Versions of Firefox with enhanced cross-site scripting protection have been released for testing.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 1, 2009


Mozilla on Wednesday posted preview builds of its Firefox browser with security enhancements designed to mitigate the risk of certain Web attacks.

In a blog post, Brandon Sterne, security program manager for Mozilla, asks security researchers and server administrators to help test the changes by downloading a build appropriate for their operating system.

The preview versions of Firefox implement a specification called Content Security Policy (CSP), which is designed to protect against cross-site scripting (XSS) attacks.

CSP originally also addressed cross-site request forgery (CSRF) attacks, but the anti-CSRF measures have been moved into a separate security specification called the Origin Header proposal.

XSS and CSRF attacks have been used for data theft, Web site defacement, and malware distribution. They're typically made possible by Web application coding errors.

In its specification, Mozilla acknowledges that the ideal solution would be to build Web applications without vulnerabilities. But real-world security is a matter of layers, so Mozilla feels justified in building a net to catch careless coding.

"It seems that while many sites are aware of these threats, and have programs in place to find and remediate the vulnerabilities, the sheer size and complexity of the Web sites make complete remediation of the security holes implausible," the specification document states. "Browser vendors can do more to protect users from client-side attacks involving Web sites that are vulnerable to [cross site scripting and similar attacks]."
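To make the "net" concrete, here is a small added illustration (not Mozilla's code and not taken from the preview builds) of how a browser applies a CSP policy: the page's HTML may still contain the script an attacker injected through a coding error, but whether that script runs is decided by the policy the site sent. It assumes the directive and keyword syntax of the later CSP drafts ('self', 'unsafe-inline', scheme sources such as https:), and the policy, page and script URLs are constructed sample input.

```python
from urllib.parse import urlsplit

# Constructed sample input: the policy a site sends in its CSP response
# header, and the page that is being rendered under it.
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"
PAGE_URL = "https://shop.example.com/search?q=shoes"


def parse_policy(policy):
    """Split "name src src; name src" into {name: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def source_matches(source, script_origin, page_origin):
    """Does one source expression permit a script served from script_origin?"""
    if source == "'self'":
        return script_origin == page_origin
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-only source such as https:
        return script_origin.startswith(source.lower() + "//")
    return script_origin == source.lower()  # assumption: full-origin sources only


def script_allowed(policy, page_url, script_url=None, inline=False):
    """True if the browser would execute the script under this policy.

    An inline script (the usual vehicle of a reflected XSS) runs only if the
    policy opts in with 'unsafe-inline'. An external script must match one of
    the script-src sources; script-src falls back to default-src when absent.
    """
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    if inline:
        return "'unsafe-inline'" in sources
    page_origin, script_origin = origin_of(page_url), origin_of(script_url)
    return any(source_matches(s, script_origin, page_origin) for s in sources)


if __name__ == "__main__":
    # The careless coding: a query parameter reflected into the page as an
    # inline <script>. The policy, not the application, stops it running.
    print("reflected inline script runs:", script_allowed(POLICY, PAGE_URL, inline=True))
    print("site's own script runs:", script_allowed(POLICY, PAGE_URL, "https://shop.example.com/app.js"))
    print("third-party script runs:", script_allowed(POLICY, PAGE_URL, "https://third-party.example/x.js"))
```

The same check applied to a page whose policy is just `default-src 'self'` also refuses the CDN-hosted script, which is the kind of mismatch the call for server-administrator testing is meant to surface.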

CSP also offers protection against clickjacking and packet sniffing attacks.

The CSP implementation isn't yet complete. But Mozilla hopes that thorough testing will bring the development process to a close sooner.

