Mozilla working to defend web against XSS attacks

Mozilla is working on a new technology that it hopes will remove the threat of Cross-Site Scripting (XSS) attacks, which have plagued websites for several years.

XSS vulnerabilities allow malicious code to be injected into legitimate websites, which users are persuaded to click on leading to an attack such as a drive-by download.

This is made possible because currently all the content received from a web server's response is treated the same legitimate or malicious by the browser that requests it.

However, with Mozilla's new technology snappily named Content Security Policy' (CSP), the makers of Firefox aim to stop XSS by telling the browser which content is legitimate. The browser can then disregard the malicious code.

Brandon Sterne, security programme manager for Mozilla, said on the Mozilla security blog that the new model it was suggesting would be very different to the current unrestricted model for the web.

But Sterne said that CSP could be implemented in phases, that complex sites could be modified to support it, and that it could drive a stake through the heart of XSS.

"XSS vulnerabilities have real value to attackers and are shared rapidly across the web once discovered. Sites can breathe a little easier knowing their users are protected, even if a XSS bug slips through," he said.

"Because CSP can be configured to notify the protected site when an attack is blocked, CSP will even benefit users of older browsers, by helping sites and plug vulnerabilities quickly."

Sterne said that CSP was a collaboration of many individuals and had input from different websites, browser vendors and web application security experts.

Mozilla has already begun implementation of the CSP specification.

As recently as May, Google had to fix an XSS vulnerability that could have left its services open to attack.