Monday, October 5, 2009

Mozilla wants to bring more security to Firefox

The Mozilla Foundation is testing the integration of a new technology to fight attacks like XSS.

A Cross-Site Scripting (XSS) attack consists of injecting malicious code into a Web site so that script (usually JavaScript) external to the page is executed, with the main objective of stealing user data. This code can be delivered via an advertisement displayed on the site, a comment left on a forum, an API... XSS vulnerabilities are most often due to coding errors in Web applications, and they allow code to be executed in the browser, in the context of the sites visited.

To fight XSS attacks, the Mozilla Foundation is developing a technology called Content Security Policy (CSP). This framework should enable Web sites to protect themselves against XSS and related attacks. CSP allows developers to embed HTML headers in their sites so that the browser can determine which domains should be considered safe. The principle is reminiscent of a white list: only authorized domains can be called when a script is executed from a site.
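The white-list decision described above, as an added example that is not Mozilla's code. It assumes the `default-src` / `script-src` directive syntax that CSP later took on as a W3C standard, where the policy is sent as a `Content-Security-Policy` HTTP response header. The policy, host names and function names are constructed for illustration, and the matching is a simplified model rather than a browser's full algorithm.

```javascript
// Constructed policy: scripts may come from the page's own origin and two listed hosts.
const POLICY = "default-src 'self'; script-src 'self' https://static.example.com *.cdn.example.net";

// Split a policy string into { directive: [source, ...] }.
function parsePolicy(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Does one source expression cover the URL being loaded?
// Simplified: no ports or paths; anything this sketch cannot parse fails closed.
function sourceMatches(source, url, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  // A host given without a scheme is tied to the page's own scheme here.
  const wantProto = scheme ? scheme.toLowerCase() + ":" : page.protocol;
  if (url.protocol !== wantProto) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  // "*.cdn.example.net" covers subdomains only, not cdn.example.net itself.
  return wildcard ? h.endsWith("." + want) : h === want;
}

// script-src falls back to default-src; with neither present, scripts are unrestricted.
function scriptAllowed(policy, pageUrl, scriptUrl) {
  const d = parsePolicy(policy);
  const sources = d["script-src"] ?? d["default-src"];
  if (sources === undefined) return true;
  const page = new URL(pageUrl);
  const url = new URL(scriptUrl, page); // resolves relative script URLs
  return sources.some((s) => sourceMatches(s, url, page));
}

const PAGE = "https://shop.example.org/cart"; // constructed page URL
for (const src of ["/js/app.js", "https://a.cdn.example.net/x.js", "https://evil.example/x.js"]) {
  console.log(src, scriptAllowed(POLICY, PAGE, src) ? "load" : "block");
}
```

A script URL injected through a comment or advertisement that points at a host outside the list is refused by the browser even though the markup reached the page.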

Far from throwing stones at Web developers, Mozilla said it is difficult to supervise and filter everything a malicious user can upload to a site, at a time when the Web is becoming more interactive. Last week Mozilla, which is seeking comments on CSP, presented its implementation in trial versions of Firefox (version 3.7) specially prepared for the purpose. The implementation is not yet fully complete, but a demonstration page has been posted.

The question is whether other browsers will adopt CSP. Mozilla expects at least that CSP will become an open standard through the W3C.
