The latest version of Mozilla's Firefox web browser, version 4, was released this week with a number of new security features, including a mechanism for preventing web-based attacks.
One of the new security features, called Content Security Policy (CSP), is enabled by default and designed to stop common web-based attacks, such as cross-site scripting (XSS) and data injection, by providing a mechanism for sites to explicitly tell the browser which content is legitimate, according to Mozilla.
CSP allows website administrators to reduce XSS vectors by specifying which domains the browser should consider valid sources of executable script. A CSP-compatible web browser will then only execute scripts loaded from approved domains.
Twitter on Tuesday announced that it has implemented CSP for its mobile site, mobile.twitter.com, and plans to deploy the security feature more extensively over the next few months.
“We expect Content Security Policy to be widely adopted very quickly,” Brandon Sterne, security program manager at Mozilla, wrote in a blog post Tuesday. “There are popular commercial websites like Twitter which are already using it, and there are CSP plugins for many of the popular content management systems like WordPress, Django and Drupal.”
The feature can also help mitigate so-called clickjacking and packet-sniffing attacks, Mozilla said.
The SANS Internet Strom Center, an all-volunteer cyberthreat intelligence website, is also testing CSP, Johannes Ullrich, chief research officer for the SANS Institute, told SCMagazineUS.com on Wednesday.
“I am excited about it,” Ullrich said. “It's probably the most meaningful protection we have in the browser at this point. Developers shouldn't become complacent and rely on that. You still need to prevent XSS in your website, but it does add an important layer to protect the user.”
Meanwhile, Firefox 4, downloaded 7.1 million times within 24 hours of being released, also includes a number of other security and privacy features, including a mechanism for automatically establishing secure connections with websites. The feature, called HTTP Strict-Transport-Security (HSTS), is designed to stop man-in-the-middle attacks by allowing sites to specify that they only wish to be accessed over HTTPS.
“If the ‘Strict-Transport-Security' header is set, the browser will refuse any attempt to connect to the site via HTTP,” Ullrich wrote in a blog post Wednesday. “The threat model here is that an attacker will inject a redirect to the HTTP version of the site while the user is browsing a non-HTTPS site. This could lead to the disclosure of confidential information like authentication cookies.”
The latest version of Firefox also includes a privacy feature that allows users to opt out of tracking used for behavioral advertising. In December, the Federal Trade Commission suggested browser manufacturers adopt such a capability as a means of safeguarding consumers' online activity.
If enabled, the feature transmits a "do-not-track" HTTP header to every web page that is visited in Firefox. A similar feature was included in the newly released Internet Explorer 9.
"I really like the do-not-track mechanism," Carole Theriault, senior security consultant at anti-virus firm Sophos, told SCMagazineUS.com on Wednesday. "It allows people who want to keep their browsing habits private to do just that, really simply."