Wednesday, August 15, 2012

Find: Improving Browser Security with CSP

Improving Browser Security with CSP

If you are using Firefox 4, you now have an extra layer of security when accessing mobile.twitter.com.

Over the past few weeks we've been testing a new security feature for our mobile site. It is called a Content Security Policy, or CSP. This policy is a standard developed by Mozilla that aims to thwart cross-site scripting (XSS) attacks at their point of execution, the browser. The upcoming release of Firefox 4 implements CSP, and while the mobile site may not get a high volume of desktop browser traffic (the desktop users hitting that site typically have low-bandwidth connections), it has given us an opportunity to test out a potentially powerful anti-XSS tool in a controlled setting.

CSP IN A NUTSHELL

In a typical XSS attack, the attacker injects arbitrary JavaScript into a page, which then runs in the end user's browser. When a website enables CSP, the browser ignores inline JavaScript and only loads external assets from a set of whitelisted sites. Enabling CSP on our site was simply a matter of including the policy in the returned headers under the CSP-defined header name, 'X-Content-Security-Policy'.

The policy also contains a 'reporting URI' to which the browser sends JSON reports of any violations. This feature not only assists debugging of the CSP rules, it also has the potential to alert a site’s owner to emerging threats.

IMPLEMENTING THE FEATURE

Although activating CSP is easy, in order for it to work correctly you may need to modify your site. In our case it meant removing all inline JavaScript. While it is good practice to keep inline JavaScript out of your HTML, it is sometimes necessary to speed up the load times on slower, high-latency mobile phones.

We began our explorations by restricting the changes to browsers that support CSP (currently only Firefox 4) in order to lessen the impact on users. Next, we identified all the possible locations of our assets and built a rule set to encompass those; for example, things such as user profile images and stylesheets from our content delivery network.
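The two pieces of work the post describes so far, gating the policy to browsers that support it and turning an inventory of asset locations into a rule set, plus the pre-flight of finding inline script that CSP would refuse to run, are illustrated below. This is an added example, not Twitter's code: the CDN hostnames, the `/csp-report` endpoint, the Firefox version check and the sample template are all assumptions made for the example.

```python
"""Build a CSP header from an asset whitelist, send it only to browsers that
understand it, and audit a template for inline script. Added illustration;
hostnames, report endpoint and the User-Agent gate are assumptions."""
import re
from html.parser import HTMLParser

CDN = "https://cdn.example.invalid"                       # assumed CDN origin
ASSET_SOURCES = {                                          # constructed whitelist
    "script-src": ["'self'", CDN],
    "style-src": ["'self'", CDN],
    "img-src": ["'self'", CDN, "https://profile-images.example.invalid"],
}
REPORT_URI = "/csp-report"                                 # assumed report endpoint


def build_policy(sources=ASSET_SOURCES, report_uri=REPORT_URI, legacy=False):
    """Serialise the whitelist as a policy string.

    The Mozilla draft implemented by Firefox 4 spelled the catch-all directive
    'allow'; the W3C standard renamed it 'default-src'. Nothing here ever
    emits 'unsafe-inline', which would defeat the point of the policy."""
    default = "allow" if legacy else "default-src"
    parts = [f"{default} 'self'"]
    parts += [f"{directive} {' '.join(origins)}" for directive, origins in sources.items()]
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def csp_headers(user_agent):
    """Headers to add for this browser; empty dict when it gets no policy.

    Mirrors the post's rollout to Firefox 4 only. The major-version regex is
    this example's assumption, not a recommended feature-detection method."""
    match = re.search(r"Firefox/(\d+)", user_agent or "")
    if not match or int(match.group(1)) < 4:
        return {}
    return {
        "X-Content-Security-Policy": build_policy(legacy=True),  # prefixed name Firefox 4 reads
        "Content-Security-Policy": build_policy(),               # standard header name
    }


class InlineScriptFinder(HTMLParser):
    """Collects the inline-script constructs a CSP without 'unsafe-inline' blocks:
    <script> without src, on* event handler attributes, and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, line number in the template)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self.findings.append(("inline-script", line))
        for name, value in attrs.items():
            if name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", line))
            if name.startswith("on"):
                self.findings.append((f"handler:{name}", line))


def find_inline_script(html):
    """Return the list of (kind, line) findings for one template."""
    parser = InlineScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed template: one external script (fine), one inline script and one
# link with a javascript: URL and an onclick handler (all three need moving out).
SAMPLE_TEMPLATE = """<html><body>
<script src="/static/app.js"></script>
<script>trackPageView();</script>
<a href="javascript:void(0)" onclick="expand()">more</a>
</body></html>"""

if __name__ == "__main__":
    print(csp_headers("Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"))
    for kind, line in find_inline_script(SAMPLE_TEMPLATE):
        print(f"line {line}: {kind}")
```

Run the audit over every template before switching the header on; each finding is a snippet that has to become an external file on a whitelisted origin, which is exactly the work the post describes.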

Our initial trials revealed that some libraries were evaluating strings of JavaScript and triggering a violation, most notably jQuery 1.4, which tests the 'eval' function after load. This wasn’t totally unexpected and we modified some of the libraries to get them to pass. Since jQuery fixed this in 1.5, it is no longer an issue.

INITIAL RESULTS

After a soft launch, we ran into some unexpected issues. Several common Firefox extensions insert JavaScript on page load, thereby triggering a report. However, even more surprising was the number of ISPs who were inadvertently inserting JavaScript or altering image tags to point to their caching servers. It was the first example of how CSP gave us visibility into what was happening on the user’s end. We addressed this problem by mandating SSL for Firefox 4 users, which prevents any alteration of ...
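The reports that arrived at the reporting URI fell into the buckets the post names: inline script from extensions, libraries probing eval, and image tags rewritten to an ISP's caching host. The triage below is an added example, not Twitter's code; it reads reports in the standard `csp-report` JSON shape (Firefox 4's first report format used different key names), the hostnames in the sample reports are constructed, and the categories and severities are this example's own heuristics for sorting a reviewer's queue.

```python
"""Triage of CSP violation reports posted to report-uri. Added example; report
keys follow the standard 'csp-report' shape, sample hostnames are constructed,
and the classification rules are heuristics chosen for this illustration."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Values browsers have used in blocked-uri for blocked inline script.
INLINE_MARKERS = {"", "self", "inline"}


def parse_report(raw):
    """Decode one POST body; return the inner report dict, or None if malformed.
    Anyone can POST to the reporting URI, so never trust the body's shape."""
    try:
        body = json.loads(raw)
    except (TypeError, ValueError):
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    return report if isinstance(report, dict) else None


def classify(report):
    """Map one report to (category, severity) for the review queue."""
    blocked = (report.get("blocked-uri") or "").strip()
    directive = (report.get("violated-directive") or "").split(" ", 1)[0]
    document = urlsplit(report.get("document-uri") or "")
    if blocked == "eval":
        return ("eval-in-library", "low")        # e.g. a library probing eval() after load
    if blocked in INLINE_MARKERS:
        return ("inline-script", "medium")      # extensions do this; so would a real XSS
    target = urlsplit(blocked)
    if directive == "img-src" and document.scheme == "https" and target.scheme == "http":
        # An https page asked for an http image we never referenced: something
        # between the server and the browser rewrote the tag.
        return ("plaintext-rewrite", "medium")
    if directive == "script-src":
        return ("external-script", "high")      # script from a host not in the whitelist
    return ("other", "low")


def triage(raw_reports):
    """Count reports per category; malformed bodies get their own bucket."""
    counts = Counter()
    for raw in raw_reports:
        report = parse_report(raw)
        if report is None:
            counts["malformed"] += 1
            continue
        category, _severity = classify(report)
        counts[category] += 1
    return counts


def _report(**fields):
    return json.dumps({"csp-report": {"document-uri": "https://mobile.example.invalid/home", **fields}})


# Constructed sample reports, one per situation the post describes plus a bad body.
SAMPLE_REPORTS = [
    _report(**{"violated-directive": "script-src 'self'", "blocked-uri": "self"}),     # extension-injected inline script
    _report(**{"violated-directive": "script-src 'self'", "blocked-uri": "inline"}),   # same, newer marker
    _report(**{"violated-directive": "script-src 'self'", "blocked-uri": "eval"}),     # jQuery 1.4 style eval probe
    _report(**{"violated-directive": "img-src 'self' https://cdn.example.invalid",
               "blocked-uri": "http://cache.isp.example.invalid/img/avatar.png"}),      # rewritten image tag
    _report(**{"violated-directive": "script-src 'self'",
               "blocked-uri": "https://unlisted.example.invalid/x.js"}),                # unknown external script
    "not json at all",                                                                  # malformed body
]

if __name__ == "__main__":
    for category, count in sorted(triage(SAMPLE_REPORTS).items()):
        print(f"{category:20s} {count}")
```

Only the `external-script` bucket warrants an immediate look; the other buckets are the noise the post found, and the `plaintext-rewrite` one disappears once the page is served over SSL, since the rewriting party can no longer see or alter the HTML.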
