Content Security Policy for Fx: get accustomed to it now....

Hi malware fighters,

The last 3 years have seen a dramatic increase in both awareness and exploitation of Web Application Vulnerabilities. 2008 has seen dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc.

CSP is a new policy, introduced inside the Fx and Flock browsers as a proof-of-concept, to get accustomed to the idea…
To read more about this initiative:
http://people.mozilla.org/~bsterne/content-security-policy/index.html

To download and install into your browser: http://people.mozilla.org/~bsterne/content-security-policy/content-security-policy.xpi
or rather, and more safely so: https://addons.mozilla.org/nl/firefox/addon/7478

You can toggle the add-on off and on where it sits in the browser. Content Security Policy will be fully backward compatible and will not affect sites or browsers which don’t support it: non-supporting browsers will disregard the Content Security Policy header and will default to the standard Same-Origin policy for webpage content. Another discussion on CSP here:
http://jeremiahgrossman.blogspot.com/2008/06/site-security-policy-open-for-comments.html

I now have it installed in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090202 Minefield/3.2a1pre ID:20090202033956 (enforced it with Nightly Tester Tools).

OK, and keep NoScript installed; this is not a replacement for that Cop inside your Browser…
And here is another view and proposal for this problem:
http://www.cgisecurity.com/2007/11/browser-securit.html

polonus
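To make concrete what the header in the post actually does, here is an added example (not from the post or from the Mozilla prototype) of the decision a CSP-aware browser makes for each load, and of the fallback the post describes for a browser that does not understand the header. The policy string, the page URL and the resource URLs are constructed, and the directive names (default-src, script-src, img-src) are today's syntax, assumed here in place of the 2009 prototype's own syntax.

```python
from urllib.parse import urlparse

# Constructed sample policy and page origin (assumption: modern directive names).
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"
PAGE = "https://shop.example.org/cart"

def parse_policy(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def _origin(url):
    u = urlparse(url)
    return (u.scheme, u.hostname, u.port)

def source_matches(source, page_url, resource_url):
    """Does one source expression cover resource_url when loaded by page_url?"""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return _origin(page_url) == _origin(resource_url)
    if source.startswith("'"):  # keywords like 'unsafe-inline' never match a URL fetch
        return False
    return _origin(source) == _origin(resource_url)  # host source, e.g. https://cdn.example.com

def csp_allows(policy, directive, page_url, resource_url=None):
    """Decide one load. resource_url=None means an inline script/style block."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor a default given: unrestricted
    if resource_url is None:
        return "'unsafe-inline'" in sources  # injected inline script is blocked otherwise
    return any(source_matches(s, page_url, resource_url) for s in sources)

def browser_allows(header, supports_csp, directive, page_url, resource_url=None):
    """A browser without CSP support ignores the header and loads as it always did."""
    if not supports_csp:
        return True
    return csp_allows(parse_policy(header), directive, page_url, resource_url)
```

The last function is the backward-compatibility point from the post: the same header is harmless to an old browser and restrictive only where it is understood.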