Category: developers journal

Site Security Policy proposal

Author: seven June 12, 2008

Brandon Sterne from Mozilla recently published interesting proposal which could hopefully make web a bit safer place for regular Joe. Proposed Site Security Policy framework would allow sites to describe how content in their pages should behave. For instance you could filter valid sources of JavaScript on the page, request targets (preventing page content from making outbound communication to other sites) or valid request sources. Even log security alerts. Current proof-of-concept Firefox extension only handles policy defined trough HTTP headers. That could potentially bring more traffic on high load sites, than for example crossdomain.xml which Flash loads from so call "well known location" (like favicon.ico or robots.txt) and which can be cached.

This is by no means ultimate protection, or server protection of any kind. It still can be avoided by malicious users but it could potentially bring an thin layer (but still a layer) of user protection against Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks.

Idea is everything but new. Five years ago, Flash Player 7 introduced policy files used for cross-domain data loading access control (crossdomain.xml). Current Flash Player 9 went even further in new functionality introducing stuff like meta-policies and so on.

Join the discussion on mozilla.dev.security.

Author
seven
CEO/CTO at Nivas®
Neven Jacmenović has been passionately involved with computers since late 80s, the age of Atari and Commodore Amiga. As one of internet industry pioneers in Croatia, since 90s, he has been involved in making of many award winning, innovative and successful online project. He is experienced full stack web developer, analyst and system engineer. In his spare time, Neven is transforming retro-futuristic passion into various golang, Adobe Flash and JavaScript/WebGL projects.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>