Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Sites that rely on user-created content can unwittingly be employed to attack their own users via JavaScript and other common forms of Web code. This security issue, known as cross-site scripting (XSS), can, for example, allow an attacker to access a victim’s account and steal personal data.

Now the makers of the Firefox Web browser plan to adopt a strategy to help block the attacks. The technology, called Content Security Policy (CSP), will let a website’s owner specify what Internet domains are allowed to host the scripts that run on its pages.

“In this case, they are not creating a new technology alternative to HTML, nor protecting the user against an existing problem,” says Eduardo Vela, an independent security researcher who will talk about XSS attacks at next month’s Black Hat security conference, in Las Vegas. “They are actually removing the features in HTML that allowed these problems in the first place.”

XSS attacks have caused numerous headaches, particularly for social networks and Web 2.0 companies, allowing attackers to hijack eBay auctions, for example, and create a worm that caused MySpace users to automatically befriend a user named “Samy.” The core problem is that many sites allow untrusted users to add their own content to pages while Web browsers treat all content returned by a website as coming from the same entity. If the website is trusted, the content created by an unknown user is trusted as well. The issue has been counted as one of the 25 most serious coding problems by the SANS Institute, a training organization for system administrators and programmers.

In many cases, Web companies can hunt down and restrict dangerous user-created content. But because many sites are so big, finding and fixing all vulnerabilities is a time-consuming and difficult task. Moreover, many sites, notably social-networking ones, want to allow their users some leeway to create interesting content.

Mozilla’s CSP will break with Web browsers’ tradition of treating all scripts the same way. Instead, it will require that participating websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts.

The Mozilla Foundation, which makes the Firefox browser, selected the implementation because it allows sites to choose whether to adopt the restrictions. “The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites,” Brandon Sterne, security program manager for Mozilla, wrote on Mozilla Security Blog. “If the cost versus benefit doesn’t make sense for some site, they’re free to keep doing business as usual.”

1 comment. Share your thoughts »


Tagged: Web, security, software, Internet, Web, hacking, Firefox

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me