img-src
  • object-src
  • script-src
  • style-src and so on.

Oh and if you feel like you must allow less secure JavaScript coding styles, you can add the values unsafe-inline or unsafe-eval to your list of script sources. (This used to be inline-script and eval-script before).

Start protecting your website by implementing CSP now!

But wait – isn’t that a bit tedious… Writing a complex policy and making sure that you remembered all the resources that your website requires? Don’t fret! Here comes UserCSP again!

Generate your Content Security Policies with UserCSP!

During the last few months, Kailas Patil, a student in our Security Mentorship Program has continued his GSoC work from last year to update UserCSP.

UserCSP is a Firefox add-on that helps web developers and security-minded users use CSP. Web developers can create a Content Security Policy (CSP) for their site by using UserCSP’s infer CSP feature. This feature can list required resource URLs and turn them into a policy ready to plug into a CSP header.

In addition, UserCSP is the first step to expose a policy enforcement mechanism directly to web users. Furthermore, users can enforce a stricter policy than a page supplies through the add-on or apply a policy to certain websites that don’t currently support CSP.

While earlier versions of UserCSP were more aligned to content security policies as originally invented at Mozilla, this version is updated to be in compliance with the CSP 1.0 specification. This means that policies derived with this add-on may work in all browsers as soon as they support the specification. Hooray!

As this evolves and ships, our MDN documentation on Content Security Policy (CSP) will keep on evolving, and we also plan to write more about this in the Mozilla Security Blog in the next few weeks, so stay tuned!

About Frederik Braun

Frederik is a Security Engineer at Mozilla. His day job involves looking for security bugs in Mozilla products and related web properties. Frederik is passionate about all computer security topics. Beside his professional involvement in security, he also enjoys playing CTFs with his former fellow-students from FluxFingers.

More articles by Frederik Braun…

About Robert Nyman [Editor emeritus]

Technical Evangelist & Editor of Mozilla Hacks. Gives talks & blogs about HTML5, JavaScript & the Open Web. Robert is a strong believer in HTML5 and the Open Web and has been working since 1999 with Front End development for the web - in Sweden and in New York City. He regularly also blogs at http://robertnyman.com and loves to travel and meet people.

More articles by Robert Nyman [Editor emeritus]…


8 comments

  1. Dmitry

    Hello!
    I have nyan ideas about new open+free project.
    I not developer :( and cant make it, but other can (JS developing).
    Where can I show it to developers?

    May 29th, 2013 at 18:32

    1. Robert Nyman [Editor]

      Try any forum online for web developers or entrepreneurs.

      May 29th, 2013 at 23:42

      1. Robert Nyman [Editor]

        Dmitry,

        I saw you posting a number of comments with job description etc for this blog post. Please don’t do that, this place is for discussing this specific topic. You need to go out there and find general forums for web developers where you can discuss this.

        May 30th, 2013 at 04:38

  2. Dmitry

    Mozilla community develoeprs have a own forum?

    May 30th, 2013 at 05:14

    1. Robert Nyman [Editor]

      We have these mailing lists, but you should also check in other channels if you are looking for interested developers overall.

      May 30th, 2013 at 13:10

      1. Dmitry

        Thank you I sent.

        May 30th, 2013 at 14:34

      2. Dmitry

        Is being held until the list moderator can review it for approval.

        The reason it is being held:

        Post by non-member to a members-only list

        Either the message will get posted to the list, or you will receive
        notification of the moderator’s decision. If you would like to cancel
        this posting, please visit the following URL:

        :(

        May 30th, 2013 at 15:21

  3. Mathew Porter

    Will keep an eye on this on MDN documentation on Content Security Policy page and have a look at testing, sounds like a great security tool

    June 5th, 2013 at 11:58

Comments are closed for this article.