Mozilla Tests More Secure Firefox
Versions of Firefox with enhanced cross-site scripting protection have been released for testing.
Mozilla on Wednesday posted preview builds of its Firefox browser with security enhancements designed to mitigate the risk of certain Web attacks.
In a blog post, Brandon Sterne, security program manager for Mozilla, asks security researchers and server administrators to help test the changes by downloading a build appropriate for their operating system.
The preview versions of Firefox implement a specification called Content Security Policy (CSP), which is designed to protect against cross site scripting (XSS) attacks.
CSP originally also addressed cross site request forgery (CSRF) attacks, but the anti-CSRF measures have been moved into a separate security specification called the Origin Header proposal.
XSS and CSRF attacks have been used for data theft, Web site defacement, and malware distribution. They're typically made possible by Web application coding errors.
In its specification, Mozilla acknowledges that the ideal solution would be creating Web applications without vulnerabilities. But real world security is a matter of layers so Mozilla feels justified in building a net to catch careless coding.
"It seems that while many sites are aware of these threats, and have programs in place to find and remediate the vulnerabilities, the sheer size and complexity of the Web sites make complete remediation of the security holes implausible," the specification document states. "Browser vendors can do more to protect users from client-side attacks involving Web sites that are vulnerable to [cross site scripting and similar attacks]."
CSP also offers protection against clickjacking and packet sniffing attacks.
The CSP implementation isn't yet complete. But Mozilla hopes that thorough testing will bring the development process to a close sooner.
InformationWeek has published an in-depth report on how predictive analytics, real-time monitoring, and the speed of in-memory technology are changing the value proposition of business intelligence. Download the report here (registration required).
About the Author
You May Also Like
Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024