True web security from JavaScript injections?

With the arrival of Firefox 4, a new (and widely unnoticed) feature was added to the browser:
CSP: Content Security Policy.

The idea behind CSP is to mitigate many of the attacks and abuses we have been seeing on the web in recent years: clickjacking, unexpected cross-site scripting, script injection by corporate, national or internet-provider routers, and many more.

How does it work?

When serving a web page, the server can now tell the browser exactly where data may come from and where it may go. The policy can state which JavaScript files may run (and from which domains), where XHR requests may be sent, and even where static resources (such as images) may be loaded from.

To be exact, the web server adds a new HTTP header:

X-Content-Security-Policy: policy

The browser (currently only Firefox 4) parses the rules and prevents the page from doing anything the policy does not authorize.

For example:

X-Content-Security-Policy: allow 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com

(More examples here)

A small test

One useful feature of CSP is its ability to report violations. With the help of Ruby on Rails and Redis, here is a little site where you can check whether any unexpected scripts are being injected into your plain-HTTP pages:

Test your connection for JS injections
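As an added illustration (not the author's site or its code), here is how such an injection test can be wired up in plain Ruby: the X-Content-Security-Policy header is built from a policy that adds a report-uri directive, and each violation report the browser POSTs there is parsed and tallied by the host that tried to inject a script. The /csp-report path, the JSON field names and the sample reports are assumptions; a Hash stands in for the Redis counter.

```ruby
require 'json'
require 'uri'

# Build an X-Content-Security-Policy header value (Firefox 4 syntax, as in the
# post) from a directive hash: sources joined by spaces, directives by "; ".
def build_csp_header(directives)
  directives.map { |name, sources| "#{name} #{Array(sources).join(' ')}" }.join('; ')
end

# Policy for the plain-HTTP test page: only same-origin scripts may run and
# every violation is reported to /csp-report (the path is an assumption).
TEST_PAGE_POLICY = {
  'allow'      => "'self'",
  'script-src' => "'self'",
  'report-uri' => '/csp-report'
}.freeze

# Parse one violation report as the browser POSTs it to report-uri and return
# the blocked script URL, or nil when the body is malformed or the violation
# concerns a directive other than script-src. The shape ("csp-report" wrapping
# "blocked-uri" / "violated-directive") follows the original Mozilla format;
# treat the field names as an assumption.
def blocked_script_uri(report_body)
  doc = JSON.parse(report_body)
  report = doc.is_a?(Hash) ? doc['csp-report'] : nil
  return nil unless report.is_a?(Hash)
  return nil unless report['violated-directive'].to_s.start_with?('script-src')
  uri = report['blocked-uri'].to_s
  uri.empty? ? nil : uri
rescue JSON::ParserError
  nil
end

# Tally blocked script hosts over many reports; the Hash stands in for Redis.
# Any host that is not yours means something between server and browser
# injected a script into the page.
def tally_injections(report_bodies, store = Hash.new(0))
  report_bodies.each do |body|
    uri = blocked_script_uri(body)
    next unless uri
    host = (URI.parse(uri).host rescue nil) || uri
    store[host] += 1
  end
  store
end

# Constructed sample reports (not real captures), including one non-script
# violation and one malformed body, to show the filtering.
SAMPLE_REPORTS = [
  { 'csp-report' => { 'blocked-uri' => 'http://ads.example-isp.invalid/inject.js',
                      'violated-directive' => "script-src 'self'" } }.to_json,
  { 'csp-report' => { 'blocked-uri' => 'http://ads.example-isp.invalid/track.js',
                      'violated-directive' => "script-src 'self'" } }.to_json,
  { 'csp-report' => { 'blocked-uri' => 'http://media3.com/clip.ogv',
                      'violated-directive' => 'media-src media1.com media2.com' } }.to_json,
  'not json at all'
].freeze
```

Running `tally_injections(SAMPLE_REPORTS)` on the constructed reports yields two hits for the injecting host and ignores the media violation and the malformed body.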

Read more about CSP
