Firefox Aims to Unplug Scripting Attacks:How websites can block code from unknown sources.
Sites that rely on user-created content can unwittingly be employed to attack their own users via JavaScript and other common forms of Web code. This security issue, known as cross-site scripting (XSS), can, for example, allow an attacker to access a victim’s account and steal personal data.now the makers of the Firefox Web browser plan to adopt a strategy to help block the attacks. The technology, called Content Security Policy (CSP), will let a website’s owner specify what Internet domains are allowed to host the scripts that run on its pages.”In this case, they are not creating a new technology alternative to HTML, nor protecting the user against an existing problem,” says Eduardo Vela, an independent security researcher who will talk about XSS attacks at next month’s Black Hat security conference, in Las Vegas. “They are actually removing the features in HTML that allowed these problems in the first place.”XSS attacks have caused numerous headaches, particularly for social networks and Web 2.0 […]