Mozilla Aims At Cross-Site Scripting With FF3
Will the new standard end the threat of the popular attack vector?
Web 2.0 has enabled a broad array of Websites to be more engaging for users. It has also enabled a new and now very common attack, namely cross site scripting, commonly referred to as XSS attacks (define).
Mozilla is aiming to put an end to XSS attacks in its upcoming Firefox 3 browser. The Alpha 7 development release includes support for a new W3C working draft specification that is intended is secure XML over HTTP requests (often referred to as XHR) which are often the culprit when it comes to XSS attacks. XHR is the backbone of Web 2.0 enabling a more dynamic web experience with remote data.
"Cross site XMLHttpRequest will enable web authors to more easily and safely create Web mashups," Mike Schroepfer, Mozilla's vice president of engineering, told internetnews.com.
"It is one of many advanced Web standards that we are implementing in Firefox 3 and look forward to the world adopting."
The W3C working draft is officially titled, "Enabling Read Access for Web Resources." It's intended to define a mechanism by which Web developers can safely provide cross-site Web resource access. The specification will let developers define via an HTTP header or an XML instruction which sites are allowed read-access and which are not.
A typical XSS attack vector is one in which a malicious Web site reads the credentials from another that a user has visited. The new specification could well serve to limit that type of attack though it is still incumbent upon Web developers to be careful with their trusted data.
The W3C working draft warns that "user agents which implement this specification should take care not to expose other trusted data (cookies, HTTP header data) inappropriately."
Of course, it's also wise to consider the source.
"Application authors should be aware that content retrieved from another site is not itself trustable," the W3C working draft advises. "Authors should take care to protect against exposing themselves to cross-site scripting attacks by rendering or executing the retrieved content directly without validation."
In addition to the new XSS support in Firefox 3 Alpha 7, Mozilla developers have also fixed some bugs and implementation errors that cropped up in the Alpha 6 release, which came out in early July.
The latest release isn't just about bug fixes and new feature support. Mozilla developers have actually dropped support for the SOAP (define) Web services messaging protocol, according to the official Alpha 7 release notes. (It still runs in Firefox 3, however.)
"The SOAP implementation dropped from Firefox 3 was only available to extension authors, who have many other more modern implementations to choose from," Schroepfer explained. "We are, in general, removing as much old code from the core browser as possible to improve security, reduce download size, and allow Web and extension authors to choose the latest support libraries they need."