Mozilla

Content Security Policy 1.0 lands in Firefox Aurora

The information in this article is based on work together with Ian Melven, Kailas Patil and Tanvi Vyas.

We have just landed support for the Content Security Policy (CSP) 1.0 specification in Firefox Aurora (Firefox 23), available as of tomorrow (May 30th). CSP is a security mechanism that aims to protect a website against content injection attacks by providing a whitelist of known-good domain names from which JavaScript (and other content) may be loaded. A site deploys CSP by sending a Content-Security-Policy header with the document it protects (yes, we lost the X prefix with the 1.0 version of the spec).

To effectively protect against XSS, a few JavaScript features have to be disabled:

  • All inline JavaScript is disallowed. This means that all JavaScript code must be placed in a separate file that is linked via <script src=... >
  • All calls to functions that execute JavaScript code from strings (e.g., eval) are disabled

CSP now more intuitive and consistent

While Firefox has had support for CSP since its invention here at Mozilla, things have been changing a lot. The streamlined development of a specification within the W3C has made the concept more intuitive and consistent. Most directives in a CSP header are now of a unified form which explicitly specifies the type of content you want to restrict:

  • img-src
  • object-src
  • script-src
  • style-src and so on.

Oh, and if you feel like you must allow less secure JavaScript coding styles, you can add the values unsafe-inline or unsafe-eval to your list of script sources. (These used to be called inline-script and eval-script.)
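To make the directive fallback and the unsafe-inline / unsafe-eval keywords concrete, here is a small policy evaluator written for this post (an added example, not Firefox's CSP implementation). It parses a Content-Security-Policy header value and answers whether a given load would be allowed; the policy, page origin and URLs are constructed sample data.

```python
"""Minimal CSP 1.0 evaluator (added example, not Firefox or UserCSP code).
Handles the source forms used here: *, 'self', 'none', host names with an
optional scheme and a leading *. wildcard (ports are ignored)."""
from urllib.parse import urlsplit

def parse_policy(header_value):
    """'script-src 'self' https://cdn.example.com; img-src *' -> {directive: [sources]}"""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def _sources_for(policy, directive):
    # A missing fetch directive falls back to default-src; if that is absent
    # too, the policy does not restrict this content type at all (None).
    return policy.get(directive, policy.get("default-src"))

def _source_matches(source, url, page_origin):
    """Match one source expression against an absolute URL."""
    if source == "*":
        return True
    target, page = urlsplit(url), urlsplit(page_origin)
    if source.startswith("'"):  # keyword: only 'self' can match a URL
        return source == "'self'" and (target.scheme, target.hostname) == (page.scheme, page.hostname)
    scheme, _, host = source.rpartition("://")  # 'https', '://', 'cdn.example.com'
    # A scheme-less host source matches the scheme of the protected page.
    if not target.hostname or target.scheme != (scheme or page.scheme):
        return False
    host = host.split(":")[0].lower()
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])  # '*.example.com' -> '.example.com'
    return target.hostname == host

def allows_url(policy, directive, url, page_origin):
    """True if loading url under the given fetch directive is permitted."""
    sources = _sources_for(policy, directive)
    return sources is None or any(_source_matches(s, url, page_origin) for s in sources)

def allows_script_keyword(policy, keyword):
    """keyword is 'unsafe-inline' (inline <script>) or 'unsafe-eval' (eval and friends)."""
    sources = _sources_for(policy, "script-src")
    return sources is None or f"'{keyword}'" in sources
```

Note that a header with no script-src and no default-src leaves inline scripts and eval unrestricted, which is why a policy usually starts with a default-src entry.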

Start protecting your website by implementing CSP now!

But wait – isn’t that a bit tedious… Writing a complex policy and making sure that you remembered all the resources that your website requires? Don’t fret! Here comes UserCSP again!

Generate your Content Security Policies with UserCSP!

During the last few months, Kailas Patil, a student in our Security Mentorship Program has continued his GSoC work from last year to update UserCSP.

UserCSP is a Firefox add-on that helps web developers and security-minded users use CSP. Web developers can create a Content Security Policy (CSP) for their site by using UserCSP’s infer CSP feature. This feature can list required resource URLs and turn them into a policy ready to plug into a CSP header.

In addition, UserCSP is a first step towards exposing a policy enforcement mechanism directly to web users. Through the add-on, users can enforce a stricter policy than the one a page supplies, or apply a policy to websites that don't currently support CSP at all.

While earlier versions of UserCSP were more aligned to content security policies as originally invented at Mozilla, this version is updated to be in compliance with the CSP 1.0 specification. This means that policies derived with this add-on may work in all browsers as soon as they support the specification. Hooray!
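To illustrate what "infer CSP" has to do, here is an added example (not UserCSP's own code) that derives a CSP 1.0 header from a constructed list of resources a page was observed to load. It starts from default-src 'none', whitelists each origin under the matching directive, and reports inline scripts separately, since under CSP 1.0 those must be moved to external files rather than whitelisted.

```python
"""Infer a CSP 1.0 policy from observed resource loads, in the spirit of
UserCSP's "infer CSP" feature. Added example, not the add-on's code."""
from urllib.parse import urlsplit

# Constructed sample: (content type, URL) pairs a page was observed to load.
# "inline" stands for an inline <script> or <style> block, which CSP 1.0
# blocks unless 'unsafe-inline' is granted; it is reported, not whitelisted.
OBSERVED_LOADS = [
    ("script", "https://www.example.com/js/app.js"),
    ("script", "https://cdn.example.com/jquery.js"),
    ("script", "inline"),
    ("style", "https://www.example.com/css/main.css"),
    ("img", "https://images.example.com/logo.png"),
    ("img", "https://www.example.com/favicon.ico"),
]

def infer_policy(page_origin, loads):
    """Return (header value, list of loads that still need a code change)."""
    page = urlsplit(page_origin)
    directives = {}
    needs_attention = []
    for kind, url in loads:
        sources = directives.setdefault(kind + "-src", set())
        if url == "inline":
            needs_attention.append(f"inline {kind} must move to an external file")
            continue
        parts = urlsplit(url)
        if (parts.scheme, parts.netloc) == (page.scheme, page.netloc):
            sources.add("'self'")
        else:
            sources.add(f"{parts.scheme}://{parts.netloc}")
    # Start closed: anything not listed explicitly falls back to default-src 'none'.
    header = ["default-src 'none'"]
    for directive in sorted(directives):
        if not directives[directive]:  # only inline loads seen: nothing to whitelist
            continue
        # 'self' first, then host sources, for a stable, reviewable header.
        sources = sorted(directives[directive], key=lambda s: (not s.startswith("'"), s))
        header.append(f"{directive} {' '.join(sources)}")
    return "; ".join(header), needs_attention
```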

As this evolves and ships, our MDN documentation on Content Security Policy (CSP) will keep on evolving, and we also plan to write more about this in the Mozilla Security Blog in the next few weeks, so stay tuned!

8 comments

Comments are now closed.

  1. Dmitry wrote on May 29th, 2013 at 18:32:

    Hello!
    I have many ideas about a new open+free project.
    I'm not a developer :( and can't make it, but others can (JS development).
    Where can I show it to developers?

    1. Robert Nyman [Editor] wrote on May 29th, 2013 at 23:42:

      Try any forum online for web developers or entrepreneurs.

      1. Robert Nyman [Editor] wrote on May 30th, 2013 at 04:38:

        Dmitry,

        I saw you posting a number of comments with job description etc for this blog post. Please don’t do that, this place is for discussing this specific topic. You need to go out there and find general forums for web developers where you can discuss this.

  2. Dmitry wrote on May 30th, 2013 at 05:14:

    Do Mozilla community developers have their own forum?

    1. Robert Nyman [Editor] wrote on May 30th, 2013 at 13:10:

      We have these mailing lists, but you should also check in other channels if you are looking for interested developers overall.

      1. Dmitry wrote on May 30th, 2013 at 14:34:

        Thank you, I sent it.

      2. Dmitry wrote on May 30th, 2013 at 15:21:

        Is being held until the list moderator can review it for approval.

        The reason it is being held:

        Post by non-member to a members-only list

        Either the message will get posted to the list, or you will receive
        notification of the moderator’s decision. If you would like to cancel
        this posting, please visit the following URL:

        :(

  3. Mathew Porter wrote on June 5th, 2013 at 11:58:

    Will keep an eye on this on the MDN documentation on Content Security Policy page and have a look at testing; sounds like a great security tool.
