News Mozilla demos CSP anti-XSS tech

Discussion in 'Article Discussion' started by CardJoe, 5 Oct 2009.

  1. CardJoe

    CardJoe Freelance Journalist

    Joined:
    3 Apr 2007
    Posts:
    11,346
    Likes Received:
    316
  2. mi1ez

    mi1ez Modder

    Joined:
    11 Jun 2009
    Posts:
    1,633
    Likes Received:
    112
    Another great, widely available technology from Mozilla. Good work!
     
  3. tad2008

    tad2008 What's a Dremel?

    Joined:
    6 Nov 2008
    Posts:
    332
    Likes Received:
    3
    I think this is a good approach to a very real problem and gives website owners/administrators a chance to further improve the security of their site and help preserve their reputation. Hopefully this is something that will also be adopted by all the open source CMSs out there to provide the less tech-savvy with a bit more peace of mind.
     
  4. p3n

    p3n What's a Dremel?

    Joined:
    31 Jan 2002
    Posts:
    778
    Likes Received:
    1
    I always thought XSS or 'code injections' (that are malicious and not just malware) were aimed at servers?
     
  5. Saivert

    Saivert Minimodder

    Joined:
    26 Mar 2005
    Posts:
    390
    Likes Received:
    1
    Why don't they just integrate the NoScript extension? This does solve XSS pretty well by blocking it completely.
     
  6. l3v1ck

    l3v1ck Fueling the world, one oil well at a time.

    Joined:
    23 Apr 2009
    Posts:
    12,956
    Likes Received:
    17
    I'm a big NoScript fan, and have been for ages.
    But people like my dad don't have the patience to enable things on a site by site basis. A global solution would be good.
     
  7. frojoe

    frojoe What's a Dremel?

    Joined:
    17 Dec 2008
    Posts:
    135
    Likes Received:
    1
    I know I should run NoScript, but it's a pita. I have it installed but I disabled it a while ago (on my Mac, not my PC). I only turn it on if the site I'm on looks sketchy. You couldn't convince most average computer users to deal with it I don't think, so as l3v1ck said, a global solution would be great.

    Edit: now that I think about it, I think even though NoScript is set to allow scripts globally, it still blocks cross scripting attempts, so it is doing some good for me.
     
  8. Otto69

    Otto69 What's a Dremel?

    Joined:
    6 Oct 2007
    Posts:
    253
    Likes Received:
    3
    Ah the irony of it all. Web browsers were supposed to replace the fat clients such as Outlook, Word, etc. And now with all these extensions the browser is just a piece of buggy bloatware slowly being re-inflated to fat client size. Reinventing the wheel.
     
  9. thehippoz

    thehippoz What's a Dremel?

    Joined:
    19 Dec 2008
    Posts:
    5,780
    Likes Received:
    174
    cool.. saddle popper protector
     
  10. will.

    will. A motorbike of jealousy!

    Joined:
    2 Mar 2005
    Posts:
    4,461
    Likes Received:
    20
    Did you read this article?
     