New Firefox Standard Aims to Combat Cross-Site Scripting 160
Al writes "The Mozilla foundation is to adopt a new standard to help web sites prevent cross site scripting attacks (XSS). The standard, called Content Security Policy, will let a website specify what Internet domains are allowed to host the scripts that run on its pages. This breaks with Web browsers' tradition of treating all scripts the same way by requiring that websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts. The Mozilla Foundation selected the implementation because it allows sites to choose whether to adopt the restrictions. 'The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites,' Brandon Sterne, security program manager for Mozilla, wrote on the Mozilla Security Blog. 'If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.'"
Re:as an end user (Score:2, Funny)
As an end user I really hope that the sites I visit have a default policy of "we only serve up our own shit". ...
Fuck.
Re:SPF for JavaScript (Score:2, Funny)
I guess the other browsers will just ignore this unless of course they jump on board and implement it too.
Exactly. Also, it will rain tomorrow. Unless it doesn't.