Sweeping content security enhancements tested on Firefox 3.7
Initial development is nearly complete on an entirely new kind of Web browser code execution policy management system, which may yet become part of Firefox 3.7 (the point release following the next one in line), a Mozilla spokesperson informed Betanews. When implemented, browsers such as Firefox will be capable of restricting certain classes of embedded code from execution, and Web sites can advertise to browsers in advance which classes of code their pages contain.
The end result, the developers of Mozilla's Content Security Policy (CSP) hope, is that policy-enhanced browsers will be completely immune from cross-site scripting (XSS) attacks from malicious sources, by virtue of restricting themselves to either only executing inline code from trusted, certified sites, or not executing any such code at all.
"The main goal of Content Security Policy is to prevent malicious code from being injected into a Web site and executed within the context of that site," reads the most recent text of Mozilla's CSP specification. "Hence, a recurring theme in CSP is to prevent the creation of script code from potentially tainted strings. It should be made clear that it is not the intent of CSP to prevent navigation to arbitrary sites, but rather to restrict the types of script, media, and other resources that may be used on a Web page."
The wide implementation of CSP, though, will not be easy. First of all, Mozilla's intention is for CSP to be non-proprietary, but that doesn't mean other manufacturers are champing at the bit to adopt it. Mozilla may need support from its own competitors, including Google, Apple, and Opera, for Web site developers to feel the impetus to include policy directives -- methods of telling browsers what classes of content they may include. Microsoft is certainly aware of CSP's development, but opted to steer clear of it for Internet Explorer 8; and IE9 is still probably years away.
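To make the mechanism the spec quote and the "policy directives" phrase describe concrete, here is an added example (not Mozilla's code, and not the 2009 draft's syntax) of the decision a policy-aware browser makes: the site sends a directive list, and the browser refuses an inline script injected into the page while still loading scripts from the origins the site named. The header grammar used (`default-src`, `script-src`, `'self'`, `'unsafe-inline'`) is the later standardized Content-Security-Policy form, assumed here because the article shows no syntax; host matching is simplified to exact hostnames.

```python
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse "name src src; name src" into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def script_allowed(policy, page_url, script_src=None):
    """True if a script may run on page_url under policy.

    script_src=None models an inline <script> block, which is what a
    reflected or stored XSS payload usually is; otherwise it is the URL
    of an external script the page references.
    """
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # nothing governs scripts: browser behaves as without CSP
    if script_src is None:
        return "'unsafe-inline'" in sources  # inline only if explicitly opted in
    origin = _origin(script_src)
    for src in sources:
        if src == "*" or (src == "'self'" and origin == _origin(page_url)):
            return True
        if src.startswith("'"):
            continue  # other keywords are not host sources
        if "://" in src:
            if src.lower() == origin:  # scheme+host source, exact match
                return True
        elif urlsplit(script_src).hostname == src.lower():  # bare host (simplified)
            return True
    return False


# Constructed sample policy and page: the site allows its own scripts and one CDN.
POLICY = parse_csp("default-src 'self'; script-src 'self' cdn.example.net")
PAGE = "https://shop.example.com/item?q=injected"

if __name__ == "__main__":
    print(script_allowed(POLICY, PAGE))                                      # False
    print(script_allowed(POLICY, PAGE, "https://shop.example.com/app.js"))   # True
    print(script_allowed(POLICY, PAGE, "https://cdn.example.net/lib.js"))    # True
    print(script_allowed(POLICY, PAGE, "https://evil.example.org/x.js"))     # False
```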
In a public discussion last January that included Mozilla contributors working on the CSP spec, Microsoft IE program manager Eric Law stated that his team would not be interested in considering adoption of CSP until it was done. "The problem in targeting a moving spec is that if we ship something that isn't compatible with the future evolution of that spec, we're inevitably pilloried for hurting adoption of that spec." Defending Microsoft's use of a private technology called the XDomainRequest object, he added, "Until we're ready to support a stable CSP spec, we're surgically addressing this vector."
Mozilla security program manager Brandon Sterne says that's just fine with him: If CSP promotes a more secure, if more difficult, programming method, that may only mean sites are more protected from exploitation to begin with. And if developers get the thinly veiled message, then he hopes they'll simply take heed of it.
On Sterne's Mozilla blog yesterday, he posted a download link to a custom preview build of Firefox 3.7 "Minefield" with Content Security Policy included. He also posted a test page demonstrating how certain code samples can be effectively excluded using CSP, and how other browsers loading that test page let them right through.
Brandon Sterne's custom build of "Minefield" is not one of the daily preview builds of Firefox 3.7, so testers who download the latest private alpha build will notice that it, too, fails Sterne's CSP test. CSP has yet to be officially announced as a component of Firefox 3.7, or any future release.