New Firefox security technology blocks Web attacks, Mozilla claims

Delivers browser preview with 'Content Security Policy' spec, hopes rivals follow its lead

Page 2 of 2

"Both the Internet Explorer and Chrome teams have contributed to the design discussions of the specification," said Sterne. "They have some tentative interest in implementing it at some point in the future."

Earlier this year, Eric Lawrence, a program manager on Microsoft's Internet Explorer (IE) team, called CSP "a good idea" and "a promising approach" in a pair of entries on the official IE blog, but did not commit Microsoft to supporting the technology.

"It's great to see that others are taking this threat seriously, as well," said Sterne.

Google, the maker of Chrome, was not available for comment over the weekend, but the company has previously said it generally doesn't comment on future product development.

Mozilla must also convince site and application developers that it's worth their while to use CSP. Nightingale and Sterne declined to name the sites that have expressed interest in using the technology.

"The first step is for us to use it," said Nightingale, adding that Mozilla would turn one of its online properties into a guinea pig to show others that CSP is possible, and to iron out problems.

The pair was also vague about when CSP would debut in a production version of Firefox. The one thing they did say was that it wouldn't show up in the minor upgrade, Firefox 3.6, that's to ship in November. The first, and likely only, beta of Firefox 3.6 is slated to ship Oct. 13.

"Whatever comes after 3.6, that's the earliest," said Sterne.

Mozilla isn't the only browser maker trying to protect users from cross-site scripting attacks. Microsoft, for example, added a cross-site scripting filter to IE8 that the company said would block most attacks.

Preview builds of Firefox with CSP enabled can be downloaded for Windows, Windows Mobile, Mac and Linux from Mozilla's server. Sterne has also posted a demonstration page that graphically shows how various scripts are blocked by the technology.

Copyright © 2009 IDG Communications, Inc.
