The latest version of Mozilla's Firefox web browser, version 4, was released this week with a number of new security features, including a mechanism for preventing web-based attacks.
The Content Security Policy feature is designed to stop common web-borne attacks, such as cross-site scripting and data injection, by giving sites a way to tell the browser which content is legitimate.
It allows website administrators to reduce cross-site scripting vectors by specifying the domains the browser should consider valid sources of executable script. A compatible browser then executes only scripts loaded from those approved domains.
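As an added illustration of the allow-list behaviour described above (this is constructed example code, not Mozilla's or Twitter's), the following simulates how a browser evaluates a site's policy against a script it is about to run. It uses the syntax of the later standardized Content-Security-Policy header (Firefox 4 shipped an earlier, prefixed form of the header), and implements only the subset needed to show the point: the `'self'`, `'none'` and `'unsafe-inline'` keywords, host sources with an optional `*.` wildcard, and the fall-back from `script-src` to `default-src`. The policy strings and URLs in it are made up.

```python
"""Constructed example: how a CSP script-src allow-list decides whether a
script may execute. Not browser code; a simplified model of the mechanism."""
from typing import Dict, List, Optional
from urllib.parse import urlparse


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; script-src 'self' https://cdn.example.com"
    into {"default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example.com"]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def _origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _host_source_matches(src: str, page_url: str, script_url: str) -> bool:
    """Match a host-source such as https://cdn.example.com, cdn.example.com
    or *.example.com against the script's origin. A source without a scheme
    inherits the page's scheme (the standard's rule, simplified)."""
    script = urlparse(script_url)
    page_scheme = urlparse(page_url).scheme.lower()
    if "://" in src:
        scheme, _, host = src.partition("://")
    else:
        scheme, host = page_scheme, src
    if scheme != script.scheme.lower():
        return False
    script_host = (script.hostname or "").lower()
    if host.startswith("*."):
        return script_host.endswith(host[1:])  # "*.example.com" -> ".example.com"
    return script_host == host


def script_allowed(header: str, page_url: str, script_url: Optional[str]) -> bool:
    """True if a browser enforcing `header` on `page_url` should run the script.

    script_url=None stands for an inline <script> block: CSP refuses those
    unless the site explicitly opts back in with 'unsafe-inline', which is
    exactly what takes injected inline script out of an attacker's hands."""
    policy = parse_csp(header)
    # script-src governs scripts; if absent, default-src applies; if both are
    # absent, the policy says nothing about scripts and they are allowed.
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]
    else:
        return True
    if "'none'" in sources:
        return False
    if script_url is None:
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == "'self'":
            if _origin(script_url) == _origin(page_url):
                return True
        elif not src.startswith("'") and _host_source_matches(src, page_url, script_url):
            return True
    return False


if __name__ == "__main__":
    policy = "default-src 'self'; script-src 'self' https://cdn.example.com"
    page = "https://www.example.com/timeline"
    for candidate in ["https://www.example.com/app.js",
                      "https://cdn.example.com/lib.js",
                      "https://attacker.example.net/steal.js",
                      None]:
        label = "inline script" if candidate is None else candidate
        print(f"{'ALLOW' if script_allowed(policy, page, candidate) else 'BLOCK':5} {label}")
```

The last case is the one that matters for XSS: with this policy a payload that lands in the page as inline script is refused even though the injection itself was not prevented, which is the "important layer" Ullrich describes below.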
Twitter on Tuesday said it had implemented the feature for its mobile site and would deploy it elsewhere over the coming months.
“We expect Content Security Policy to be widely adopted very quickly,” Brandon Sterne, security program manager at Mozilla, wrote in a blog post.
“There are popular commercial websites like Twitter which are already using it, and there are CSP plugins for many of the popular content management systems like WordPress, Django and Drupal.”
The feature can also help mitigate so-called clickjacking and packet-sniffing attacks, Mozilla said.
The SANS Internet Storm Center, an all-volunteer cyberthreat intelligence website, was also testing it, said Johannes Ullrich, chief research officer for the SANS Institute.
“I am excited about it,” Ullrich said. “It's probably the most meaningful protection we have in the browser at this point. Developers shouldn't become complacent and rely on that. You still need to prevent XSS in your website, but it does add an important layer to protect the user.”
Meanwhile, Firefox 4, downloaded 7.1 million times within 24 hours of being released, also includes a number of other security and privacy features, including a mechanism for automatically establishing secure connections with websites. The feature, called HTTP Strict-Transport-Security (HSTS), is designed to stop man-in-the-middle attacks by allowing sites to specify that they only wish to be accessed over HTTPS.
“If the ‘Strict-Transport-Security’ header is set, the browser will refuse any attempt to connect to the site via HTTP,” Ullrich wrote in a blog post Wednesday.
“The threat model here is that an attacker will inject a redirect to the HTTP version of the site while the user is browsing a non-HTTPS site. This could lead to the disclosure of confidential information like authentication cookies.”
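To make the HSTS behaviour Ullrich describes concrete, here is an added, constructed model of the browser-side bookkeeping (not Firefox's code): a store that remembers which hosts sent a `Strict-Transport-Security` header, and a rewrite step that upgrades `http://` URLs for those hosts before any request leaves the browser. It follows the standardized rules that the header is honoured only on an HTTPS response, that `max-age=0` withdraws the policy, and that `includeSubDomains` extends it to subdomains; the host names and header values are made up.

```python
"""Constructed example: browser-side HSTS store and URL upgrade.
A simplified model of the mechanism, not Firefox's implementation."""
import re
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse, urlunparse


class HstsStore:
    """Remembers hosts that asked to be reached only over HTTPS."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested
        # host -> (expiry timestamp, includeSubDomains flag)
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def observe(self, response_url: str, header: Optional[str]) -> bool:
        """Process a Strict-Transport-Security header from a response.
        Returns True if a policy was stored.

        The header is only trusted on an HTTPS response: over plain HTTP an
        on-path attacker could inject or strip it, so the browser ignores it."""
        p = urlparse(response_url)
        if p.scheme.lower() != "https" or not p.hostname or header is None:
            return False
        m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.IGNORECASE)
        if not m:
            return False  # max-age is mandatory; a malformed header is ignored
        host = p.hostname.lower()
        max_age = int(m.group(1))
        if max_age == 0:
            self._hosts.pop(host, None)  # the site withdraws its policy
            return False
        include_sub = re.search(r"includesubdomains", header, re.IGNORECASE) is not None
        self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if `host` (or a parent with includeSubDomains) has an unexpired policy."""
        host = host.lower()
        now = self._now()
        for known, (expiry, include_sub) in list(self._hosts.items()):
            if expiry <= now:
                del self._hosts[known]  # lazily drop expired entries
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before the request is sent.

        This is what defeats the injected-redirect attack in the quote above:
        the downgrade never reaches the network, so no cookie is sent in clear."""
        p = urlparse(url)
        if p.scheme.lower() != "http" or not p.hostname or not self.is_known(p.hostname):
            return url
        netloc = p.netloc[:-3] if p.netloc.endswith(":80") else p.netloc
        return urlunparse(p._replace(scheme="https", netloc=netloc))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed exchange: the site's HTTPS response carries the header ...
    store.observe("https://bank.example.com/", "max-age=31536000; includeSubDomains")
    # ... so a later injected http:// redirect is upgraded before it is fetched.
    print(store.rewrite("http://bank.example.com/account"))
    print(store.rewrite("http://www.bank.example.com/"))
```

Note what the model does not cover: the very first visit, before any header has been seen, is still made over whatever scheme the user or a link supplies, which is why a site that wants protection from the first request must also redirect HTTP to HTTPS on the server side.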
The latest version of Firefox also includes a privacy feature that allows users to opt out of the tracking used for behavioural advertising. In December, the Federal Trade Commission suggested browser makers adopt such a capability to safeguard consumers' online activity.
If enabled, the feature sends a "do-not-track" HTTP header with every web page request Firefox makes. A similar feature was included in the newly released Internet Explorer 9.
"I really like the do-not-track mechanism," said Carole Theriault, senior security consultant at anti-virus maker Sophos.
"It allows people who want to keep their browsing habits private to do just that, really simply."