Content Security Policy (CSP) - security

[Posts]

Firefox 4

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

Enabling CSP is as easy as configuring your web server to return the X-Content-Security-Policy HTTP header.

Example of change required:

* User Agents MUST block:
o The contents of internal <script> nodes
o javascript: URIs, e.g. <a href="javascript:bad_stuff()"> (unless enabled by policy)
o Event-handling attributes, e.g. <a onclick="bad_stuff()">

* User Agents MUST NOT block:
o Scripts imported from external files whose sources are allowed by the protected document's policy AND are served with a Content-Type of application/javascript or application/json.

https://developer.mozilla.org/en/Introd ... ity_Policy
https://wiki.mozilla.org/Security/CSP/Specification
https://wiki.mozilla.org/Security/CSP/S ... strictions

phpMyAdmin
http://www.phpmyadmin.net/documentation/changelog.php
"+ [core] Include Content Security Policy HTTP headers."

MantisBT bugtracking
http://www.mantisbt.org/blog/?p=119
"As Firefox 4 has been pushed back to early 2011 we have more time to finish off the implementation of X-Content-Security-Policy within MantisBT."

[/a3]

Wow, that's cool...
/me adds headers to my own website straight away.

Hopefully other browsers might implement this as well.

[naderman]

Sounds like a good idea.

[Peppy]

But it's only available in Firefox? And what about other browsers? But it's seems to be good to implement at pages which has forms...

[/a3]

Yes, but phpBB also uses browser-specific code in the case of Internet Explorer (for attachments and avatars regarding IE's MIME sniffing, I believe).

Obviously this header would only be protecting against potential attacks, not attacks that are known at this time. However, quite a large number of people use Gecko-based browsers, and I think it would be worth it.