Firefox at long last gets protection against clickjacking...

Hi malware fighters.

Users of Fx with the NoScript extension already had this, and even better protection, but now it arrives in Firefox by default: Firefox from now on has protection against clickjacking, see: http://michael-coates.blogspot.com/2010/08/x-frame-option-support-in-firefox.html. X-Frame-Options will be supported as of version 3.6.9.

The developer of NoScript, Giorgio Maone, warns that X-Frame-Options does not fully protect against all forms of clickjacking. Where frame-based APIs, external app support and widgets are concerned, it is hard to configure this protection. Mainly Facebook is meant here, which in the past came under various clickjacking attacks.

According to Maone, the Content Security Policy (CSP) in Firefox 4 will let website developers protect their websites against the mentioned and other security problems in web apps, even in complex scenarios. Firefox 3.6.9 is planned to be launched on Sept. 7th. Download Content Security Policy for your Mozilla browser from here: http://people.mozilla.org/~bsterne/content-security-policy/content-security-policy.xpi and install it. The more browsers and servers alike implement it, the more secure the Internet will get. You will see the green-rimmed CSP at the bottom of the browser when it is active; otherwise toggle it on/off by clicking it…

polonus
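To make the two mechanisms in the post above concrete, here is an added example (my own code, not from the thread, Mozilla, or NoScript) that models how a browser decides whether a page may be shown inside a frame: first under X-Frame-Options alone, as in Firefox 3.6.9, then under CSP's frame-ancestors directive. It also shows the gap Maone points at: X-Frame-Options has no way to say "framing by partner.example only", while frame-ancestors can. The origins (bank.example, partner.example, evil.example) are constructed, and the CSP source matching is a deliberately simplified subset ('none', 'self', scheme://host, scheme://*.host).

```javascript
// Added example (not code from the original thread): a model of how a
// browser decides whether a page may be rendered inside a frame, given the
// two anti-clickjacking mechanisms discussed above: the X-Frame-Options
// response header and CSP's frame-ancestors directive. All URLs and header
// values below are constructed for illustration.

function origin(url) {
  const u = new URL(url);              // URL is a global in Node.js 10+
  return `${u.protocol}//${u.host}`;
}

// X-Frame-Options (RFC 7034) knows only two values: DENY and SAMEORIGIN.
// An unrecognised value makes browsers ignore the header, so a typo such
// as "ALLOWALL" silently re-enables framing. The header cannot express
// "allow framing by partner.example only", which is the gap the thread
// mentions for widget and partner-app scenarios.
function xfoAllows(headerValue, pageUrl, topUrl) {
  if (headerValue == null) return true;
  const value = headerValue.trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") return origin(pageUrl) === origin(topUrl);
  return true;                          // unknown value: header ignored
}

// Pull the source list out of a frame-ancestors directive, or null if the
// policy has no such directive (then CSP says nothing about framing).
function parseFrameAncestors(cspHeader) {
  if (cspHeader == null) return null;
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Simplified subset of CSP source matching: 'none', 'self',
// scheme://host and scheme://*.host (assumption: no ports or paths).
function sourceMatches(source, ancestorUrl, pageUrl) {
  if (source === "'none'") return false;
  if (source === "'self'") return origin(ancestorUrl) === origin(pageUrl);
  const m = /^([a-z]+):\/\/(\*\.)?([^/:*]+)$/i.exec(source);
  if (!m) return false;                 // unsupported form: treat as no match
  const [, scheme, wildcard, host] = m;
  const a = new URL(ancestorUrl);
  if (a.protocol !== `${scheme.toLowerCase()}:`) return false;
  return wildcard
    ? a.hostname.endsWith(`.${host.toLowerCase()}`)
    : a.hostname === host.toLowerCase();
}

// ancestorUrls runs from the immediate parent up to the top-level document;
// every ancestor must be allowed by at least one source expression.
function cspAllows(cspHeader, pageUrl, ancestorUrls) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  return ancestorUrls.every(anc => sources.some(src => sourceMatches(src, anc, pageUrl)));
}

// Combined decision. CSP Level 2 gives frame-ancestors precedence over
// X-Frame-Options when both are present; a browser that knows only
// X-Frame-Options (like the Firefox 3.6.9 of the thread) sees only the
// X-Frame-Options branch, which checks just the top-level document.
function mayFrame(headers, pageUrl, ancestorUrls) {
  if (ancestorUrls.length === 0) return true;   // not framed at all
  const csp = headers["Content-Security-Policy"];
  if (parseFrameAncestors(csp) !== null) return cspAllows(csp, pageUrl, ancestorUrls);
  const top = ancestorUrls[ancestorUrls.length - 1];
  return xfoAllows(headers["X-Frame-Options"], pageUrl, top);
}

// Headers a server might emit. With no partners both mechanisms agree
// (DENY / 'none'). With partners, X-Frame-Options cannot name them, so
// SAMEORIGIN is sent as a fallback for older browsers: those browsers will
// refuse the partner's frame, and only CSP-aware browsers get the intended
// policy. That is the configuration problem the thread describes.
function antiClickjackHeaders(partnerOrigins = []) {
  const sources = partnerOrigins.length ? ["'self'", ...partnerOrigins] : ["'none'"];
  return {
    "X-Frame-Options": partnerOrigins.length ? "SAMEORIGIN" : "DENY",
    "Content-Security-Policy": `frame-ancestors ${sources.join(" ")}`,
  };
}

// Constructed scenario: a banking page framed by a partner and by an attacker.
const PAGE = "https://bank.example/transfer";
const partnerHeaders = antiClickjackHeaders(["https://partner.example"]);
console.log(mayFrame(partnerHeaders, PAGE, ["https://partner.example/app"]));  // true
console.log(mayFrame(partnerHeaders, PAGE, ["https://evil.example/"]));        // false
// An X-Frame-Options-only browser blocks the partner as well:
console.log(xfoAllows(partnerHeaders["X-Frame-Options"], PAGE, "https://partner.example/app")); // false
```

The last line is the point of the example: the same response that lets a CSP-aware browser admit the partner frame makes an X-Frame-Options-only browser reject it, and the only X-Frame-Options alternative is to drop the header and leave those browsers unprotected.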

Is there anything that gives information as to what changes to Content Security Policy are made/provided by this add-on?

Hi DavidR,

Here you can read how they plan to introduce this gradually and hope many hop onto this bandwagon: https://wiki.mozilla.org/Security/CSP
When a server runs CSP, the browser with the extension will abide by these rules. Well, if you have NoScript installed this protection is additional anyway, but I have it installed as it is expected to be introduced as a cross-browser, website-server protection mode. Read what I posted here (as luntrus) on CSP: http://forums.informaction.com/viewtopic.php?f=19&t=1720

pol

Thanks Pol.

Interesting, this will be something like Firefox Sync & Xmarks, I think FS will replace Xmarks.

I sure like the ASP's HomoXSSuality protection in NoScript :P

Correct me if I’m wrong. You already have NoScript, RequestPolicy, and Firekeeper in your Firefox. Now you added Content Security Policy. Isn’t it too much?

As for me, I almost completely realize what NoScript and RequestPolicy do to protect my PC and I have them in my Firefox. I can’t realize what Firekeeper is really necessary for and I feel uncertain if I should install it. And now you advise to install one more security extension. Is it really a “must-have”? Could you explain it in plain English?

Hi George Yves,

You need not install CSP; it is coming into the browser by default anyway and will be part of Fx 4.0.
With NoScript and RequestPolicy, and when you know how to use these two extensions, you are fully and utterly protected on all browser sides.
I use Firekeeper only because I want to test XSS requests, so that is a completely optional IDS extension. It has an additional malware list incorporated, but you could run a similar one with ABP+.
Other extensions I have in Flock are just because I like to have them for my website and malware analysis; they are in no way necessary security-wise. Some folks like to have Ghostery. Also, I do not run extensions that work via a proxy port because I would not like to miss the scanning of the avast shields.
So again, with NS and RP installed you have all the in-browser security you need and are better protected than most users.

regards,

polonus

Thank you for your reply. I can only add that I’m using ABP+ with 3 subscriptions.