Mozilla Experiments With Site Security Policy 68
An anonymous reader writes "Mozilla has opened comments for an new experimental browser security policy, dubbed Site Security Policy (SSP), designed to protect against XSS, CSRF, and malware-laced IFRAME attacks which infected over 1.5 million pages Web earlier this year. Security experts and developers are excited because SSP extends control over Web 2.0 applications that allow users to upload/include potentially harmful HTML/JavaScript such as on iGoogle, eBay Auction Listings, Roxer Pages, Windows Live, MySpace / Facebook Widgets, and so on. Banner ads from CDNs have had similar problems with JavaScript malware on social networks. The prototype Firefox SSP add-on aims to provide website owners with granular control over what the third-party content they include is allowed to do and where its supposed to originate. No word if Internet Explorer or Opera will support the initiative."
Good news for Phorm victims? (Score:3, Interesting)
FF3 'Killer App' ? (Score:3, Interesting)
Re:Why not just include NoScript by default? (Score:2, Interesting)
SSP would be great considering the huge amount of attacks....from google, to microsoft, etc. Which have been successful.
The only problem with SSP is if microsoft doesn't implement it it will be shot down because IE has 60+% market share. Without IE it would be useless because you can't put the work to protect less than half of your users but the rest that use IE will need some other form of protection.
It could skew already complicated cross-browser development.
Let's just hope microsoft doesn't make their browser even less standards compliant...although I did hear that IE8 scored high on the acid2 test. Guess they are making some headway.
Re:Maybe OT... probably not (Score:3, Interesting)
My father in law had a keyfob lcd thing to which his employer would send him passwords when he wanted to use his takehome work laptop. When he turned it on, it sent a signal to the home base, and the keyfob would show a number. He used this number to log in. This way, if the laptop got stolen, it was effectively worthless.
Is this what you're talking about?
1. I go to login to my bank account.
2. The bank server sends a text message to my phone with a one time key/password.
3. I enter the password/key, so the bank has a better idea that I am who I say I am.
Or...
1. ID theif uses my login info to try to get into my online account.
2. The bank server sends a text message to my phone with a one time key/password.
3. I'm not logging in at the moment, so I call the bank to check in, etc. Interesting.
Re:Why not just include NoScript by default? (Score:2, Interesting)
Re:But why trust site administrators? (Score:3, Interesting)
Currently the options for limiting the scope of JavaScript are:
1. Turn JS off
2. Prevent certain files from loads (i.e.
This does not interfere with either of those, and adds:
3. Allow site administrators explicitly list allowed scripts/domains and block all others.
You can still turn off JS, and you can still prevent certain files from loads. If you came up with some other system to let users decide what JS to run or not (like NoScript), that would still work too. This isn't a system to override your personal settings and force scripts to run, it's just another layer of protection applied before your personal settings, and to help people that can't or don't take the kind of additional protection steps you do.