Mozilla Aims At Reducing XSS Flaws Thanks To New Technology

Mozilla foundation has announced that it is working on a new technology that could help in tackling the gruesome threat of Cross-Site Scripting (XSS) attacks, which have been inflicting damages to websites since several years.

XSS flaws pave way for malicious codes to be injected into genuine websites, which users feel free to click, leading to tricking users to steal their crucial information.

In a bid to take on the soaring XSS attacks, Mozilla has come up with a new technology, codenamed as “Content Security Policy”, which aims at handling the attacks by enabling website administrators to set directives notifying about the trustworthy domains.

Along with the capability of handling XSS, CSP also tries to address packet sniffing as well as clickjacking attacks by pinning down directives for which domains can integrate resources and need https.

Asserting on the benefits of the new security tool, Brandon Sterne, Mozilla's security programme manager, said in a statement, “Because CSP can be configured to notify the protected site when an attack is blocked, CSP will even benefit users of older browsers, by helping sites and plug vulnerabilities quickly”.

The open source foundation claimed that CSP will be completely backward compatible, and won't affect browsers and websites which don't support it.

and join more than 1600 other followers.

Our Comments

Cross site scripting security vulnerabilities have become more and more frequent and accounted for around 80 percent of all documented security vulnerabilities in 2007. XSS is prevalent mainly because of the ease with which the attacks can be mounted as well as the prevalence of browsers.

Related Links

Mozilla tackles XSS vulnerabilities with new technology

(ZDNet)

Mozilla's new security policy

(Heise Online)

Security Fixes and Improvements

(Softpedia)

New Mozilla Spec Aims At Ending Cross-Site Scripting

(PC Mag)

Mozilla working to defend web against XSS attacks

(IT Pro)

Mozilla Content Security Policy takes aim at XSS

(Internet News)