Forums | MacLife
#1 2009-02-15 8:14 am
XSS protection
http://people.mozilla.org/~bsterne/cont … index.html
Other than an experimental add-on, it isn't yet implemented.
Basically, in a nutshell, what it does is allow you to define (via header/metatag) what domains things like scripts, images, and frames can come from in the context of your webpage.
Example - if I only want to allow those things from my domain, and for some pages I don't use any JavaScript at all, I can send the appropriate header telling the client what scripts it can execute via this function:
Code:
<?php
// Send the proposed X-Content-Security-Policy header. $usejs = 1 allows
// scripts from this site's own domain; otherwise no scripts run at all.
function sendcspheader($usejs = 0) {
    if ($usejs == 1) {
        header('X-Content-Security-Policy: allow self');
    } else {
        header('X-Content-Security-Policy: allow self; script-src none');
    }
}
?>

For pages without JavaScript I just call it via sendcspheader(); for pages with JavaScript, sendcspheader(1);
That restricts sources for everything to my domain and further doesn't even allow JavaScript from my domain unless I send it the 1 argument.
The proposed specification even has the ability to send reports of blocked attempts to a form (via POST), so that if something outside the set security policy is tried and someone with a browser that supports this functionality views the page, you can see there was an attempt at a policy violation and either fix your policy or take care of the injected XSS (or whatever).
Anyway, it's not in Firefox yet and I have no idea if it ever will be in Opera or IE - but hopefully it will be, and (once the specification is stable) hopefully web developers will actually use it.
Hopefully people running those creepy PHP-based CMS apps that are known for vulnerability after vulnerability will send the header whether the app has been modified to use it or not.
Anyway, I thought I'd give the heads up, it's a rather cool proposal. Further examples of its use are found on the site I linked.
In her right hand Jenny held the Bible of her mother
Jenny had a pistol in the other
-- Steve Taylor
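An added example, not the poster's code, that extends the helper in the post: it builds the X-Content-Security-Policy header from a directive map (rejecting values that could smuggle in an extra directive), adds the report-uri directive the post mentions, and includes a small collector that logs whatever the browser POSTs. The collector path, the log path and the directive names beyond those in the post are assumptions based on the 2009 proposal; the collector stores the raw report body rather than parsing a specific report format.

```php
<?php
// Added example, not the original poster's code: builds the proposed
// X-Content-Security-Policy header from a directive map, optionally with a
// report-uri that the browser POSTs violation reports to (2009 proposal names).
function build_csp_policy(array $directives): string {
    $parts = array();
    foreach ($directives as $name => $sources) {
        if (!preg_match('/^[a-z-]+$/', $name)) continue;   // directive names only
        $clean = array();
        foreach ((array)$sources as $src) {
            // Reject ';' and whitespace so a value cannot smuggle in a directive.
            if (preg_match('/^[A-Za-z0-9.*:\/_-]+$/', $src)) $clean[] = $src;
        }
        if ($clean) $parts[] = $name . ' ' . implode(' ', $clean);
    }
    return implode('; ', $parts);
}

// Same idea as the poster's sendcspheader(): everything from our own domain,
// scripts only when $use_js is true, plus an optional report collector.
function send_csp_header(bool $use_js = false, ?string $report_uri = null): string {
    $policy = array('allow' => 'self');
    if (!$use_js) $policy['script-src'] = 'none';
    if ($report_uri !== null) $policy['report-uri'] = $report_uri;
    $value = build_csp_policy($policy);
    if (!headers_sent()) header('X-Content-Security-Policy: ' . $value);
    return $value;
}

// Collector endpoint (assumed path /csp-report.php): append the raw POST body
// to a log for review. The size cap and newline stripping keep a flood of
// reports from filling the disk or injecting fake log lines.
function store_csp_report(string $logfile, int $max_bytes = 4096): bool {
    $body = file_get_contents('php://input');
    if ($body === false || $body === '' || strlen($body) > $max_bytes) return false;
    $line = date('c') . ' ' . ($_SERVER['REMOTE_ADDR'] ?? '-') . ' '
          . str_replace(array("\r", "\n"), ' ', $body) . "\n";
    return file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Usage: send_csp_header(false, '/csp-report.php') on a page without scripts;
// in /csp-report.php call store_csp_report('/var/log/csp-reports.log').
```

Reviewing the log periodically is what turns the reporting feature into detection: a report for a script source you never configured is the signal that something was injected into the page.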