Mozilla on Wednesday posted preview builds of its Firefox browser with security enhancements designed to mitigate the risk of certain Web attacks.
In a blog post, Brandon Sterne, security program manager for Mozilla, asks security researchers and server administrators to help test the changes by downloading a build appropriate for their operating system.
The preview versions of Firefox implement a specification called Content Security Policy (CSP), which is designed to protect against cross site scripting (XSS) attacks.
CSP originally also addressed cross site request forgery (CSRF) attacks, but the anti-CSRF measures have been moved into a separate security specification called the Origin Header proposal.
XSS and CSRF attacks have been used for data theft, Web site defacement, and malware distribution. They're typically made possible by Web application coding errors.
In its specification, Mozilla acknowledges that the ideal solution would be creating Web applications without vulnerabilities. But real world security is a matter of layers so Mozilla feels justified in building a net to catch careless coding.
"It seems that while many sites are aware of these threats, and have programs in place to find and remediate the vulnerabilities, the sheer size and complexity of the Web sites make complete remediation of the security holes implausible," the specification document states. "Browser vendors can do more to protect users from client-side attacks involving Web sites that are vulnerable to [cross site scripting and similar attacks]."
CSP also offers protection against clickjacking and packet sniffing attacks.
The CSP implementation isn't yet complete. But Mozilla hopes that thorough testing will bring the development process to a close sooner.
InformationWeek has published an in-depth report on how predictive analytics, real-time monitoring, and the speed of in-memory technology are changing the value proposition of business intelligence. Download the report here (registration required).