After a long wait and debate, Mozilla Firefox 23 finally supports Content Security Policy 1.0 (CSP 1.0), a set of content restrictions for a web page. Google Chrome and Internet Explorer 10 already support CSP 1.0: Google Chrome added it earlier this year, and Internet Explorer 10 still supports it only partially.
Content Security Policy 1.0 gives users a more secure browsing experience by preventing cross-site scripting (XSS) attacks. It lets a website specify the domains from which its scripts may be loaded and executed, and it blocks inline scripts embedded in an HTML page, which impedes code injection attacks on the web page.
Ian Melven of Mozilla says, “In general, CSP allows web developers greater control over their content, helping mitigate several security problems. One major benefit of CSP is that, by default, it prevents inline scripts from executing. This greatly helps mitigate the threat of XSS (Cross Site Scripting) or other forms of script injection”.
Mozilla had already added a CSP implementation in Firefox 4.0 in 2011, but it was not compliant with the W3C specification. CSP 1.0 brings the W3C specification to Firefox.
The new CSP 1.0 includes many changes:
- The Header has Been Unprefixed
- Changes to the Available Directives
- Changes to Default Behavior
- Changes to Allowing Inline Script and the Use of eval()
- Blocking Inline Styles
The basic idea of CSP 1.0 is to block unauthorized scripts on a web page, preventing code injection and cross-site scripting attacks. With CSP 1.0 you whitelist the sites whose scripts and content you want to run within a web page; no other site will then be able to run code on that page.
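To make the whitelisting concrete, here is a small policy checker added for this article (it is not Mozilla's code, and the two header values are constructed samples): it parses a CSP 1.0 header value, applies the default-src fallback, and shows that inline script, eval() and inline styles stay blocked unless a directive explicitly carries 'unsafe-inline' or 'unsafe-eval'.

```python
from urllib.parse import urlsplit

# Constructed sample policies (not from the page). CSP 1.0 uses the unprefixed
# Content-Security-Policy header name in place of Firefox 4's X-Content-Security-Policy.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"

def parse_csp(header):
    """Parse a CSP 1.0 header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def sources_for(policy, directive):
    """A fetch directive that is absent from the policy falls back to default-src."""
    return policy.get(directive, policy.get("default-src", []))

def allows_keyword(policy, directive, keyword):
    """Inline script/style and eval() are blocked unless the matching directive
    (or default-src) carries 'unsafe-inline' / 'unsafe-eval'."""
    return keyword in sources_for(policy, directive)

def allows_source(policy, directive, url, page_origin):
    """Would a URL be loaded under `directive`? Handles 'none', *, 'self',
    scheme sources (https:) and host sources with a leading wildcard label."""
    if directive not in policy and "default-src" not in policy:
        return True                      # nothing restricts this directive
    srcs = sources_for(policy, directive)
    if "'none'" in srcs:
        return False
    u = urlsplit(url)
    for src in srcs:
        if src == "*":
            return True
        if src == "'self'":
            if f"{u.scheme}://{u.netloc}" == page_origin:
                return True
        elif src.endswith(":") and "://" not in src:   # scheme source
            if u.scheme == src[:-1]:
                return True
        elif not src.startswith("'"):                 # host source
            s = urlsplit(src if "://" in src else "//" + src)
            host = s.hostname or ""
            if (not s.scheme or s.scheme == u.scheme) and (host == u.hostname
                    or (host.startswith("*.") and u.hostname.endswith(host[1:]))):
                return True
    return False                                      # default deny
```

Path matching and nonces were not part of CSP 1.0, so the checker compares scheme and host only.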
Users can now use Content Security Policy 1.0 in:
- Firefox: Firefox 23 and later versions
- Google Chrome: Chrome 25 and later versions
- Internet Explorer: IE 10 and later
You can read a detailed analysis of the changes in the new CSP 1.0 implementation in the official blog post from Mozilla.