Mozilla launches "pre-view" version of supersafe Firefox with CSP

Hi users of Mozilla’s Firefox,

Mozilla launches supersafe Firefox-version

Mozilla security has been working for some time now on a project against cross-site scripting exploits, and has now launched a Firefox version that has CSP (Content Security Policy), so sites can tell what content is legit. All content that is not authorized by the site in question will be ignored. This will make all cross-site scripting attacks a thing of the past.

The code will soon be added to Firefox, but for those who cannot wait, like Polonus, there is a "preview build" of Minefield; "we are proud to present this," says Security Program Manager Brandon Sterne.
The new Firefox security version can be downloaded here: https://build.mozilla.org/tryserver-builds/bsterne@mozilla.com-1254264686/

Polonus is testing the rough sides of the browser; everything in the browser is running with all security extensions, thanks to Nightly Tester Tools, as in my Namoroka 3.6 version, the testing version I normally use. I even run this secure version now as a Portable App on my pendrive.

The CSP standard will come to Firefox 3.6 and will be available to all users of that version.

Comments by NoScript developer Giorgio Maone on http://forums.informaction.com/viewtopic.php?f=10&t=1790

-Do you think CSP is going in the right direction or is it simply a misstep that will further cloud the already foggy browser security landscape?

-I do not think it’s a misstep at all. It would be great if it got wide adoption on the client, and especially on the server side (the two are strictly interdependent, obviously).
Notice, though, that its scope is very limited: while it's a great answer to XSS if correctly implemented on the server side (which is unlikely to be done better than current "secure development" best practices, except for larger sites with very good IT staffers), its merits against clickjacking are unlikely and it can't do anything against CSRF: that's why NoScript, ClearClick and ABE are orthogonal to CSP, rather than competitors.

For the bold of heart here, live in the future, and try it out,

polonus
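As an added illustration of the policy check the post describes (this is example code written for this page, not Mozilla's or NoScript's code), the function below reads a site's policy and decides whether the browser should load a given resource. It uses the standardized `Content-Security-Policy` directive syntax rather than the experimental prefixed header of the 2009 preview, and the policy and URLs are constructed sample values; an injected inline script is refused because the policy never grants `'unsafe-inline'`, while a cross-site form submission is simply outside what the policy governs, which is Maone's CSRF point.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _origin(url):
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)

def _source_matches(expr, url, page_url):
    """Does one source expression (e.g. 'self', *.example.com) cover url?"""
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "*":
        return True
    if e == "'self'":
        return _origin(url) == _origin(page_url)
    if e.startswith("'"):        # other keywords never match a URL
        return False
    if e.endswith(":") and "/" not in e:   # scheme source such as https:
        return urlsplit(url).scheme.lower() == e[:-1]
    scheme, host, _ = _origin(url)
    src = urlsplit(e if "://" in e else "//" + e)
    if src.scheme and src.scheme != scheme:
        return False
    src_host = (src.hostname or "").lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host      # ports ignored for brevity (assumption)

def allows(header, page_url, directive, url=None, inline=False):
    """True if the policy permits this load; inline=True asks about an
    inline <script>/<style> block instead of an external URL."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True               # no directive and no fallback: unrestricted
    if inline:
        return "'unsafe-inline'" in [s.lower() for s in sources]
    return any(_source_matches(s, url, page_url) for s in sources)

# Constructed sample policy for a hypothetical shop.example.com page.
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"
PAGE = "https://shop.example.com/cart"
```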