It looks like Mozilla is actively working towards putting some XSS, CSRF, and click-jacking protections into their browsers. Their Content Security Policy seems reasonably detailed and is targeted to incorporate at least some of the protections that NoScript offers. Since CSP is optional and can be implemented via HTML meta tags that can be spoofed on a compromised site, I don't see NoScript going away any time soon. However I have to ask: Giorgio, are you involved with CSP in any official capacity? And do you think CSP is going in the right direction or is it simply a misstep that will further cloud the already foggy browser security landscape?
Thanks,
-Foam
Mozilla Content Security Policy
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Re: Mozilla Content Security Policy
(Earlier thread, You need two to tango - host and browser- CSP!)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Mozilla Content Security Policy
Foam Head wrote: "Giorgio, are you involved with CSP in any official capacity?"

I've been asked for advice by Brandon Sterne, the CSP lead at Mozilla, in the early CSP design stages (when it was still called SSP), and I'm still indirectly involved as a member of the Mozilla Security Group.

Foam Head wrote: "And do you think CSP is going in the right direction or is it simply a misstep that will further cloud the already foggy browser security landscape?"

I do not think it's a misstep at all. It would be great if it got wide adoption on the client, and especially on the server side (the two are strictly interdependent, obviously).

Notice, though, that its scope is very limited: while it's a great answer to XSS if correctly implemented on the server side (which is unlikely to be done better than current "secure development" best practices, except for larger sites with very good IT staffers), its merits against clickjacking are unlikely and it can't do anything against CSRF: that's why NoScript, ClearClick and ABE are orthogonal to CSP, rather than competitors.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
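The two points the thread turns on (a policy only counts against XSS if it really forbids inline and wildcard script sources, a policy carried in a meta tag sits in the very document an injection controls, and CSP has no directive that addresses CSRF) can be checked mechanically. The following is an added example written for this page, not code from the forum, from NoScript or from Mozilla's CSP implementation; the header strings it evaluates are constructed here, and the `delivery` parameter and the finding messages are this example's own conventions.

```python
"""Minimal Content-Security-Policy parser and linter (added example).

It splits a policy into directives, resolves the script-src fallback to
default-src, and reports whether the policy restricts script execution in
the way that makes CSP an XSS mitigation. It also records that CSP gives
no CSRF protection at all, and flags policies delivered via <meta>.
"""
from typing import Dict, List

# Scheme-only sources that let scripts load from effectively anywhere.
BROAD_SCHEMES = ("http:", "https:", "data:")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn "script-src 'self'; object-src 'none'" into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        # Per the spec, only the first occurrence of a directive counts.
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing a fetch directive, falling back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def script_findings(script_sources: List[str]) -> List[str]:
    """Reasons why the script source list does not stop script injection."""
    findings: List[str] = []
    if not script_sources:
        findings.append("no script-src and no default-src: script execution is unrestricted")
        return findings
    if "'unsafe-inline'" in script_sources:
        findings.append("'unsafe-inline' lets injected inline scripts and event handlers run")
    for src in script_sources:
        if src == "*" or src in BROAD_SCHEMES:
            findings.append(f"source {src!r} allows scripts from effectively any origin")
    return findings


def assess(header: str, delivery: str = "header") -> dict:
    """Evaluate a policy string. delivery is 'header' or 'meta' (example convention)."""
    policy = parse_csp(header)
    findings = script_findings(effective_sources(policy, "script-src"))
    xss_mitigation = not findings
    if delivery == "meta":
        # A <meta> policy is part of the page body; content injected ahead of it
        # decides what the browser sees, so only a server-sent header is reliable.
        findings.append("policy delivered via <meta> can be overridden by injected page content")
    return {
        "xss_mitigation": xss_mitigation,
        "csrf_mitigation": False,  # CSP has no directive that covers CSRF
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample policies: a permissive one and a restrictive one.
    for label, header in (
        ("weak", "default-src *; script-src * 'unsafe-inline'"),
        ("strict", "default-src 'none'; script-src 'self'; object-src 'none'"),
    ):
        print(label, assess(header))
    print("meta", assess("default-src 'none'; script-src 'self'", delivery="meta"))
```

Run it as a script to see the two constructed policies side by side; the strict one passes the script check yet still reports `csrf_mitigation: False`, which is the orthogonality Giorgio describes between CSP and tools like ABE.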