Skip to Content

Firefox Aims to Unplug Scripting Attacks

How websites can block code from unknown sources.
June 29, 2009

Sites that rely on user-created content can unwittingly be employed to attack their own users via JavaScript and other common forms of Web code. This security issue, known as cross-site scripting (XSS), can, for example, allow an attacker to access a victim’s account and steal personal data.

Patsy attack: An attacker (shown in red) can use cross-site scripting to force a user’s computer (left) to attack another system (middle), just by visiting a seemingly innocent website (top).

Now the makers of the Firefox Web browser plan to adopt a strategy to help block the attacks. The technology, called Content Security Policy (CSP), will let a website’s owner specify what Internet domains are allowed to host the scripts that run on its pages.

“In this case, they are not creating a new technology alternative to HTML, nor protecting the user against an existing problem,” says Eduardo Vela, an independent security researcher who will talk about XSS attacks at next month’s Black Hat security conference, in Las Vegas. “They are actually removing the features in HTML that allowed these problems in the first place.”

XSS attacks have caused numerous headaches, particularly for social networks and Web 2.0 companies, allowing attackers to hijack eBay auctions, for example, and create a worm that caused MySpace users to automatically befriend a user named “Samy.” The core problem is that many sites allow untrusted users to add their own content to pages while Web browsers treat all content returned by a website as coming from the same entity. If the website is trusted, the content created by an unknown user is trusted as well. The issue has been counted as one of the 25 most serious coding problems by the SANS Institute, a training organization for system administrators and programmers.

In many cases, Web companies can hunt down and restrict dangerous user-created content. But because many sites are so big, finding and fixing all vulnerabilities is a time-consuming and difficult task. Moreover, many sites, notably social-networking ones, want to allow their users some leeway to create interesting content.

Mozilla’s CSP will break with Web browsers’ tradition of treating all scripts the same way. Instead, it will require that participating websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts.

The Mozilla Foundation, which makes the Firefox browser, selected the implementation because it allows sites to choose whether to adopt the restrictions. “The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites,” Brandon Sterne, security program manager for Mozilla, wrote on Mozilla Security Blog. “If the cost versus benefit doesn’t make sense for some site, they’re free to keep doing business as usual.”

The new security measure is based on suggestions made by Web-security specialist Robert Hansen back in 2005. The researcher had been studying different types of Web attacks and had identified an interesting idea: allowing websites to change the security level of the user’s browser.

Hansen turned the idea on its head and, instead, came up with a model that he called Content Restrictions. “The model shouldn’t be, if you trust me, disable all the security; the model should be, trust me to tell you not to trust me,” says Hansen, who is now CEO of Web security consultancy SecTheory. “If I know a page is bad, then I should be able to tell you that the page is bad.”

An engineer at the Mozilla Foundation, Gervase Markham, championed the idea within the Firefox team and further developed the technology, and noted Web security researcher Jeremiah Grossman publicly called for adoption of the technique. Four years later, Mozilla has committed to implementing the technology.

The new Firefox security feature could help block another form of attack, known as clickjacking, which allows an attacker to trick a user into clicking an unsafe button–for example, initiating a bank transfer when she believes that she is sending an e-mail. However, clickjacking is a problem so pervasive that an opt-in model really doesn’t work, says Hansen.

Not everyone agrees that such Content Restrictions is the way to go. Microsoft has created a cross-site scripting filter in Internet Explorer 8 that blocks probable attacks from reaching the victim’s browser. The company has also introduced a new feature, called X-FRAME-OPTIONS, in Internet Explorer 8, which can be enlisted by sites to restrict the use of scripts in iframes–a trick employed by attackers to run code invisibly.

Such efforts, and the difficulty of incorporating CSP into the software giant’s Web architecture, .NET, makes it likely that Mozilla’s CSP won’t be adopted by other browser makers, argues Vela, who plans to present his own solution at Black Hat. “I sincerely don’t think it’s going to be largely adopted,” he says, “mostly because it’s so complicated.”

Mozilla, which declined to comment beyond the blog posting, will likely have the technology ready to incorporate into Firefox in 6 to 12 months, says Hansen. “The next step is to get eBay and MySpace to pick it up and say, ‘Hey, this is great,’” the researcher says.

Keep Reading

Most Popular

How scientists traced a mysterious covid case back to six toilets

When wastewater surveillance turns into a hunt for a single infected individual, the ethics get tricky.

It’s time to retire the term “user”

The proliferation of AI means we need a new word.

The problem with plug-in hybrids? Their drivers.

Plug-in hybrids are often sold as a transition to EVs, but new data from Europe shows we’re still underestimating the emissions they produce.

Sam Altman says helpful agents are poised to become AI’s killer function

Open AI’s CEO says we won’t need new hardware or lots more training data to get there.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.