Shutting Down XSS with Content Security Policy
Sid Stamm, Mozilla
The last three years have seen a dramatic increase in both awareness and exploitation of web application vulnerabilities. 2008 saw dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc. While an ideal solution may be to develop web applications free from any exploitable vulnerabilities, real-world security is usually provided in layers. We present Content Security Policy (CSP), which intends to be one such layer. CSP is a content-restriction policy language and enforcement system that allows site designers or server administrators to specify how content interacts on their web sites: the server declares which origins may supply scripts, images, styles and other resources, and the browser refuses loads that the policy does not permit, so an injected script has nowhere to run even when an XSS bug is present. We also discuss the long road traveled to a useful policy definition and lessons learned along the way to an implementation in Firefox.
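To make the "policy language and enforcement system" concrete, the following is an added, simplified CSP evaluator written for this page; it is not code from the talk, from Mozilla, or from Firefox. It assumes the current W3C `Content-Security-Policy` header syntax (the original Mozilla prototype used a different header and syntax, which the abstract does not spell out) and handles only a subset of source expressions: `'none'`, `'self'`, `'unsafe-inline'`, `*`, scheme sources such as `https:`, and host sources with an optional scheme, port and leading `*.` wildcard. Paths, nonces and hashes are ignored. The policy string, page origin and load attempts are constructed sample data.

```javascript
// Added illustrative CSP evaluator (not the Firefox implementation).
// Assumption: policy follows the W3C "Content-Security-Policy" header form,
// e.g. "default-src 'self'; script-src 'self' https://cdn.example.com".

// Fetch directives that fall back to default-src when not set explicitly.
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src",
  "media-src", "object-src", "frame-src",
]);
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Parse a header value into Map<directive, [source expressions]>.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORT[url.protocol] || "";
}

// Does one source expression permit loading the given (non-inline) URL?
function sourceMatches(source, pageOrigin, url) {
  if (source === "'none'" || source === "'unsafe-inline'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {          // scheme source, e.g. "https:"
    return url.protocol === source.toLowerCase();
  }
  let rest = source;
  let scheme = null;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) { scheme = m[1].toLowerCase() + ":"; rest = m[2]; }
  if (scheme && url.protocol !== scheme) return false;
  const [hostPort] = rest.split("/");                    // path part is ignored here
  const [host, port] = hostPort.split(":");
  if (port && port !== "*" && port !== effectivePort(url)) return false;
  const target = url.hostname.toLowerCase();
  if (host.startsWith("*.")) return target.endsWith(host.slice(1).toLowerCase());
  return target === host.toLowerCase();
}

// target: URL string for an external load, or null for inline script/style.
function isAllowed(policy, directive, pageOrigin, target) {
  let sources = policy.get(directive);
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) {
    sources = policy.get("default-src");                 // fallback directive
  }
  if (sources === undefined) return true;                // nothing restricts this type
  if (target === null) return sources.includes("'unsafe-inline'");
  return sources.some((s) => sourceMatches(s, pageOrigin, new URL(target)));
}

// Evaluate a list of [directive, target] load attempts under one policy.
function evaluateLoads(header, pageOrigin, loads) {
  const policy = parsePolicy(header);
  return loads.map(([directive, target]) => ({
    directive, target, allowed: isAllowed(policy, directive, pageOrigin, target),
  }));
}

// Constructed sample: a site that serves its own scripts plus one CDN and
// allows images from anywhere, faced with two typical XSS payload shapes.
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *";
const PAGE_ORIGIN = "https://app.example.com";
const SAMPLE_LOADS = [
  ["script-src", "https://app.example.com/js/app.js"],   // legitimate
  ["script-src", "https://cdn.example.com/lib.js"],      // legitimate
  ["script-src", "https://evil.example.net/steal.js"],   // injected <script src>
  ["script-src", null],                                  // injected inline script
  ["img-src", "http://tracker.example.net/p.gif"],       // img-src * permits it
];

for (const r of evaluateLoads(EXAMPLE_POLICY, PAGE_ORIGIN, SAMPLE_LOADS)) {
  console.log(`${r.directive} ${r.target ?? "(inline)"}: ${r.allowed ? "allowed" : "blocked"}`);
}
```

The two loads an XSS payload typically needs (an external script from an attacker host and an inline script) are both refused, while the page's own scripts and the CDN keep working. Note that `style-src` is not set, so it inherits `default-src 'self'`; a directive with no entry at all and no `default-src` is unrestricted, which is why real deployments start from a restrictive `default-src`.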